Analysis: Cybersecurity puzzle is a tough one to solve

Despite increased efforts to implement better cybersecurity, federal agencies continue to succumb to cyber attacks. Could more – or updated – policies stem the tide of these potentially devastating attacks?

The topic gained renewed prominenece in late October when the Energy Department’s inspector general noted in an audit that cyber attacks targeting federal agencies' systems and websites increased nearly 40 percent in 2010. DOE itself had failed to adequately protect its information systems from the cyber attacks that constantly probed the networks – this after spending “significant resources” on cybersecurity measures, according to the report, released Oct. 20.

It is no surprise that cybersecurity has become an increasingly urgent issue for federal agencies, with hackers and nation-states infiltrating the systems to extract sensitive information and data.

The Defense Department, in particular, has been a prime target for hackers: In June 2010, U.S. Cyber Command chief Gen. Keith B. Alexander said DOD’s systems were probed more than 6 million times a day.

There are policies and measures already in place to prevent these attacks. The National Institute of Standards and Technology, which provides cybersecurity standards and guidelines to the federal government, has a security control catalog with 18 safeguards and countermeasures that each agency is required to implement.

The approach that’s currently been taken is sort of the equivalent of telling employees, ‘when you come to work, don’t open any square blue boxes.’ But then someone sends in square red boxes, and they all get taken." --  Eugene Spafford.

Many people think a policy is  “just paperwork, but policies and procedures are critical for setting the tone and establishing the organization’s commitment to doing the right thing with regards to due diligence in the area of cybersecurity,” said Ron Ross, fellow and project leader of the Federal Information Security Management Act Implementation Project at NIST.

The policies can address many different areas, and they can be challenging. But if the policy is clear and follows the basic principles that are articulated in the NIST standards and guidelines – and if it’s implemented properly -- it should result in better cybersecurity for the organization, Ross said.

No policy, however, will do any good if individuals fail to recognize their part in keeping information and systems secure.

“A policy for education, training and awareness is very critical today because a vast majority of the attacks come through the web and email,” Ross said. “One of the principal areas we have to focus on is making sure that the folks who work within the federal agencies and contractors understand they play a very important role in the protection of these systems.”

Although technology continues to play a significant part of cybersecurity, “the days we thought technology could be the solution to all evils and problems are gone,” said Amry Junaideen, a principal at Deloitte & Touche and cybersecurity leader for the firm’s federal practice.

Most data breaches in the past have happened not because technology failed but because of a people aspect, which makes training and awareness training ever so important, he said. However, if any aspect -- such as governance, policy, process or people -- are missing, “you’re going to fail in terms of mitigating your risk,” Junaideen warned.

Full security comes from having “the right technology in the right places” coupled with an educated, well-trained workforce, he said.
“You [could] have the perfect technology and someone who’s not properly educated basically opens the backdoor and posts sensitive information on the Internet [or] on a file share that gets compromised. All of a sudden, your human being becomes the weakest link,” he said.

Eugene Spafford, a professor at Purdue University and founder and executive director of the Center for Education and Research in Information Assurance and Security, said the real problem is the belief that flawed systems can be secured retroactively, either by add-ons or by compelling users to act in ways they are not used to.

Even if agencies have policies to provide training, they are often too specific or too ambiguous, he said. For example, take the “don’t open any suspicious e-mails” approach. What exactly constitutes a suspicious e-mail message? Many of the social engineering attacks occurring today are designed to not look suspicious, Spafford said.

“The approach that’s currently been taken is sort of the equivalent of telling employees, ‘when you come to work, don’t open any square blue boxes.’ But then someone sends in square red boxes, and they all get taken,” he said.

The federal government’s efforts to transition to cloud-based services and technologies could also mean more security problems, he suggested. Following trends or big pushes to save money often mean that security issues fall lower on the priority ladder.

“That’s partly why we have vulnerable systems today, because the idea was, ‘we’ll buy whatever is the cheapest thing on the market’ to save money rather than actually thinking through building a strong, secure infrastructure,” Spafford said.

Nominate Today!

Nominations for the 2018 Federal 100 Awards are now being accepted, and are due by Dec. 23. 


Reader comments

Thu, Nov 3, 2011 Jeff Debrosse San Diego

Without automation as one of the dimensions, we're going to significantly lag behind our cyber adversaries. According to Gen. Alexander's numbers citing 6 million probes per day directed at the DOD, we're probed heavily on a daily basis across all of our fronts. We can learn about each probe and attack, but the growing volume makes it humanly impossible to scale our analysis of each probe or attack. Enter machine learning and analysis. With learning systems, we can discover trends and patterns to identify bad actors and their collaborators. At the very least, we can detect behavioral patterns to increase our awareness. With more data points we have an increased ability to model the threats. Our adversaries are giving us what we need to draw a clearer picture of the threat - 6 million+ pieces of information on a daily basis. It's up to us to leverage that in a constructive manner and use it against those that are intent on stealing, modifying or destroying information.

Thu, Nov 3, 2011

Education and funding, not policy is the answer. I’ve been involved in DOE information security for almost 3 decades. Policy lags too far behind technology to be really useful. NIST does some really good stuff, but by the time it’s published it’s almost out of date. By the time NIST guidance filters through DOE and NNSA it’s 2-3 years out of date. Educate the end-users, the system administrators, the network administrators, and managers. If they understand the risks, we will need less policy. Of course that takes $ and our cyber budget is getting cut, every year. A year ago we had grown a very good cyber defense team. Apparently too good, because in the last 3 months we’ve have lost over half of them to the “private sector”.

Thu, Nov 3, 2011 Glenn Schlarman Annandale, VA

This article could have been written 15 or even 20 years ago. Until security is automagically implemented without need for user input, we'll just recycle the problems and the articles about the problems. Or, we can shake things up. Let's publicly pillory offenders and their managers, fire executives and transfer agency security program operations and responsibilities to an outside agency.

Thu, Nov 3, 2011 Scott Tennessee

I think the last paragraph incapsulates the entire article. Too many times we have to deal with purchasing what is cheapest, not best - that includes tecnology and personnel. It also extends to automatic promotions. The government needs to change its focus.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group