Security officials play nice

Federal agencies are deploying more sophisticated network scanning tools than ever before. But even high-level information security officials often have little power — other than persuasion — for getting network users to plug the security holes identified through scans.

The situation that information security officials described today at an event in Washington, D.C., was no surprise to anyone familiar with the way large bureaucracies such as the Veterans Affairs Administration or the Federal Aviation Administration operate.

Pedro Cadenas Jr., the VA's chief security officer, said his office and the VA's Inspector General's Office are the only two groups within the VA who are authorized to run scans of the entire wide-area network. But Cadenas has to use "friendly reminders" to get others to fix security problems.

"We're not writing any tickets," Cadenas said.

Friendly reminders, however, have proved fairly effective, he said. When information security staff members can say with authority that they have discovered rogue devices attached to the network, or open connections that should be locked down but are not, the owners of those devices and connections usually fix the problems, he added.

Open connections are often referred to as leaks. VA officials found several thousand leaks along their perimeter on a recent scan of their network, Cadenas said. For that and for subsequent scans, Cadenas' staff used a scanning tool made by Lumeta Corp., the company that sponsored the security seminar.

Cadenas said the VA operates under unusual security constraints with regard to medical devices attached to its network. Information security staff members, for example, have no authority to apply security patches to the computers that control medical devices. Unpatched computers are vulnerable to infections by malicious code — such as the recent Sasser worm.

The recent Sasser worm infected 192 of the VA's machines, Cadenas said. This was a light hit, considering the 240,000 employees who are connected to the VA network.

Tom O'Keefe, deputy director of the FAA's cybersecurity office, who also spoke at the Lumeta event, said he could not disclose the number or kind of vulnerabilities FAA officials discovered when the agency ran its first security scan. Similar to Cadenas, O'Keefe said all that his staff members could do with the findings was "just cajole."

More worrisome to O'Keefe, however, is the fact that the FAA needs an influx of talented security people who can understand and use such tools. There are no reserve players when it comes to government information security, O'Keefe said. Prospective employees "are all going someplace else," presumably into private-sector jobs, he said.

Trying to lure talented people into government to handle the challenging but "cool job" that awaits them in the FAA is one of O'Keefe's biggest challenges, he said.
