Why security is so hard

What will it take to make federal agencies more serious about computer and information security? We will learn shortly whether the Government Information Security Reform Act can do the trick.


GISRA is the latest attempt to compel federal agencies to build adequate security safeguards into their information technology systems. It requires agency officials to submit annual reports to the Office of Management and Budget documenting their security preparedness — the first is due Sept. 30 — or risk having funds for IT projects withheld. However, there are signs that an alarming number of federal offices still have not prepared reports and that many have not even performed the vulnerability assessments that are a key requirement of GISRA.

So why, despite numerous legislative actions that date back as far as 1987, is much of the government not doing enough to protect its IT assets? There are several reasons.

One is the persistent nature of the security challenge. In certain respects, the current focus on security is analogous to the effort to ensure that government computers could safely handle the date change to the Year 2000. In both cases, credible risks to the smooth operation of government computers called for concerted efforts to mitigate those risks. And both issues consistently ranked at the top of most IT managers' list of concerns.

But the Year 2000 problem differed significantly in that it culminated in a single day of reckoning (a split second, really). That laser focus went a long way toward galvanizing agencies to apply abundant attention and resources — work that, in the vast majority of cases, was entirely successful.

Security, on the other hand, has no such convenient deadline. Threats to federal IT systems are always present and sources of new attacks plentiful. Securing government systems is like running a marathon, not a sprint, as was the case with the Year 2000 problem. For whatever reason — perhaps because there has yet to be a catastrophic breach, just embarrassing and inconvenient ones — few agencies have demonstrated the resolve to hunker down for the long haul.

The subpar commitment to building bulletproof federal IT security systems can also be attributed to the simple fact that IT security is just plain hard. For example, once you've installed a long list of security software — firewalls, virtual private networks, antivirus software — you need to keep all those products up-to-date by installing a steady stream of software patches.

And because enterprise IT systems are constantly growing and changing, you need to do regular vulnerability assessments to make sure the security systems continue to work properly.

Effective security also requires strong commitment from senior management — financially and in terms of leadership — as well as the cooperation of an agency's entire workforce.

Until now, the government's traditional approach of staying at least one step behind the new technology curve has not been a major liability. If it took an extra six months or a year for the benefits of new technology to reach the government, that was an acceptable trade-off to avoid the pitfalls of first-generation technology. But the government can't afford a six-month gap when malicious hackers and potential adversaries are already using the newest technology.

Better government security systems are entirely within reach, technically and financially. The resources that are in short supply are commitment and leadership. That's one deficit we can't allow to continue.
