Cybersecurity failings defy answers

Readers share their theories about why cybersecurity is so lousy in the federal government

If cybersecurity is so important and if so many security guidelines and solutions are readily available, why are federal agencies doing such a lousy job of protecting vital systems?

That was the gist of a speech given last month by Howard Schmidt, the White House's cybersecurity coordinator. It sparked a flurry of comments at FCW.com.

Schmidt offered his ideas for solving the problem, which include enterprisewide network intrusion detection and better math and science training in U.S. schools. Some readers responded to his recommendations, while others simply echoed his consternation.

Anony Mous picked up on Schmidt’s idea of raising a new security-savvy generation of technology workers.

“Get kids in high schools to set up their own school-specific social network servers, using Drupal or other open-source community software, as an extracurricular activity,” Anony Mous wrote. “Let them define the content and how it works. Let them deal with both the nitty-gritty details of running a system that could be vulnerable to attack and the content-level disputes over free speech vs. defamation and fraud.”

Outdated Ideas?

But several readers questioned Schmidt’s assumptions about intrusion-detection technology.

“Is intrusion detection/prevention even possible on such a diverse network as used by the federal government?” wondered CuriousIT. “Multiple operating systems, multiple versions of each operating system, multiple versions of browsers, differing requirements for managing ports due to the use of legacy software that was written when security wasn't even an afterthought. How do you wade through all the false positives? Mr. Schmidt is correct that something has to be done, but unless there [are] funding and teeth behind his statements, progress will be slow.”

“With the advent of cloud computing, social networking, mobile devices, etc., it is difficult to define the true perimeter of a network,” wrote Andy McEachron. “Network intrusion detection is becoming less effective. Host-based intrusion detection is becoming more important, more so when IPv6 begins to take hold.”

No Help for the Clueless

The root of the problem is that so few people in government really understand the issues, wrote Papa K. “Most nonsecurity types within the government don't have a clue. They think they know because they can spell 'security,' but they have no idea what they're doing. So no standard is going to help if they have no clue.”

Federal workers also get a lot of mixed messages, wrote RayW. “Let me see now: We need more security stuff. We need more Facebook and other 'social network' stuff. Riiiiiight.”

Bman was just happy to hear Schmidt talk in such frank terms. “It’s about time a cyber chief admits the shortcomings of the federal government in this area and makes an effort to fix them, publicly ensuring that things have been documented,” Bman wrote.

Concerned in Virginia, on the other hand, found the speech altogether disheartening. “If they're so excellent, why [isn't] the government's computer systems' security better? I've read a lot from ‘government cyber gurus’ that our systemwide computer network security is terrible; so then, why aren't they doing something to make it better, [rather] than blaming one another for failure?”

About the Author

John S. Monroe is the editor-in-chief of Federal Computer Week.


Reader comments

Fri, May 7, 2010 Kevin Dayton

Cyber-threats live in an evolutionary, highly complex, dynamic system with an incredibly tight OODA (feedback) loop managed by intelligent folks. Standards, checklists, and such solve the known problems of 5 years ago. The only way to "secure" a system is to attack it and fix the weaknesses. Even Army butter-bars are taught when preparing a platoon defense to walk where the enemy would walk and pretend to attack. Even facility guys occasionally trip breakers to see if the emergency generator turns on. Cyber is no different. The Govt needs more vulnerability assessment teams.

Fri, May 7, 2010 edmond hennessy united states

Again, a good article on a critical and sensitive topic. Realize that the author or reporter, Mr. Monroe, is savvy and on-the-same-page, as he is - in general, however how is it that the Bad Guys (Intruders) can so easily undermine our systems? Do they have more muscle, ingenuity, resources and funds to outinnovate/outmaneuver our Big Machine? Protecting your flanks is essential, however what are we learning and how is it being integrated into our CyberSecurity Operations? Understand the sentiment about "weaning them while school-age" and frowning on the mindset of the Government workforce for not getting it - however that's not where the problem-solution lies. The tail-end of the article has that proverbial sense of "finger-pointing." There was a time when the FBI was stumped with check fraud - they cracked the code - by enrolling the best thieves in the business to show them how it was done. Sounds like we need a dose of this to better understand the CyberSecurity Challenge - and, then we can determine the right way of protecting our valued systems and resources.

Fri, May 7, 2010 Vic Winkler http://Ground-Wire.COM

To improve cyber security we might learn a thing or two from Ernest Hemingway who famously said about writing: It's knowing what to leave out. When it comes to our choices in computers, our inclusion of applications and our implementation of networks -- we simply throw EVERYTHING into the soup of cyber space. With this approach, there can be no predictable and no reliable security. If we are doing this at home, it can be forgiven since as consumers we are probably NOT computer scientists or cyber security experts. If we are doing this as the operators of an enterprise we are MISGUIDED and ASKING for trouble. If we are running the nation's cyber security this way -- WHOOPS... It is possible to have insecure components in cyberspace, even possible for me to use these in various ways -- but they have to be ISOLATED in a RELIABLE and EFFECTIVE manner! Today, I do not hear much talk about the myriad of discrete actions we can take to achieve effective security in our interdependent networks. I think more than a few people lack the appropriate KNOWLEDGE and AUTHORITY. If they have it then they NEED TO SPEAK UP!!!

Fri, May 7, 2010

Unfortunately Cyber Security will not get better until it is funded up front and built into the systems we purchase or build. We constantly are put in the position of putting a band-aid on a sucking chest wound because we can't get funds for anything else. Bean counters want to know how often it will happen before they spend the money up front and with the number of attacks on government systems it is more likely than they think. Most government entities give lip service to doing cyber security by just saying they will comply with regulation such and such.
