The best security strategy: Low expectations

Members of a panel of security experts today painted a gloomy picture of the cybersecurity landscape, in which rapidly evolving threats and conditions ensure that even the best solutions are likely to remain piecemeal and temporary.

Security efforts should focus on assessing and managing risk to information, members of the panel of industry and government officials said, and baseline security requirements mandated by government cannot be expected to provide adequate security across the board.

“We should go in with our eyes open to the reality that if somebody wants the information, no matter what the baseline, they will get it,” said Wayne Fullerton, solutions and operations director for Cisco Systems Inc.’s U.S. federal organization.

Levels of security need to be assigned to a given piece of information based on its value to the owner and to those who could steal it. After the cost of stealing information drops below its perceived value, “if people really want it, they will get it,” Fullerton said.

And although no one level or policy is practical for securing all data, no one architecture is advisable either, said Bill Vass, president and COO of Sun Microsystems Federal.

“We don’t want to have one consistent architecture everywhere,” Vass said. That would only create a common set of risks.

The panel was presented by the Secure Enterprise Network Consortium, which includes Cisco, Sun Microsystems, CA and Accenture, as well as the Energy Department’s Los Alamos National Laboratory.

Rep. Jeff Miller (R-Fla.), ranking member of the House Armed Services subcommittee on Terrorism and Unconventional Threats and Capabilities, expressed concerns about the threat of cyber warfare in his opening remarks to the panel. Miller represents the panhandle of Florida that includes the Pensacola Naval Air Station and Eglin Air Force Base.

“We are in a cyber war, whether you want to call it a war or not,” he said, citing the millions of daily attacks against Defense Department IT systems. It is difficult to determine the sources and motives for these attacks, but he also cited instances of online attacks against Estonia in 2007 and Georgia last year as illustrations of the “ability to combine cyber attacks with a military objective.”

Miller said DOD must work closely with industry to ensure that national defense IT systems are not compromised at their outset by backdoors and other compromises that could be installed by offshore developers and manufacturers.

Terry Wallace, principal associate director for science, technology and engineering at Los Alamos, said the lab assumes that its systems are compromised, and that its security is imperfect.

“There will always be information loss,” Wallace said, and all systems are contaminated, although how and to what extent is unknown. With these assumptions, Los Alamos must strike a balance between the need to protect information and to enable collaboration on scientific research that is the lab’s stock in trade.

“There isn’t an answer today,” he said. “Our biggest challenge is that we have a lagging response. We’re almost always mitigating something that is no longer a security concern,” taking resources away from the job of anticipating threats.

Another problem that does not seem to be anywhere near a solution is figuring out who is in charge of the government’s IT security. This is a question that frustrates both the government and private sector.

“For us in industry, it looks like a phone book” when trying to determine whom to contact on a given subject, one member of the audience said.

Miller had little comfort to offer on that question. Although a central point of contact would be convenient, he warned that responsibility needs to be distributed so that differing needs of each installation can be addressed.

Jerry Briggs, managing director of Accenture’s federal business, said that rather than a single overseer for IT security in government, what is needed is better cooperation between the executive branch, Congress and industry.

About the Author

William Jackson is a Maryland-based freelance writer.

Reader comments

Thu, Mar 19, 2009

Re: Low Expectations - sounds like the Cyber community is where the Physical Security community was about 10 yrs ago. We tried all kinds of electronic systems and defenses and finally came full circle to putting guards (humans) at critical points of entry and used centric cones of security to guard our most critical assets with a mix of electronics and people. Seems the cyber folks could learn from our mistakes and successes - we finally had to admit that if an adversary was willing to pay the costs in equipment and manpower, most of what we were trying to protect could be exploited. Think about integrating your early warning cyber detection systems (gateways?) with humans/guards, 24X7, 365, so you have a ready, timely response/defense and method of interrogating the intrusions we are seeing to our systems. I know this is a simplistic approach to a complex problem - the same argument all the "smart" people used when we turned things around in the Physical Security world, but the concept may work for Cyber as well?
