Is the government dropping the ball on cybersecurity?

In any discussion on cybersecurity, there’s at least one elephant in the room: The U.S. faces serious threats to national security, and, despite warnings, seems to not be making much progress toward doing something about it.

Congress’ failure to pass cybersecurity legislation this year was seen by many as a spectacular example of the government’s inability to move beyond partisan bickering for the benefit of the country. More recently, the Defense Department has reportedly fallen behind on mandated plans for setting up oversight and streamlining acquisition of cyber capabilities.

Against a backdrop of constant cyber threat rhetoric, it would seem like the government has yet to take any real action on cybersecurity. There’s no shortage of calls to action – so what’s the holdup?

Insiders say there are a number of reasons. Among them:

• It’s a complicated problem and subject to complex, bureaucratic processes that require strong leadership;
• There’s a lack of real understanding by some in charge;
• At times, expectations aren’t realistic.

At DOD, cyberspace is still a relatively new domain of warfare, which means there’s a lot of ground to cover as U.S. Cyber Command, its service components and other cyber-focused organizations become fully operational.

Not everyone is a change agent

"The roles and responsibilities and overarching understanding are still evolving. You’re talking about a lot of moving parts, with new command structure, new doctrine and a new rapid-response acquisition process – and trying to build that out to a functioning state that everyone understands,” said former Army CIO/G6 Lt. Gen. Jeff Sorenson, now partner and vice president at A.T. Kearney. “They’re still practicing on the football field. The actual execution is going to take a little time.”

Along with the acquisition plans, DOD also is charged with establishing and implementing new cyber oversight; according to Defense News. Behind-the-scenes concerns about adding bureaucracy are another reason the plans are delayed. One former DOD official pointed out that’s it’s necessary to have the right kind of leadership in place to negotiate those complexities.

“There are more processes and bureaucracies in the government than ever before. The size of DOD has increased because of the Global War on Terror. There are more checks and balances than ever,” said Gary Winkler, former Army Program Executive Officer–Enterprise Information Systems and now founder and CEO of Cyber Solutions. “Not everyone in the government is a change agent. Who is it going to be to work through the processes and bureaucracies? It’s hard to find a champion to institute that kind of change.”

Layers of bureaucracy

Unfortunately, that’s an issue that goes far beyond the walls of the Pentagon. Across the government, layers of bureaucracy stand as a barrier between rhetoric and real action. It also contributes to a lack of true understanding of the cyber problem at hand, according to one cybersecurity expert.

“There is a lack of thought leadership," said Richard Bejtlich, chief security officer at Mandiant. "Cybersecurity is not like building a bridge, where all you have to worry about are weather, earthquakes and other things you can model for. Cybersecurity involves an intelligent adversary who will figure out a way to attack your bridge in a way you never considered."

Bejtlich noted that too often, officials from across government focus on the wrong goals – or worse, have no real goals at all – in cybersecurity, which contributes to the gridlock inhibiting real action.

“If you ask what the objective of a national cybersecurity plan may be, nobody has an explicit answer. There are a lot of plans for coming up with a standard and being rated against it, like FISMA, but it doesn’t say anything about overall effect on security,” Bejtlich said. “It’s easier to say, ‘Here’s the standard, are you compliant?’ But there’s no one metric you can look at and say, ‘Wow, this is getting worse every year.’ There’s no way to quantitatively measure risk. But in Washington, there’s comfort with auditing against the standard.”

That institutional approach often misses the mark on some of the most critical threats, hindering true progress in cybersecurity. It also sets up expectations that may be unreasonable or inaccurate, sources said.

“This is extraordinarily complex issue to deal with. The timeline by which [lawmakers] were expecting results – in some cases 180 days – that was probably a bit too far,” Sorenson said.

While the lack of action is disconcerting and further incenses an American public fed up with partisan bickering, it doesn’t necessarily mean national security is that much more threatened, sources suggested. Despite the legislative malaise, there is a flurry of action behind the scenes endeavoring to better secure U.S. interests in cyberspace.

“To say that we’re at more risk because [the plans are delayed], I don’t think is accurate. Every day people are working this issue, working to solve the vulnerabilities and working to make the network more hardened and capable. There is tremendous work being done on the inside that’s not being publicized,” Sorenson said.