Why Government CIOs Are Giving Security Short Shrift
Oct 25, 2011 5:00 AM PT
We've been having a jolly good time lambasting the United States federal government and, by extension, its various CIOs for Washington's problems in cybersecurity implementation.
It turns out now that the fault, dear readers, lies not with the CIOs but with the government itself.
The U.S. Government Accountability Office (GAO) has found that federal CIOs do not consistently have responsibility for 13 major areas of IT and information management that are defined in law or deemed critical to effective IT management. In practice, CIOs continue to devote more of their attention to IT management issues than to the information management side.
The GAO found other issues as well. You can read its report here.
In another development, cybersecurity vendors are warning of the emergence of a new worm, named "Duqu," which is similar to the Stuxnet worm that targeted Iranian nuclear facilities.
The Short, Frantic Life of Gov't CIOs
The GAO found that most federal government CIOs are responsible for seven key IT management areas, including information security. It found that many CIOs serve in other high-level positions, such as human capital officer, in addition to their roles as CIO. Tenure in the position is generally about two years.
However, 13 major areas of IT and information management aren't always under their control, a deficiency that perhaps needs to be addressed fairly rapidly.
The GAO also found that only slightly more than half of the CIOs report directly to the heads of their respective agencies, as the law requires. Further, CIOs don't always have sufficient control over IT investments, and they often have limited influence over hiring and firing decisions and over the performance of CIOs at subsidiary levels.
The GAO has made various recommendations to the Office of Management and Budget (OMB) for redressing the situation.
Cybersecurity for the SMB
The FCC announced Monday that it will unveil a new online tool, the Small Biz Cyber Planner, to help small businesses plan their cybersecurity.
This tool was developed as part of a collaboration with government experts and private IT and security companies as well as the Department of Homeland Security, among other organizations.
It lets small businesses create a customized cybersecurity guide by answering a few basic questions online.
The question this raises is: Will cybersecurity vendors have access to the answers online? Could that raise the threat of a security breach? Will it result in the SMB being flooded by sales calls and emails from vendors?
Duqu and Vendors' Free Tools
A new piece of malware, dubbed "Duqu," has emerged.
It was written by people who had access to the Stuxnet source code, Vikram Thakur, principal security response manager at Symantec, told TechNewsWorld.
The original creators of Stuxnet remain unknown, Thakur added.
However, German cybersecurity expert Ralph Langner, best known for his analysis of the Stuxnet worm, has contended that Stuxnet was created by the United States.
Symantec's Thakur claims Duqu's purpose is to "gather intelligence data and assets from entities such as industrial control systems manufacturers, in order to more easily conduct a future attack against another third party."
On the other hand, Langner's website carries a statement that his firm doesn't research Duqu because it appears to be unrelated to control systems.
Keeping Your IP Address Clean
Finally, Zscaler has released a free Web service that people can access to see whether their endpoint clients and IP addresses are being used for malicious purposes.
IPAbuseCheck is available to both individuals and organizations such as businesses and government agencies.
"We have the data that's related to infected systems, so we are sharing this data to empower the system owners to clean up their infections," Mike Geide, senior security researcher at Zscaler ThreatLabZ, told TechNewsWorld.