Is the government dropping the ball on cybersecurity?

In any discussion on cybersecurity, there’s at least one elephant in the room: The U.S. faces serious threats to national security, and, despite warnings, seems to not be making much progress toward doing something about it.

Congress’ failure to pass cybersecurity legislation this year was seen by many as a spectacular example of the government’s inability to move beyond partisan bickering for the benefit of the country. More recently, the Defense Department has reportedly fallen behind on mandated plans for setting up oversight and streamlining acquisition of cyber capabilities.

Against a backdrop of constant cyber threat rhetoric, it would seem like the government has yet to take any real action on cybersecurity. There’s no shortage of calls to action – so what’s the holdup?

Insiders say there are a number of reasons. Among them:

  • It’s a complicated problem and subject to complex, bureaucratic processes that require strong leadership;
  • There’s a lack of real understanding by some in charge;
  • At times, expectations aren’t realistic.

At DOD, cyberspace is still a relatively new domain of warfare, which means there’s a lot of ground to cover as U.S. Cyber Command, its service components and other cyber-focused organizations become fully operational.

Not everyone is a change agent

"The roles and responsibilities and overarching understanding are still evolving. You’re talking about a lot of moving parts, with new command structure, new doctrine and a new rapid-response acquisition process – and trying to build that out to a functioning state that everyone understands,” said former Army CIO/G6 Lt. Gen. Jeff Sorenson, now partner and vice president at A.T. Kearney. “They’re still practicing on the football field. The actual execution is going to take a little time.”

Along with the acquisition plans, DOD also is charged with establishing and implementing new cyber oversight; according to Defense News. Behind-the-scenes concerns about adding bureaucracy are another reason the plans are delayed. One former DOD official pointed out that’s it’s necessary to have the right kind of leadership in place to negotiate those complexities.

“There are more processes and bureaucracies in the government than ever before. The size of DOD has increased because of the Global War on Terror. There are more checks and balances than ever,” said Gary Winkler, former Army Program Executive Officer–Enterprise Information Systems and now founder and CEO of Cyber Solutions. “Not everyone in the government is a change agent. Who is it going to be to work through the processes and bureaucracies? It’s hard to find a champion to institute that kind of change.”

Layers of bureaucracy

Unfortunately, that’s an issue that goes far beyond the walls of the Pentagon. Across the government, layers of bureaucracy stand as a barrier between rhetoric and real action. It also contributes to a lack of true understanding of the cyber problem at hand, according to one cybersecurity expert.

“There is a lack of thought leadership," said Richard Bejtlich, chief security officer at Mandiant. "Cybersecurity is not like building a bridge, where all you have to worry about are weather, earthquakes and other things you can model for. Cybersecurity involves an intelligent adversary who will figure out a way to attack your bridge in a way you never considered."

Bejtlich noted that too often, officials from across government focus on the wrong goals – or worse, have no real goals at all – in cybersecurity, which contributes to the gridlock inhibiting real action.

“If you ask what the objective of a national cybersecurity plan may be, nobody has an explicit answer. There are a lot of plans for coming up with a standard and being rated against it, like FISMA, but it doesn’t say anything about overall effect on security,” Bejtlich said. “It’s easier to say, ‘Here’s the standard, are you compliant?’ But there’s no one metric you can look at and say, ‘Wow, this is getting worse every year.’ There’s no way to quantitatively measure risk. But in Washington, there’s comfort with auditing against the standard.”

That institutional approach often misses the mark on some of the most critical threats, hindering true progress in cybersecurity. It also sets up expectations that may be unreasonable or inaccurate, sources said.

“This is extraordinarily complex issue to deal with. The timeline by which [lawmakers] were expecting results – in some cases 180 days – that was probably a bit too far,” Sorenson said.

While the lack of action is disconcerting and further incenses an American public fed up with partisan bickering, it doesn’t necessarily mean national security is that much more threatened, sources suggested. Despite the legislative malaise, there is a flurry of action behind the scenes endeavoring to better secure U.S. interests in cyberspace.

“To say that we’re at more risk because [the plans are delayed], I don’t think is accurate. Every day people are working this issue, working to solve the vulnerabilities and working to make the network more hardened and capable. There is tremendous work being done on the inside that’s not being publicized,” Sorenson said.

The 2014 Federal 100

FCW is very pleased to profile the women and men who make up this year's Fed 100. 

Reader comments

Fri, Aug 24, 2012 Cowboy Joe

Might be posible that the Chinese would like to help us SOLVE some of our cybersecurity problems. They could be more interested in us giving our money to them legitimately, rather than watching us get ripped off by our own folks and endin' up too broke to buy more Made-in-China stuff ...... well, SOME of 'em maybe...

Fri, Aug 24, 2012 MIke S. No. VA

Humans do the cyber-attacking in all social spaces: federal gov't, local gov't, businesses, organizations. Some activity is criminal, some terrorism, some just "for fun". Counterfeiting and theft are also parts. This problem requires a strategic approach, not tactical ... and most gov't Leaders are tacticians as they got to the top by learning how to weave their careers thru the bureaucracy by not making waves, keeping their heads down, figuring out the best way to take that next career move, etc. They are inside-the-box organizational players, not outside-the-box thinkers: capable of looking at many different pieces and recognizing potential whole pictures. To thwart cyber attackers we need thinkers, not players.

Fri, Aug 24, 2012 Hoi-Jay

What about cyber-usability? The Govt is also all-to-slow in adopting new, better, more-efficient, safer technology. Blackberry's are still the latest-greatest .. but only in the Govt.

Fri, Aug 24, 2012 Jay DC

Bascially because of "decision by committee" and useless bureaucracy the nation is at extreme risk. Great quotes from Government bureaucrats explaining how difficult is it to do anything. Maybe someone could visit China and see how they did it. They are prepared to Cyber attack at will, totally criple the nation....end of days senario here...planes falling out of the sky, no power, no water, train derailments, military ships floating dead in the water...but China will be totally protected from our counter attacks as they simply unplug from the internet and move to their self contained infrastructure.

Fri, Aug 24, 2012 johne37179 VA

The elephant in the room here is that behind every cyber attack is an attacker. There is a human element to cybersecurity that seems to be ignored with the focus exclusively on bits and bytes. Threats come from outside the enterprise and inside the enterprise and until the human risk elements are integrated into cybersecurity we can only have a partial solution at best.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above