Analysis: Cybersecurity puzzle is a tough one to solve

Despite increased efforts to implement better cybersecurity, federal agencies continue to succumb to cyber attacks. Could more – or updated – policies stem the tide of these potentially devastating attacks?

The topic gained renewed prominenece in late October when the Energy Department’s inspector general noted in an audit that cyber attacks targeting federal agencies' systems and websites increased nearly 40 percent in 2010. DOE itself had failed to adequately protect its information systems from the cyber attacks that constantly probed the networks – this after spending “significant resources” on cybersecurity measures, according to the report, released Oct. 20.

It is no surprise that cybersecurity has become an increasingly urgent issue for federal agencies, with hackers and nation-states infiltrating the systems to extract sensitive information and data.

The Defense Department, in particular, has been a prime target for hackers: In June 2010, U.S. Cyber Command chief Gen. Keith B. Alexander said DOD’s systems were probed more than 6 million times a day.

There are policies and measures already in place to prevent these attacks. The National Institute of Standards and Technology, which provides cybersecurity standards and guidelines to the federal government, has a security control catalog with 18 safeguards and countermeasures that each agency is required to implement.

The approach that’s currently been taken is sort of the equivalent of telling employees, ‘when you come to work, don’t open any square blue boxes.’ But then someone sends in square red boxes, and they all get taken." --  Eugene Spafford.

Many people think a policy is  “just paperwork, but policies and procedures are critical for setting the tone and establishing the organization’s commitment to doing the right thing with regards to due diligence in the area of cybersecurity,” said Ron Ross, fellow and project leader of the Federal Information Security Management Act Implementation Project at NIST.

The policies can address many different areas, and they can be challenging. But if the policy is clear and follows the basic principles that are articulated in the NIST standards and guidelines – and if it’s implemented properly -- it should result in better cybersecurity for the organization, Ross said.

No policy, however, will do any good if individuals fail to recognize their part in keeping information and systems secure.

“A policy for education, training and awareness is very critical today because a vast majority of the attacks come through the web and email,” Ross said. “One of the principal areas we have to focus on is making sure that the folks who work within the federal agencies and contractors understand they play a very important role in the protection of these systems.”

Although technology continues to play a significant part of cybersecurity, “the days we thought technology could be the solution to all evils and problems are gone,” said Amry Junaideen, a principal at Deloitte & Touche and cybersecurity leader for the firm’s federal practice.

Most data breaches in the past have happened not because technology failed but because of a people aspect, which makes training and awareness training ever so important, he said. However, if any aspect -- such as governance, policy, process or people -- are missing, “you’re going to fail in terms of mitigating your risk,” Junaideen warned.

Full security comes from having “the right technology in the right places” coupled with an educated, well-trained workforce, he said.
“You [could] have the perfect technology and someone who’s not properly educated basically opens the backdoor and posts sensitive information on the Internet [or] on a file share that gets compromised. All of a sudden, your human being becomes the weakest link,” he said.

Eugene Spafford, a professor at Purdue University and founder and executive director of the Center for Education and Research in Information Assurance and Security, said the real problem is the belief that flawed systems can be secured retroactively, either by add-ons or by compelling users to act in ways they are not used to.

Even if agencies have policies to provide training, they are often too specific or too ambiguous, he said. For example, take the “don’t open any suspicious e-mails” approach. What exactly constitutes a suspicious e-mail message? Many of the social engineering attacks occurring today are designed to not look suspicious, Spafford said.

“The approach that’s currently been taken is sort of the equivalent of telling employees, ‘when you come to work, don’t open any square blue boxes.’ But then someone sends in square red boxes, and they all get taken,” he said.

The federal government’s efforts to transition to cloud-based services and technologies could also mean more security problems, he suggested. Following trends or big pushes to save money often mean that security issues fall lower on the priority ladder.

“That’s partly why we have vulnerable systems today, because the idea was, ‘we’ll buy whatever is the cheapest thing on the market’ to save money rather than actually thinking through building a strong, secure infrastructure,” Spafford said.