"I believe the infiltration by foreign nationals of federal government networks is one of the most critical issues confronting our nation. Over time, the theft of critical information from government servers could cost the United States our advantage over our adversaries."
Those were the words Rep. James Langevin, D-R.I., used to describe the dire state of information security inside the Beltway. At a hearing of the House Subcommittee on Emerging Threats, Cybersecurity, Science and Technology, Langevin, other lawmakers and private sector security experts listened as officials from federal agencies described a string of deep, and deeply troubling penetrations of government networks in recent months. In particular, the witnesses at the hearing talked in detail about attacks at the Department of State and the Department of Commerce last year that went undetected for some time. The State attack is thought to have started in Asia and while officials have not said so publicly, the attackers are believed to have made off with some sensitive U.S. data. And it started with a department staffer opening a phishing mail that contained a Trojan.
This incident says a lot of things about the security of our government's networks, and none of them is good. The fact that phishing emails are getting through to end users is a bad sign, as is the fact that federal employees don't have enough security awareness to ignore them. But those really are low-level concerns in the grand scheme of things. The bigger issue here is how far down the priority list cybersecurity is in Washington. It just does not get enough attention to allow advocates to push for more funding and resources. And this is not a partisan issue either; both parties are equally culpable.
But, despite all of the bad news coming out of this hearing and other corners of Washington, I believe that for the first time in recent memory there is some cause for optimism on this front. Perhaps the main reason for hope is the simplest one: The Office of Management and Budget in March sent out a memo to all of the CIOs at federal agencies, informing them that they had until Feb. 1, 2008, to begin running Windows XP and Vista in secure configurations. The term "secure configuration" can mean any number of things, but in this context it has a precise definition. The agencies will be required to use a set of secure configurations for Windows that the Air Force developed with the help of Microsoft, the National Institute of Standards and Technology, DHS, the Defense Information Systems Agency and the NSA.
The agencies must submit their plans to OMB by May 1, and this is no small task. The document must contain the following:
I think it's a fair guess that most enterprise CIOs could not say with a straight face that they meet all of these criteria. And that, really, is the crux of all of this. If the federal agencies go ahead with this, which it looks like they will, and software and hardware vendors begin using these configuration guidelines as a template for setting up their products, then IT managers and CIOs in the private sector can begin demanding the same set-ups. Some large companies have been using their purchasing power to this effect for a few years now, but it has not happened on a large scale yet. That may change soon.
Another reason that things are looking up for federal security is that many key agencies now have people who get it in positions where they can make a difference. OMB is a perfect example. Karen Evans, who runs the office of e-government and information technology at OMB, effectively oversees all of the IT implementations for the federal government. The former CIO of the Department of Energy, Evans is widely respected in both Washington and the private sector and has been one of the prime behind-the-scenes movers in the push to bring government security up to date. In short, when Evans speaks, people listen. (Others on this list include Tony Sager of the NSA and, yes, Greg Garcia at DHS.)
And let's not overlook the significance of the attacks on the State Department, either. If there's anything positive that can come out of this incident, it's the attention it has drawn to the serious security problems that still plague government networks. The House subcommittee hearing alone is a good indication of the direction in which things are moving. Legislators paying attention to cybersecurity is as rare as a comfortable August day in Washington, and Langevin and the rest of the subcommittee deserve credit for bringing the problem into the light. Hopefully, this time it will stay there and not be thrown back into a dark corner.