Expert: Cybersecurity lapses could cost public trust

Government and industry must invest in protective and proactive measures, he said.

An information security expert warned that attacks on computer systems will continue to escalate and become a public trust issue until governments, industry and other organizations implement and enforce better security policies and invest more money and employees in cybersecurity.

Eugene Spafford, a computer sciences professor at Purdue University, painted a grim picture during a June 19 teleconference hosted by the National Association of State Chief Information Officers (NASCIO). He said information security research has received too little investment, and national and international law enforcement agencies have few resources and employees to fight cybercrime.

“Things don’t look at all rosy,” he said.

Organized crime – increasingly from Eastern Europe and Africa – is responsible for data breaches. Cybercriminals have resorted to extortion, demanding money in exchange for not erasing an agency’s or organization’s data or instituting denial-of-service attacks. They employ people to write spyware, botnets and other types of surreptitious software that hide in computers and capture keystrokes and other data, Spafford said.

The cost of identity theft exceeds $100 billion annually, he said.

However, the federal government doesn’t seem particularly concerned about cybersecurity, Spafford said. For example, Homeland Security Department officials have yet to fill an assistant secretary for cybersecurity and telecommunications position created last fall, and DHS’ budget for information security research is less than 1 percent of the agency’s budget, he said. More money is spent to keep cigarette lighters off airplanes than to address the fundamental problems of information security, he added.

Earlier this year, NASCIO and the Metropolitan Information Exchange released a joint survey that shows state governments have varying degrees of technologies, policies, education, budgets and staffing regarding cybersecurity. State officials previously said they would like better guidance and cooperation with federal officials on the matter.

Spafford, who also runs Purdue’s Center for Education and Research in Information Assurance and Security (CERIAS), said agencies and organizations haven’t kept pace with good security measures as they have moved into telecommuting and wireless environments and have begun using new technology such as voice over IP.

Spafford said he understands that agencies are too understaffed and underfunded to keep up with the 20 new software vulnerabilities and 50 new pieces of malware reported daily. But the alternative is to lose data, and as more data breaches are reported, the public will become more distrustful of government agencies and hesitant to use the Internet and e-mail, he said. This has already started and could affect state governments that are trying to provide more services and transactions online, Spafford added.

It’s not only a matter of implementing security technologies such as firewalls to prevent or slow attacks. For example, he said CERIAS has implemented policies and other measures and has not had an incident or break-in in nearly a decade. He said agencies need to plan for the long term and think about what kind of data they’re storing, how long they’re storing it, and whether it’s necessary and encrypted. He said people need to understand penalties for misusing information, and policies need to be audited and enforced.

Officials should also consider the benefits and possible misuse of the new technologies they want their employees to use. Agencies should also limit outside connectivity to their systems. He said not everything has to be connected, and it’s generally a good idea to house critical information in stand-alone systems requiring employees to be on-site to access that data.

Spafford also recommended developing a heterogeneous environment of different kinds of hardware and software platforms, which is more resistant to widespread attacks and more likely to detect attacks earlier.

“Probably the biggest thing, however, is being able to have authority to set policies, audit them and execute sanctions against those who violate the policies,” he said. “Almost every data breach [that] occurred in the last year…has been a result of someone who believed their deadline was so pressing and job so pressing that they didn’t need to follow the policy.”

The pharmaceutical industry has done a good job of securing data, he said, adding that he heard the adult entertainment and online gambling industries also manage cybersecurity well.

Sarkar is a freelance writer based in Washington, D.C.