Puffing pipedreams about government IT security

Counterpane's Doug Howard says the overall information security of the U.S. government is a disaster.

While all great things must start with a minor movement forward, the latest White House memorandum on information security has as much value as telling my 4-year-old son that riding a bike is easy--all you need to do is pedal.

From the late '80s through the early '90s, I had the privilege of serving in the U.S. Air Force. For the majority of my enlistment, I served at the Pentagon, working for the Joint Chiefs of Staff. Later, I was assigned to Cheyenne Mountain (aka NORAD).

When I first started, I admittedly was as impressed as you might be if you've ever watched any movies referencing these two facilities. However, the glamour is typically isolated to Hollywood. Day-to-day operations are very similar to any other government agency or large enterprise. While the actual centralized controls of the military resources are well-defined and controlled from global command centers, process controls such as IT security are not.

The flaws with the new White House information security mandates come from assuming that centralized authority exists. In reality, this is as fictional as many of Hollywood's themes.

Simply put, the attempts to create any centralized controls or escalation points have failed. While federal authorities have made good-faith attempts to create security czars or centralized security groups such as the United States Computer Emergency Readiness Team (US-CERT), they have failed each time.

Security leaders who want to have an impact must choose one of two options.

One choice is to continue down the road that provides mediocre results, with each agency in charge of its own destiny. Allow each group to interpret its own definitions of effective security and how to meet Federal Information Security Management Act requirements, and then generate reports that provide a false sense of security to Congress. It's not that anyone is intentionally falsifying reports. But since what's being reported is not measured on a common scale, there are interpretations of convenience.

Or the security leaders can recognize that the overall security of the U.S. government is a disaster. Assign an overall leader who is candid, honest and not afraid of being fired for voicing the truth. Get all the proper leads of security from each department in a room for an extended period of time and start with the following:

A common chant must be repeated at the start of each meeting: "Today is a new day. My group and I have done some great things. However, we have areas of weakness that, when combined with my peer agencies, result in ineffective government security. I don't know everything, nor does anyone else, but as a group we can be heard or go down fighting. In the end, I know that I had an impact on the future of U.S. security."

Here's what else they can do:

• Have all members agree on common criteria of the criticality of data.

• A defined acceptance of access and controls on non-Defense Department data must be adhered to and met within a realistic time period. The Defense Department and the intelligence agencies must be given the latitude, under common criteria, to protect their nonadministrative networks in their unique way. Defense Department administrative networks and systems will align under the core group's standards.

• The key is to create a testing group under the security czar to test the implementation of security for all agencies on a recurring basis. Fund it properly, or outsource it to a qualified third party. Prioritize weak agencies and glaring problems first.

• Require the approval of the security czar and a peer group within the U.S. government on all future Chief Information Security Officer hiring decisions.

• Provide the US-CERT with the authority for getting data from all agencies when events occur. Allow it to create a clearinghouse and global view of what's happening in the world in real time. US-CERT must be under the direct command of the security czar.

• Recognize that policies, requirements and results should be proprietary in certain situations. Some of the best security is created when all the details aren't known.

• Create an environment for an honest exchange of ideas and information. The reality is that the current situation within any agency--or in the government overall--is not the result of any one individual or administration.

• Understand that mistakes will be made and some projects will fail. But do not settle for incompetence.

Sound like too much centralized control? Keep in mind that the core problems are the lack of centralized authority for government security and the lack of authority to enforce real policy. Only by moving to a centralized structure can government agencies become secure.