4 Errors That Foil Federal IT Security
SANS Institute Sees Fixes Congress Can Make
That's the conclusion of Alan Paller, research director of the SANS Institute, an IT security training and certification organization, in prepared testimony to be delivered Tuesday before the Senate Homeland Security and Governmental Affairs Committee. "This committee can fix all four," he said.
Error 1: Government Measures Security the Wrong Way
The Federal Information Security Management Act of 2002 required agencies to establish standard configurations. That one change did a great deal of good, but now attacks have become much more sophisticated. "However, federal agencies cannot move effectively to more secure systems unless you shift the emphasis of the FISMA assessments from paper reporting to automated monitoring of essential controls," Paller says. "If agencies are asked to implement critical controls and to automate reporting but still are forced to produce the current FISMA paper reports, they just won't be able to do so. ... This committee can fix that error by authorizing and empowering agencies to move to continuous monitoring of critical controls."
Error 2: Missing the Chance to Buy IT Security 'Baked-in'
"Technology buyers cannot cost-effectively secure technology they purchase," Paller says. "Further, most users of technology are unwilling to make changes to systems - even critical security changes - because they fear the changes will disable important features. Only the people who build and sell technology to government can configure that technology securely. The $70 billion in annual federal IT spending is enough to get radically better security baked-in, but most agencies - other than the Air Force - are not yet using that procurement leverage to ensure systems come with security baked in.
"This committee can help solve this problem by instructing agencies to specify security elements in every procurement and task order. ... If the requirements are not in the specific language of each contract, most contractors will not implement them."
Error 3: Allowing the Claim 'One Size Does Not Fit All' to Derail Purchases of More Secure Technologies
"When the government tries to use its procurement power to buy software at better prices and with security baked in, vendors often scream, 'One size does not fit all.' And it usually works. But it's wrong!
"Microsoft sells one size of Windows to tens of millions of people. Cisco sells one size of IOS (Cisco's operating system inside each of its routers) to hundreds of thousands of people. Oracle sells one size of its database to tens of thousands of people. Hundreds of vendors sell only one size. One size, to all these vendors, clearly fits all.
"By using federal procurement to buy securely configured systems, you do not constrain agencies from innovation or from making modifications. Instead you make them safer from the outset. The Air Force proved that. Loud claims to the contrary were dead wrong."
Error 4: Expecting DHS to Manage Security Across the Civilian Government Without White House Support
"Civilian government agencies do not work on a command-and-control basis across agencies. If someone from one agency tells someone from another agency to implement an action (regardless of legislative authority), the person in the second agency is likely to say 'I don't work for you.'
"The bottom line is that without a White House office actively and intelligently forcing the agencies to work well together, and to spend money on the right security controls, the Department of Homeland Security will fail in its federal cybersecurity role. ... The White House cyber security office would implement its operational control over civilian agencies only when national emergency events occur, or when agencies need to act to be ready to respond to such national security events; otherwise it would play a coordinating and monitoring role working through other parts of OMB. Unless you put the power to reconfigure and unplug computers and networks in the hands of a White House office, the nation will not be able to respond quickly or effectively to a major cyber attack."