Editorial: Check that backdoor
If an agency's cybersecurity strategy does not cover networks in McLean, Va., Lanham, Md., and a host of other cities where contractors work, it does not extend far enough.
Agency officials have made strides in securing wireless networks, but a recent survey of wireless networks in the Washington, D.C., area found mixed results.
Armed with a handheld antenna and a laptop computer, two Federal Computer Week reporters and a wireless expert drove around town to see if they could intercept signals emanating from government facilities. When they detected a signal, they checked to see if the data was properly encrypted.
When FCW reporter Bob Brewin conducted a similar survey several years ago, he found that many agency officials had unwittingly created backdoors to their networks. Security at those agencies has improved significantly, and our team detected only a few rogue wireless access points.
The bad news came when they scanned the facilities of some major systems integrators and found many wireless networks. Some links were encrypted, but in some cases, the wireless expert was able to identify the network addresses of access points, which could be dangerous information in the hands of a hacker.
The findings raise some unsettling questions, given the extent to which systems integrators are involved in many major government programs. Do the vulnerabilities of a contractor's network put government information at risk? How can agency officials assess threats, and how can they protect against them?
The lesson is not that wireless technology is too risky or that contractors cannot be trusted. Agencies must work in a networked world with inherent risks. The task is to understand those risks in all their manifestations.
The challenge in a networked world is to realize that some risks may arise in areas outside your direct control. Then it becomes a question of governance: How do you track those risks and their mitigation?
Our survey of wireless networks is no cause for panic. But it should remind agency officials to think in broader terms about the security of their information and networks.