
Private sector should learn from government insecurity

The State Department hearings drew attention to the serious security problems that plague government networks. Federal security improvements will help push private sector progress.

"I believe the infiltration by foreign nationals of federal government networks is one of the most critical issues confronting our nation. Over time, the theft of critical information from government servers could cost the United States our advantage over our adversaries."

Those were the words Rep. James Langevin, D-R.I., used to describe the dire state of information security inside the Beltway. At a hearing of the House Subcommittee on Emerging Threats, Cybersecurity, Science and Technology, Langevin, other lawmakers and private sector security experts listened as officials from federal agencies described a string of deep, and deeply troubling, penetrations of government networks in recent months. In particular, the witnesses at the hearing talked in detail about attacks at the Department of State and the Department of Commerce last year that went undetected for some time. The State attack is thought to have started in Asia, and while officials have not said so publicly, the attackers are believed to have made off with some sensitive U.S. data. And it started with a department staffer opening a phishing mail that contained a Trojan.

This incident says a lot of things about the security of our government's networks, and none of them is good. The fact that phishing emails are getting through to end users is a bad sign, as is the fact that federal employees don't have enough security awareness to ignore them. But those really are low-level concerns in the grand scheme of things. The bigger issue here is how far down the priority list cybersecurity is in Washington. It just does not get enough attention to allow advocates to push for more funding and resources. And this is not a partisan issue either; both parties are equally culpable.

But, despite all of the bad news coming out of this hearing and other corners of Washington, I believe that for the first time in recent memory there is some cause for optimism on this front. Perhaps the main reason for hope is the simplest one: The Office of Management and Budget in March sent out a memo to all of the CIOs at federal agencies, informing them that they had until Feb. 1, 2008, to begin running Windows XP and Vista in secure configurations. The term "secure configuration" can mean any number of things, but in this context it has a precise definition. The agencies will be required to use a set of secure configurations for Windows that the Air Force developed with the help of Microsoft, the National Institute of Standards and Technology, DHS, the Defense Information Systems Agency and the NSA.

About Behind The Firewall:
In his weekly column, Executive Editor Dennis Fisher sounds off on the latest issues affecting the information security community. 


The agencies must submit their plans to OMB by May 1, and this is no small task. The document must contain the following:

  • Testing configurations in a non-production environment to identify adverse effects on system functionality;
  • Implementing and automating enforcement for using these configurations;
  • Restricting administration of these configurations to only authorized professionals;
  • Ensuring new acquisitions by June 30, 2007, to include these configurations and require information technology providers to certify their products operate effectively using these configurations;
  • Applying Microsoft patches available from DHS when addressing new Windows XP or Vista vulnerabilities;
  • Providing NIST documentation of any deviations from these configurations and rationale for doing so; and
  • Ensuring these configurations are incorporated into agency capital planning and investment control processes.

I think it's a fair guess that most enterprise CIOs could not say with a straight face that they meet all of these criteria. And that, really, is the crux of all of this. If the federal agencies go ahead with this, which it looks like they will, and software and hardware vendors begin using these configuration guidelines as a template for setting up their products, then IT managers and CIOs in the private sector can begin demanding the same set-ups. Some large companies have been using their purchasing power to this effect for a few years now, but it has not happened on a large scale yet. That may change soon.

Another reason that things are looking up for federal security is that many key agencies now have people who get it in positions where they can make a difference. OMB is a perfect example. Karen Evans, who runs the office of e-government and information technology at OMB, effectively oversees all of the IT implementations for the federal government. The former CIO of the Department of Energy, Evans is widely respected in both Washington and the private sector and has been one of the prime behind-the-scenes movers in the push to bring government security up to date. In short, when Evans speaks, people listen. (Others on this list include Tony Sager of the NSA and, yes, Greg Garcia at DHS.)

And let's not overlook the significance of the attacks on the State Department, either. If there's anything positive that can come out of this incident, it's the attention it has drawn to the serious security problems that still plague government networks. The House subcommittee hearing alone is a good indication of the direction in which things are moving. Legislators paying attention to cybersecurity is as rare as a comfortable August day in Washington, and Langevin and the rest of the subcommittee deserve credit for bringing the problem into the light. Hopefully, this time it will stay there and not be thrown back into a dark corner.
