What is the government's weakest cyber security link?

In an interview with a blogger earlier this year, Colonel Gary McAlum, a cybersecurity expert and former chief of staff of US Strategic Command’s Joint Task Force Global Operations, identified what he considered a weak point in the government's cyber security: government contractors.

"The federal government hasn’t always done a very good job of defining what they need contractors to do and what level of performance they need to provide in the area of cybersecurity," he told the blogger. "However, you are going to see acquisition regulations being modified and contracts modified over time to be much more specific, and companies will continue to provide highly skilled and certified personnel. All of which is good and needed. However, contractors should continue to realize that they are being targeted by the same cyber threats that are focused on government networks by virtue that they are doing business with the government. They should focus on securing their networks and protecting information as much as the government is trying to do and, wherever possible, demonstrate excellence and innovation."

Tom Davis, a former Representative from Virginia, echoed these points yesterday during a panel for the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security.

"We have many cases of contractors taking computers home," Davis told the committee. "In one case an employee took a computer home and it wasn't even encrypted. We've lost sensitive information because we have people leaving their offices with laptops ... we should be making it hard for [cyber criminals], not making it easy."

He said that part of the problem is that contractors are often hired "ad hoc" from different government agencies, with very little inter-agency communication. When asked what key players the government should emulate, Davis pointed to the banking industry, which he said is constantly having to deal with these security issues.

In the second panel, John Streufert, a Chief Information Security Officer in the State Department, argued that cumbersome red tape often stands in the way of an effective cyber security strategy.

"Ongoing demands for Certification and Accreditation studies every three years are the most problematic for our goals," he said. "The Department spent $133 million over the last six years amassing a total of 50 shelf feet, or 95,000 pages, of final C&A documentation for about 150 major information systems. The electronic working files that support this process over the same period contain 18 gigabytes of documents with over 33,000 working files. This does not include databases for tracking system inventory, and tracking plans of action and milestones to pending weaknesses."

He said that all these reports come to a cost of roughly $1,400 a page, and that they produce results on paper "which are often extraordinarily accurate but out of date within days of being published and are only indirectly connected to the new threats heading toward the Department minute to minute."

One solution to this, he said, was the adoption of a system called CyberScope, which he described as a "secure, streamlined, interactive data collection platform" that provides more efficient reporting and allows analysis across federal agencies.

Though the two panelists addressed different weaknesses, each weakness essentially amounts to an obstacle to more efficient government cyber security. Many experts agree that until we have an efficient, comprehensive system across all agencies, we won't be truly safe from cyber security threats.
