Check out this article, "Analysis: Cybersecurity puzzle is a tough one to solve," from Federal Computer Week. While it provides some well-reasoned perspective on the lack of cybersecurity effectiveness in U.S. Government systems, I think that the conclusions of the analysis are misdirected.
Organizations have a lot of cybersecurity challenges and the Federal government probably has it worse than most. It represents a highly visible target, presents a huge attack surface, and maintains some of the most valuable information on the planet. To the modern hacker (state-sponsored or otherwise), U.S. government systems look collectively like a huge walled-off fresh water lake in a desert full of thirsty people.
Having spent nearly my entire IT career supporting the Federal government, I would argue that cybersecurity is only a tough puzzle to solve when you're trying to force the pieces into the wrong places. Rather, in my experience, the government tends to be deluded into seeing the cybersecurity picture as something different than reality. That's not to say that there are no good people in government cybersecurity. There are. But those people lack the tools and access to make much more than baby steps of progress, and are often supported by security practitioners who depend too much on ineffective practices that they defend as "leading."
So, in response, I offer the following points that combine to confuse the cybersecurity picture and submit that, to solve the puzzle, the government needs to prioritize its efforts to counter each point.
- Blame the User. Security practitioners have been blaming the user for cybersecurity failures from the beginning. How long can we continue to perpetuate the charade before users start to really rebel (if they haven't already)? In the 1990s, the industry told users to stop opening documents from other users because they could contain malicious scripts. In the 2000s, the industry then shifted to say that you had to install anti-virus and stop reading untrusted email. This decade, we're now telling users to stop clicking on email links, opening attachments, and connecting to public wireless access points. What all of these steps seem to ignore is the fact that users need to do all of these activities as part of their daily routines. It's no wonder that people ignore cybersecurity policy because it often fails to address their actual needs. To correct this perception, security practitioners need to begin Enabling the User to make more secure decisions by making security more transparent and in line with their daily routines. We need to be experts in everything the user does to best understand how what users do can cause security breaches. Embedded security is the answer.
- Technology over Process. At no point can technology solve a cybersecurity problem because technology is simply a tool for enabling the business or mission processes. Taking this approach is like putting a bucket under a leaky ceiling. It solves a symptom while the problem gets worse. For example, when approaching a network-based application, the security industry will talk about encrypted connections, multifactor authentication, form validation, code reviews, etc. But those solutions only apply to the application architecture, not the process that the application enables. If a user requests and receives access to an asset management system from one manager and then requests and receives access to a financial system from another manager, then all of the technical security controls have proven effective. However, if the user then has control over the entire procurement process, the user is in a position to commit undetected fraud. Security practitioners should focus on Securing Business/Mission Processes to better identify where interface points and other weaknesses represent vulnerabilities. Then, and only then, should they begin to identify solutions that may, or may not, include technology enhancements.
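The procurement scenario above is easy to reproduce in code, and doing so shows why a per-system control cannot catch it. The following is an added example, not code from the original post: every grant in the constructed log is approved by the correct system owner (the "technical control" each system enforces), yet a cross-system separation-of-duties check over the same log finds one user holding a toxic combination of roles. The systems, roles, manager names, toxic-combination policy and log lines are all constructed assumptions for the illustration.

```python
"""Cross-system separation-of-duties check over an access-grant log.

Added illustration, not from the original post.  Each grant below is
checked by its own system (did the right manager approve it?), and
then the whole log is checked at the process level (does any one user
hold a combination of roles that lets them run procurement end to end?).
All names and policy values are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed policy: holding every (system, role) pair in a set at once is a
# violation.  No single system owner can see this; only the process can.
TOXIC_COMBINATIONS = {
    "procure-and-pay": frozenset({("asset_mgmt", "requester"), ("finance", "approver")}),
    "vendor-and-pay": frozenset({("vendor_mgmt", "editor"), ("finance", "approver")}),
}

# Assumed: which manager is allowed to approve roles on which system.
SYSTEM_OWNERS = {"asset_mgmt": "mgr_ops", "finance": "mgr_fin", "vendor_mgmt": "mgr_ops"}


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    role: str
    approved_by: str


def parse_grant_log(lines):
    """Parse 'user,system,role,approved_by' lines; blanks and '#' comments are skipped."""
    grants = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, system, role, approver = (field.strip() for field in line.split(","))
        grants.append(Grant(user, system, role, approver))
    return grants


def per_system_check(grant):
    """The control each system enforces on its own: the system's owner approved the grant."""
    return SYSTEM_OWNERS.get(grant.system) == grant.approved_by


def sod_violations(grants):
    """Process-level control: which users hold a complete toxic combination of roles?"""
    held = defaultdict(set)
    for grant in grants:
        held[grant.user].add((grant.system, grant.role))
    violations = []
    for user, roles in sorted(held.items()):
        for name, combo in TOXIC_COMBINATIONS.items():
            if combo <= roles:  # every pair in the toxic set is held
                violations.append((user, name))
    return violations


# Constructed sample log: alice is approved correctly twice; dave's grant
# was approved by the wrong manager and fails the per-system check.
SAMPLE_LOG = """
# user,system,role,approved_by
alice,asset_mgmt,requester,mgr_ops
alice,finance,approver,mgr_fin
bob,asset_mgmt,requester,mgr_ops
carol,finance,approver,mgr_fin
dave,finance,approver,mgr_ops
""".splitlines()


def run(lines=SAMPLE_LOG):
    """Return (grants failing their own system's check, cross-system SoD violations)."""
    grants = parse_grant_log(lines)
    technical_failures = [g for g in grants if not per_system_check(g)]
    return technical_failures, sod_violations(grants)


if __name__ == "__main__":
    bad_grants, sod = run()
    print("grants failing their own system's approval check:", bad_grants)
    print("users holding a toxic combination across systems:", sod)
```

Both of alice's grants pass `per_system_check`, so each system owner did their job; only `sod_violations`, which looks at the process rather than either system, reports her. Dave's grant is the opposite case: the technical control catches it, but he holds no toxic combination. The detection data (grants with approver) is usually already in access-management logs; what is missing in a technology-first program is the policy that relates roles across systems.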
- The Secure Endpoint. In most cases, the endpoint system, be it a workstation, laptop, mobile device, or other information interface, cannot be trusted. While there are trusted computing platforms and hardening guidelines that can do a very good job of securing the endpoint, the reality is that most users don't have the access nor the control to employ them. The session hijacking example that I've written about in the past is a great example of how attackers have figured out how to exploit our misplaced trust in endpoint systems by bypassing all technical controls. Sure, the security industry can blame the user for submitting to social engineering tactics, but even the most experienced security professionals can sometimes fall victim to sophisticated human-oriented attacks. We tend to assume a secure endpoint to make our jobs easier, but we do so at the expense of the information that we're charged to protect. Instead, security practitioners need to be more innovative and Give Up Device Control. It's a losing battle. We should assume that the endpoint is untrustworthy and focus our energies on protecting transactions rather than sessions, and process over technology.
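One concrete way to act on "protecting transactions rather than sessions" is to make a session token good only for identifying the user, and to require each state-changing transaction to carry its own authorization computed with a secret that never lives in the endpoint's session. The following is an added example chosen by the editor to illustrate that principle; it is not code from the original post, and the transaction-signing design (a per-user HMAC key, a per-transaction nonce, a canonical encoding of the transaction fields) is an assumed design rather than anything the post specifies. User names, amounts and recipients are constructed.

```python
"""Transaction-level authorization that does not depend on session trust.

Added illustration, not from the original post.  The server treats the
session token as nothing more than "who is asking"; a transaction is
only applied when it carries a MAC over its own fields produced with a
per-user key that is assumed to be held outside the endpoint's session
(for instance on a separate signing device).  Design and values are
constructed assumptions for the example.
"""
import hashlib
import hmac
import json
import secrets


class TransactionServer:
    def __init__(self):
        self.sessions = {}        # session token -> user
        self.txn_keys = {}        # user -> transaction key (assumed to live off the endpoint)
        self.seen_nonces = set()  # replay protection for accepted transactions
        self.ledger = []          # applied (user, transaction) pairs

    def enroll(self, user):
        """Issue the per-user transaction key once, at enrollment."""
        key = secrets.token_bytes(32)
        self.txn_keys[user] = key
        return key

    def login(self, user):
        """Issue a session token; this is the only thing a hijacked session yields."""
        token = secrets.token_urlsafe(16)
        self.sessions[token] = user
        return token

    @staticmethod
    def canonical(user, txn):
        """Deterministic byte encoding so signer and verifier MAC identical input."""
        return json.dumps({"user": user, **txn}, sort_keys=True, separators=(",", ":")).encode()

    @staticmethod
    def sign(key, user, txn):
        return hmac.new(key, TransactionServer.canonical(user, txn), hashlib.sha256).hexdigest()

    def submit(self, session_token, txn, mac):
        user = self.sessions.get(session_token)
        if user is None:
            return "rejected: no session"
        nonce = txn.get("nonce")
        if not isinstance(nonce, str) or nonce in self.seen_nonces:
            return "rejected: replayed or missing nonce"
        expected = self.sign(self.txn_keys[user], user, txn)
        if mac is None or not hmac.compare_digest(expected, mac):
            return "rejected: transaction not authorized"
        self.seen_nonces.add(nonce)
        self.ledger.append((user, txn))
        return "accepted"


def scenario():
    """Walk through the cases a session-only design gets wrong; returns the four outcomes."""
    srv = TransactionServer()
    key = srv.enroll("alice")      # held on alice's signing device, not in her browser
    token = srv.login("alice")     # the value a compromised endpoint could leak
    txn = {"nonce": "n1", "amount": 500, "to": "vendor-42"}
    legit = srv.submit(token, txn, srv.sign(key, "alice", txn))
    # A valid session alone cannot authorize a new transaction.
    session_only = srv.submit(token, {"nonce": "n2", "amount": 9000, "to": "elsewhere"}, None)
    # A captured, correctly signed request cannot be applied twice.
    replay = srv.submit(token, txn, srv.sign(key, "alice", txn))
    # A signed request cannot be altered in flight.
    altered = dict(txn, nonce="n3", amount=9000)
    tampered = srv.submit(token, altered, srv.sign(key, "alice", txn))
    return legit, session_only, replay, tampered, len(srv.ledger)


if __name__ == "__main__":
    print(scenario())
```

The point of the example is what the session token is not allowed to do: it identifies alice but authorizes nothing, so a leaked token by itself yields no transactions, a captured signed request is applied once, and a modified request fails verification. Where the per-user key actually lives (a hardware token, a separate device, an out-of-band approval step) is the design decision this approach forces you to make explicitly instead of assuming the endpoint is clean.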
- Compliance Culture. If the Federal government has done one thing wrong, it was to place too much dependence on security control standardization and reporting and too little on keeping up with changing security. For example, I noted in this recent posting that NIST SP 800-63, the government standard on electronic authentication, was written five years ago. Time has not been kind to the standard. Yet, in a checkbox compliance environment, system owners are only required to do what they're told, not to do what needs to be done to protect the system. System owners will therefore use the standard despite its age. A compliance culture also emphasizes the need to secure at development checkpoints rather than to secure the lifecycle of a system. To combat this problem, security practitioners should be steering away from compliance and more towards building a Culture of Security. In this shift, reporting should change from showing what was done upfront to showing how the system responds to change. There is no phase that's more important to cybersecurity than Continuous Monitoring, but it's the most neglected phase of the security process.
- Security Specialization. From a government community perspective, cybersecurity tends to be treated as an exclusive domain best addressed by specialists rather than as a common practice best employed by every member of the community. Even security practitioners continue to perpetuate the notion that users should have general security training. But that training emphasizes a very broad view that directs users to "look for problems" rather than educating them on how to conduct their work activities soundly. Security practitioners should be more innovative by employing Transparent Security techniques that embed security into all business and mission processes, and then training accordingly.
In this era where IT has evolved to become embedded into our daily lives, so too must cybersecurity evolve to being less of a specialization and more of a common imperative. To solve the puzzle, the Federal government should start looking at its cybersecurity efforts differently and seek out innovative people and organizations that will help it evolve rather than remain constrained to outdated legacy practices.
If you would like to comment on this or any of my other postings, you may look for it on Google+ or on LinkedIn and comment there. This helps counter spam and promotes intelligent discourse over anonymous rantings.