White House pushes government cybersecurity changes

As the estimated number of current and former federal employees affected by the OPM data breach triples, the White House pushes new government cybersecurity changes to avoid another breach.

The OPM breach, revealed earlier this month, reportedly took place in April. The original estimates claimed as many as four million federal employees' records may have been affected. More recent estimates from investigators said as many as 14 million records may have been compromised, including those of current and former federal employees as well as contractors.

In response, the White House is pushing the "30-day Cybersecurity Sprint" in an effort to get various government agencies to take "aggressive actions to upgrade the federal government's technology infrastructure and protect government networks and information, implementing tools and policies."

According to reports, these government cybersecurity steps include immediately patching any vulnerabilities; restricting privileged user access to sensitive information; requiring multi-factor authentication procedures to access federal networks; and employing electronic "indicators" provided by the Department of Homeland Security to highlight when attacks happen.

Adam Meyer, chief security officer at SurfWatch Labs, said these changes do not go far enough to protect federal data.

"They amount to a list of basic best practices that have been commonplace for a long time," Meyer said. "What this tells me is they have a problem with basic cyberhygiene and that is likely a symptom of a larger culture problem that disregards security needs."

When the news of the OPM breach was released, questions were raised about the effectiveness of the Department of Homeland Security's (DHS) intrusion detection system, known as EINSTEIN, because the DHS admitted it "cannot currently detect or protect against new threats until they are identified and an associated signature is developed and entered into the system."

The current White House proposal does not appear to include steps to improve EINSTEIN. Meyer said this wasn't necessarily a surprise, but that DHS should take steps to make the system more proactive.

"With drawn out requirements and procurement cycles, it is not surprising that the DHS system is behind the curve and this can create a false sense of security," Meyer said. "EINSTEIN is just a monitoring system and at the end of the day, the asset owners need to take action on the alerts that the system is generating in a timely fashion. This is likely why the current system is only practicing 'observe and report' rather than a more aggressive action."


What do you think of the proposed cybersecurity changes?
It is not possible to logistically secure the Internet, so any approach to trying new ways to secure it starts from a false foundation. Our government knows this but continues to expose the American people to danger. Read The Abilene Net.
We should have been aggressively putting resources into cyber security for US infrastructure, US govt agencies for over 15 years.  In 1998 China declared cyberwar on the US under the disguise of "students"; the Honkers Union led by the Lion. This hit all the wire services.  Of course the Lion was also major in the PLA army.  Now China openly admits this April they have 2 divisions and elite cyber groups that specialize in cyber warfare.  We only have one if that; come on 30 days is not enough to secure govt infrastructure; we have been under attack for 15 years; hello US govt, catch a clue.  "Awake the sleeping giant"
Two components are missing from government system security: 1) the will to enforce regulatory requirements and 2) adequate funding. Frequently, when there is a standoff between system security and operational necessity, security is asked to step aside or look the other way. On the funding side, the government excels at providing regulation, directives, and guidance for securing systems but fails to take into account funds necessary to become compliant. The 30-day sprint is just lipstick on a pig.
Some of these 30-day fixes show how far behind some areas of the government are when it comes to understanding the seriousness of having security in place.
You can say that again. The government really needs to have some kind of plan for regular migration of many of its IT systems instead of treating them as one-time purchases too. It should be part of the fixed budget.