Cybersecurity failings defy answers
Readers share their theories about why cybersecurity is so lousy in the federal government
- By John S. Monroe
- May 06, 2010
If cybersecurity is so important and if so many security guidelines and solutions are readily available, why are federal agencies doing such a lousy job of protecting vital systems?
That was the gist of a speech given last month by Howard Schmidt, the White House's cybersecurity coordinator. It sparked a flurry of comments at FCW.com.
Schmidt offered his ideas for solving the problem, which include enterprisewide network intrusion detection and better math and science training in U.S. schools. Some readers responded to his recommendations, while others simply echoed his consternation.
Anony Mous picked up on Schmidt’s idea of raising a new security-savvy generation of technology workers.
“Get kids in high schools to set up their own school-specific social network servers, using Drupal or other open-source community software, as an extracurricular activity,” Anony Mous wrote. “Let them define the content and how it works. Let them deal with both the nitty-gritty details of running a system that could be vulnerable to attack and the content-level disputes over free speech vs. defamation and fraud.”
But several readers questioned Schmidt’s assumptions about intrusion-detection technology.
“Is intrusion detection/prevention even possible on such a diverse network as used by the federal government?” wondered CuriousIT. “Multiple operating systems, multiple versions of each operating system, multiple versions of browsers, differing requirements for managing ports due to the use of legacy software that was written when security wasn't even an afterthought. How do you wade through all the false positives? Mr. Schmidt is correct that something has to be done, but unless there [are] funding and teeth behind his statements, progress will be slow.”
“With the advent of cloud computing, social networking, mobile devices, etc., it is difficult to define the true perimeter of a network,” wrote Andy McEachron. “Network intrusion detection is becoming less effective. Host-based intrusion detection is becoming more important, more so when IPv6 begins to take hold.”
No Help for the Clueless
The root of the problem is that so few people in government really understand the issues, wrote Papa K. “Most nonsecurity types within the government don't have a clue. They think they know because they can spell 'security,' but they have no idea what they're doing. So no standard is going to help if they have no clue.”
Federal workers also get a lot of mixed messages, wrote RayW. “Let me see now: We need more security stuff. We need more Facebook and other 'social network' stuff. Riiiiiight.”
Bman was just happy to hear Schmidt talk in such frank terms. “It’s about time a cyber chief admits the shortcomings of the federal government in this area and makes an effort to fix them, publicly ensuring that things have been documented,” Bman wrote.
Concerned in Virginia, on the other hand, found the speech altogether disheartening. “If they're so excellent, why [isn't] the government's computer systems' security better? I've read a lot from ‘government cyber gurus’ that our systemwide computer network security is terrible; so then, why aren't they doing something to make it better, [rather] than blaming one another for failure?”
John S. Monroe is the editor-in-chief of Federal Computer Week.