Between the repeated attacks on the United States government’s IT infrastructure by foreign hackers and incursions by LulzSec, a hacker community whose members wandered in and out of government cybersystems before publicly disbanding this week, it’s not difficult to conclude that the U.S.’s federal IT infrastructure is the cybersecurity equivalent of Swiss cheese.
LulzSec trashed the public-facing websites of the FBI, the CIA and Congress, as well as those of Sony and other corporations. Last week, it broke into the servers of the Arizona Department of Public Safety, stole confidential documents, and published them on the Internet.
Meanwhile, the Obama administration is wrestling with the possible impact on federal IT of the pending departure of the first United States Federal CIO, Vivek Kundra. He will leave in August for Harvard University.
Will Kundra’s departure impact U.S. federal cybersecurity efforts? Can the Obama administration lead us to the cybersecure promised land? Or will hackers continue to loot and pillage our IT infrastructure at will?
Every Goodbye Makes the Next Hello Closer
It’s not yet clear how, or whether, the pending departure of federal CIO Vivek Kundra after just over two years in the post will affect the state of federal cybersecurity.
“I have great hope that this position will continue to have impact in the federal cybersecurity arena in the future,” said Keren Cummins, director of federal markets at nCircle.
“Losing strong and effective leadership is never a good thing, but … the problem is not one of leadership, people, resources or will; it’s a problem of technology,” Dave Lowenstein, CEO of Federated Networks, told TechNewsWorld.
Washington Puts Up Its Dukes
It’s not as if the Obama administration is taking things lying down. It has made cybersecurity one of its top priorities.
In May, the Administration launched the United States International Strategy for Cyberspace. It’s also working on the Comprehensive National Cybersecurity Initiative.
In addition, the White House last month sent Congress a cybersecurity legislative proposal. Further, the U.S. government is pursuing hacker groups with a vengeance and teaming up with its counterparts overseas to do so.
However, cybersecurity defenders are currently outgunned because hackers “have frankly out-innovated the security industry,” Federated Networks’ Lowenstein suggested.
Practicing the Art of Lobster-Fu
An outmoded approach to cybersecurity is crippling U.S. efforts in this area, argued Charles Dodd, a cybersecurity consultant to various U.S. government agencies.
For example, the U.S. Department of Homeland Security has released a risk management strategy to protect online activity across the globe.
Developed in partnership with the IT industry, the strategy suggests “risk mitigation activities such as promoting education, training, outreach and awareness that focuses on data file misuse.”
That may sound like reading a book about karate when a bunch of heavily armed muggers is heading your way at high speed with crazed eyes.
“The DHS don’t have people with the right skill set advising them on what they have to do,” Dodd told TechNewsWorld.
“If they have a bunch of people telling them … how to posture themselves defensively, who the hell cares?” Dodd asked.
“The temperature’s already been turned up, the water’s already starting to boil,” he added.
The DHS did not respond to requests for comment by press time.
Work Like You’re on a Chain Gang
IT security professionals, especially in government, have to keep working hard just to stay in the game.
“Government networks are under attack all the time,” nCircle’s Cummins told TechNewsWorld.
“Security today is like running a movie — you need to be watching your environment proactively,” Cummins stated. “You need to be continually asking yourself what steps you can take today to harden your environment.”
The Need for New Thinking
Existing cybersecurity models and methods are “seriously flawed,” Federated Networks’ Lowenstein said.
Vendors should “move immediately to a results orientation,” Lowenstein suggested. “It’s not about the technology, it’s what the technology can actually do, what attacks it can actually stop, or not, as the case may be.”
Perhaps the feds should also re-assess their approach to security.
“We do possess some serious capabilities within the NSA (National Security Agency) and the FBI,” Dodd said.
“But nobody is going to give these guys permission to offensively counterattack, and that’s because our policymakers don’t realize how bad this threat is,” Dodd stated.
Gotta Use the Old Cabeza
In the meantime, government agencies and departments at all levels could use a little common sense.
Take the LulzSec hack of the Arizona Department of Public Safety, for example.
“You would hope that sensitive documents would not be stored on Internet-facing equipment, but this wouldn’t be the first time this has happened,” Chet Wisniewski, a senior security adviser at Sophos, told TechNewsWorld.
Better yet, organizations should encrypt their data, suggested Wasim Ahmad, VP of data security at Voltage Security.
“Traditional boundaries are disappearing,” Ahmad told TechNewsWorld. “Data now lives inside data centers as well as in the cloud and on mobile devices, and it’s vulnerable in all of those places.”