The one action that may make the most difference in how federal agencies secure their computer networks involves no new whiz-bang technology.
It has no up-front real-dollar costs either.
Eugene Spafford, a professor of computer science at Purdue University in Indiana and the executive director of the Center for Education and Research in Information Assurance and Security (CERIAS), a campus-wide institute for cybersecurity, said the solution, in part, is much simpler. “One of the biggest problems is there isn’t sufficient accountability in most places,” he said. “It’s very hard to discipline employees for not following good procedures or not attending classes in many agencies. I wouldn’t say it’s true across the board. At higher levels, there isn’t much accountability if there is a significant problem at an agency to hold managers or the CIO of the agency responsible. So if we would have better accountability, I think that would make a huge difference right there. That isn’t as much a functional change, but a change in attitude.”
Spafford, who has served on federal committees and worked with the Air Force and other standards organizations, said too often cybersecurity still is considered a “nice to do” and not a “must do.”
He pointed to the recent cyber attack the Energy Department suffered where the personal information of more than 50,000 employees now is at risk.
“The fact this keeps happening time after time after time for very simply fixed problems is an indication this isn’t taken seriously enough,” he said. “If it was taken seriously, a lot of those really low hanging fruit kind of issues would be fixed. We wouldn’t constantly be seeing cases of people doing dumb things like bad passwords, installing unpatched software or clicking on links they are not supposed to and so on. There really isn’t a sense of urgency or a sense of ownership that permeates too many places.”
Spafford doesn’t dismiss the fact the federal government has improved how it deals with data and protects information and systems.
He said pockets of real progress and change do exist, particularly in the Defense Department. But too many agencies face the same roadblocks and challenges today as they did 5 or 10 years ago.
Additionally, Spafford said cyber threats and vulnerabilities are more complex than they once were: where a hacker once was happy to launch a virus or worm just to see if it worked, nation states, cyber criminals and others now launch similar attacks with the goal of stealing information.
Spafford said agencies face several challenges in protecting their systems that the commercial sector does not, including not having enough funding.
“They have to make a lot of their information and processing available to the public, either to individuals, to other agencies, to firms and to all kinds of possibilities, so they have to have a lot of open interfaces, and those are more difficult to secure,” he said. “A second issue they have problems with is I don’t think many agencies have the resources that they should have to adequately protect their systems. This includes people, training and especially software and hardware. There is a large legacy base in the government, and the ability to upgrade those, and to do so in a way without breaking existing applications or to replace outmoded items, is much more difficult because of budget constraints, because of laws about how things can be purchased and evaluated, and because of the very long contracting process that is involved.”
Spafford said agencies will face an additional challenge when Microsoft stops supporting XP in April. He said that’s an example where agencies need to move off old software to a newer, more secure operating system, but many don’t have the resources to do that in time.
The government spends more than $35 billion a year on IT security, including more than $20 billion by DoD.
He said there is a growing awareness in Congress and the White House about the importance of funding cybersecurity across all parts of the government.
Spafford added that it’s not just funding: agencies also need a better understanding that the Internet doesn’t stop at the U.S. border, so an international perspective on cyber laws, rules and the like is more important than ever.