FCW Challenge


6. Cybersecurity

Up for Debate: This is a job for McGruff the Crime Dog.

Federal employees are unknowingly placing their agencies at risk for cyberattack by not taking their own personal security measures seriously. The government should launch a new PR campaign to raise awareness and protect itself, its citizens and the economy from cyber warfare.

Find out more about the FCW Challenge.

Posted by David Rapp on Apr 29, 2010 at 12:12 PM



Reader comments

Tue, Jun 1, 2010 RayW

In the DoD (my part) not only do we get annual trainings (yes, plural), we get quarterly and semi-annual trainings on computer and information systems security etc. I have four backed up right now that I have to have done by June 26. Plus we have the splash screens that come up when we log into the computer that warn us about diverse things. So how much more "PR" do we need? And the anonymous poster that claims nothing is done for violators, we have had two folks in my building dismissed in the last year for violating mandated computer security practices. I do not know about upper management, but at least in the trenches we are slapped for not following the rules.

Of course, it is hard to do much computing work; our computers are locked down so far that you can do basically four things: surf the internet (with even .gov sites banned by the blocking tools), check email, use Microsoft programs (unless you are lucky enough to be authorized Open Office), and put in your time. If you have special needs like engineering, software development, or science, you must have a second or third computer to do that, assuming you are allowed one.

On one hand you are told "be secure, or else" and on the other you are told "get your work done, or else". Fine and good if you are a paper pusher and only need M$ or Open office products, but if you have to do any real computer work, then you have to work around the system to get the work done.

And yes, 'they' are really out to get us, so either way 'they' win.

Tue, May 18, 2010 Airborne All The Way Springfield, Virginia

There are two laws that govern bureaucracies. Parkinson's Law, where bureaucracies tend to grow (see: http://www.economist.com/business-finance/management/displaystory.cfm?story_id=14116121):

Factor I.—An official wants to multiply subordinates, not rivals; and

Factor II.—Officials make work for each other.

Pournelle's Iron Law of Bureaucracy states that in any bureaucratic organization there will be two kinds of people: those who work to further the actual goals of the organization, and those who work for the organization itself. Examples in education would be teachers who work and sacrifice to teach children, vs. union representatives who work to protect any teacher including the most incompetent. The Iron Law states that in all cases, the second type of person will always gain control of the organization, and will always write the rules under which the organization functions.

Too often, the default position is to do nothing. If you do nothing then you will not have a failed project and can not be criticized. I think that this explains many of the problems with Cybersecurity in government.

Thu, May 13, 2010

Some agencies do go beyond the minimal requirement of annual ISS-LoB Tier 1 training. The place where I work (~2000 employees) has an extensive security awareness program, including monthly newsletters, intranet reminders, etc. Incidents are reported in the newsletters, and much can be learned from reading these "victim" stories. Using actual events as the basis for training keeps our employees more attuned to security matters--they'd rather read about the foibles of others than become a victim themselves. This doesn't mean that we are perfect, but relying on just the annual training tutorial is not enough--security education demands real and constant feedback in order to be effective.

Wed, May 12, 2010

On the day following the 9/11 attack, every Federal Agency, in DC, greeted its badged employees with a ride through a magnetometer - the process still goes on today. Were these badged employees ever a threat - no - but this symbolic action gave the impression that the government was in control of the situation. Lesson: When your only tool is a hammer, every problem begins to look like a nail.

In the case of Cyber security, we all adhere to NIST 800-53 etc. By doing so we merely assure that our applications and infrastructure are compliant with NIST – not that they are secure. Any bound, hardcopy document on Cyber security that has gone through agency vetting and formal publication is going to be out-of-date by the time it is viewed and understood by its using audience.

On the operational level, every Cyber security office insists that the application development team must develop the Risk Assessment, Security Plan and ATO application (the security office merely evaluates the completed work); these development teams are not necessarily competent to address all of the sophisticated issues that surround deficiencies in protocols, proprietary products, operating environments, etc. that are exploitable by hackers/crackers. Usually these Risk Assessments and Security Plans are cobbled together by application developers and analysts after plagiarizing other security plans that previously passed muster with the security office (much the same as RFPs are often copied from previous RFPs) without regard to the pertinence and completeness of the materials that are reused. It has become a paperwork drill.

The truth is that we don’t have sufficient security expertise and security experts to provide a secure, on-line environment for the entire world – the technology (and the hacker) is moving too fast for that. We would be better-off to reconsider (1) if everything that is online has to be online, and (2) if everything that has to be on line needs to be on a public network – a judicious decision here would at least reduce the vulnerability to our most precious assets.

Tue, May 11, 2010

In DoD, everyone already gets annual training. They ignore it. Since they never discipline anyone for allowing breaches, fear does not work as a motivator. The response has been to lock down hardware and perimeter controls so tightly as to impede mission capability. DoD, and the rest of FedGov, needs their own trusted internet for mission work, and make people walk over to a machine in the corner to interact with the outside world.
