Cybersecurity failings defy answers

Readers share their theories about why cybersecurity is so lousy in the federal government

If cybersecurity is so important and if so many security guidelines and solutions are readily available, why are federal agencies doing such a lousy job of protecting vital systems?

That was the gist of a speech given last month by Howard Schmidt, the White House's cybersecurity coordinator. It sparked a flurry of comments at FCW.com.

Schmidt offered his ideas for solving the problem, which include enterprisewide network intrusion detection and better math and science training in U.S. schools. Some readers responded to his recommendations, while others simply echoed his consternation.

Anony Mous picked up on Schmidt’s idea of raising a new security-savvy generation of technology workers.

“Get kids in high schools to set up their own school-specific social network servers, using Drupal or other open-source community software, as an extracurricular activity,” Anony Mous wrote. “Let them define the content and how it works. Let them deal with both the nitty-gritty details of running a system that could be vulnerable to attack and the content-level disputes over free speech vs. defamation and fraud.”

Outdated Ideas?

But several readers questioned Schmidt’s assumptions about intrusion-detection technology.

“Is intrusion detection/prevention even possible on such a diverse network as used by the federal government?” wondered CuriousIT. “Multiple operating systems, multiple versions of each operating system, multiple versions of browsers, differing requirements for managing ports due to the use of legacy software that was written when security wasn't even an afterthought. How do you wade through all the false positives? Mr. Schmidt is correct that something has to be done, but unless there [are] funding and teeth behind his statements, progress will be slow.”

“With the advent of cloud computing, social networking, mobile devices, etc., it is difficult to define the true perimeter of a network,” wrote Andy McEachron. “Network intrusion detection is becoming less effective. Host-based intrusion detection is becoming more important, more so when IPv6 begins to take hold.”

No Help for the Clueless

The root of the problem is that so few people in government really understand the issues, wrote Papa K. “Most nonsecurity types within the government don't have a clue. They think they know because they can spell 'security,' but they have no idea what they're doing. So no standard is going to help if they have no clue.”

Federal workers also get a lot of mixed messages, wrote RayW. “Let me see now: We need more security stuff. We need more Facebook and other 'social network' stuff. Riiiiiight.”

Bman was just happy to hear Schmidt talk in such frank terms. “It’s about time a cyber chief admits the shortcomings of the federal government in this area and makes an effort to fix them, publicly ensuring that things have been documented,” Bman wrote.

Concerned in Virginia, on the other hand, found the speech altogether disheartening. “If they're so excellent, why [isn't] the government's computer systems' security better? I've read a lot from ‘government cyber gurus’ that our systemwide computer network security is terrible; so then, why aren't they doing something to make it better, [rather] than blaming one another for failure?”

About the Author

John S. Monroe is the editor-in-chief of Federal Computer Week.

Reader comments

Fri, May 7, 2010 Kevin Dayton

Cyber-threats live in an evolutionary, highly complex, dynamic system with an incredibly tight OODA (feedback) loop managed by intelligent folks. Standards, checklists, and such solve the known problems of 5 years ago. The only way to "secure" a system is to attack it and fix the weaknesses. Even Army butter-bars are taught when preparing a platoon defense to walk where the enemy would walk and pretend to attack. Even facility guys occasionally trip breakers to see if the emergency generator turns on. Cyber is no different. The Govt needs more vulnerability assessment teams.

Fri, May 7, 2010 edmond hennessy united states

Again, a good article on a critical and sensitive topic. Realize that the author or reporter, Mr. Monroe, is savvy and on-the-same-page, as he is - in general, however how is it that the Bad Guys (Intruders) can so easily undermine our systems? Do they have more muscle, ingenuity, resources and funds to outinnovate/outmaneuver our Big Machine? Protecting your flanks is essential, however what are we learning and how is it being integrated into our CyberSecurity Operations? Understand the sentiment about "weaning them while school-age" and frowning on the mindset of the Government workforce for not getting it - however that's not where the problem-solution lies. The tail-end of the article has that proverbial sense of "finger-pointing." There was a time when the FBI was stumped with check fraud - they cracked the code - by enrolling the best thieves in the business to show them how it was done. Sounds like we need a dose of this to better understand the CyberSecurity Challenge - and, then we can determine the right way of protecting our valued systems and resources.

Fri, May 7, 2010 Vic Winkler http://Ground-Wire.COM

To improve cyber security we might learn a thing or two from Ernest Hemingway who famously said about writing: It's knowing what to leave out. When it comes to our choices in computers, our inclusion of applications and our implementation of networks -- we simply throw EVERYTHING into the soup of cyber space. With this approach, there can be no predictable and no reliable security. If we are doing this at home, it can be forgiven since as consumers we are probably NOT computer scientists or cyber security experts. If we are doing this as the operators of an enterprise we are MISGUIDED and ASKING for trouble. If we are running the nation's cyber security this way -- WHOOPS... It is possible to have insecure components in cyberspace, even possible for me to use these in various ways -- but they have to be ISOLATED in a RELIABLE and EFFECTIVE manner! Today, I do not hear much talk about the myriad of discrete actions we can take to achieve effective security in our interdependent networks. I think more than a few people lack the appropriate KNOWLEDGE and AUTHORITY. If they have it then they NEED TO SPEAK UP!!!

Fri, May 7, 2010

Unfortunately Cyber Security will not get better until it is funded up front and built into the systems we purchase or build. We constantly are put in the position of putting a band-aid on a sucking chest wound because we can't get funds for anything else. Bean counters want to know how often it will happen before they spend the money up front and with the number of attacks on government systems it is more likely than they think. Most government entities give lip service to doing cyber security by just saying they will comply with regulation such and such.
