The limits of a cyber czar
Many of the government's chief security challenges are for agencies to address
- By Alan Paller
- Jun 15, 2009
As President Barack Obama announces plans to appoint a cybersecurity coordinator, cybersecurity continues to challenge agencies in ways that the eventual appointee might find difficult to fight.
Identifying the chief vulnerabilities in federal cybersecurity is easy: incomplete inventories of systems so agencies do not know what computers they are running; insecure configurations; delays of weeks or months in installing patches; a critical shortage of employees with advanced technical skills to do forensics and intrusion detection and code reviews; and custom software with programming errors that provide easy access for attackers. A more complete list is embedded in the report, “Twenty Critical Security Controls,” published by the Center for Strategic and International Studies.
Sadly, solving most of the problems falls to individual agencies more than to a cyber czar. Agencies would have fixed most problems if they had the means. So the question is: What are the most critical impediments stopping agencies from doing the right things?
Here are three of the biggest.
1. Chief information officers and procurement officials allow systems integrators and software vendors to deliver systems and software with security flaws. When the flaws are discovered, integrators demand more money to fix their errors — more than the cost of the flawed software. The Federal Desktop Core Configuration is not widely implemented because CIOs still have not forced integrators and software vendors to guarantee their software works on FDCC-equipped systems.
2. Federal managers lower standards to not embarrass unqualified people. An example is the Defense Department’s failed effort to ensure its security people have certified technical skills to do hands-on security work. Fixing the skills shortage is one of the nation’s top priorities. But when DOD discovered that many security people do not have strong hands-on technical skills, officials simply ordered a security certification that avoided the tough technical questions.
The result is that nearly everybody passes, and the nation wastes the opportunity to improve security. Several civilian agencies meet the requirement to provide technical training for their security employees by offering online training, but the agencies do not require the employees to pass tests to prove they have mastered the material or even ensure they take the training. One agency reported privately that no one — not one person — completed the online training. That agency still gave itself full credit for providing technical training to its security people, and its auditors concurred.
3. Auditors measure what is easy to count instead of measuring what is critical to do. The Government Accountability Office has repeatedly told Congress that federal cybersecurity auditors generally do not measure the effectiveness of critical controls. They might measure whether a policy is in place but not whether the policy has been implemented effectively. Why? Because it is easier to count the paper documents than to ensure that effective technical controls are in place.
So what can the cyber czar do? Shine a public light on those anti-security practices, and when those caught in the spotlight complain, give them the White House support they need to do the job right, along with deadlines and consequences. Every person mentioned above — CIOs, training managers and auditors — wants to do the right thing. But they have not been given the spine-stiffening top cover they need from the White House. It’s time they got it.
Alan Paller is founder and research director of the SANS Institute, a graduate-degree-granting college and security training and research institution with more than 120,000 alumni in seventy countries. At SANS, he oversees the Internet Storm Center (an early warning system for the Internet), NewsBites (the semi-weekly security news summaries that go to 210,000 people), @RISK (the authoritative summary of all critical new vulnerabilities discovered each week), and the identification of the most damaging new attacks being discovered each year. He also leads a global security innovation program that identifies people and practices that have made a measurable difference in cyber risk reduction, and illuminates those innovations so other security practitioners can take full advantage of them to improve security in their enterprises.
He has testified before both the US Senate and House of Representatives. In 2000 President Clinton recognized his leadership by naming him as one of the initial members of the President’s National Infrastructure Assurance Council. The Office of Management and Budget and the Federal CIO Council named Alan as their 2005 Azimuth Award winner, a singular lifetime achievement award recognizing outstanding service of a non-government person to improving federal information technology.
In May of 2010, the Washington Post named seven people as “worth knowing, or knowing about” in cyber security. The list included General Alexander who heads the US Cyber Command, Howard Schmidt, the White House Cyber Coordinator, other national leaders, and Alan. Earlier in his career Alan helped build a software company, took it public, and merged it into a larger company listed on the New York Stock Exchange. His degrees are from Cornell University and the Massachusetts Institute of Technology.