The fantasy and reality of government security

In the movies the government has always got the best toys, the cutting-edge technology and the tightest security standards.

Those who have worked on security projects within the government know that in real life government security standards and implementations can vary all across the range from quite serious to laughable.

Over the last few years, in fact, U.S. government departments have been earning poor or failing grades on cyber security. This may be about to change with a US$355 million investment in government cybersecurity included in the recently passed stimulus act. It’s about time too: Just last week a private company notified the government that they had discovered the blueprints for Marine One (the President’s helicopter) on a filesharing network node in Iran.

If we believe the movies then a file as sensitive as the blueprints for the presidential helicopter fleet would be encrypted, biometrically protected and stored in a bunker at an undisclosed location. It’s a bit unfair to bash government security in this case because the file was leaked from the desktop of an employee of a private contractor.

Because the vast majority of this type of work is outsourced, the security depends as much on enforcement of standards at third parties as it does on the security within government. But we have to wonder: why wasn’t encryption required for this type of file? Why was this type of file allowed on an unmanaged desktop? And why was peer-to-peer software installed on the same desktop?

Most U.S. federal systems are moving to compliance with the Federal Desktop Core Configuration (FDCC) standard. This standard requires that desktops meet certain configuration standards that effectively “lockdown” the desktop. Even without the FDCC standard however, it is hardly a leap of imagination to expect defense contractors to disallow P2P software and remove administrator privileges from users. This was not just a breach of security by one employee, but more a complete lack of controls in the contractor’s IT department.

Security inside the government or in the contractors used by the government is not uniform or consistent. That in itself is part of the problem. Numerous studies have shown that the vast majority of security breaches originate with a few well known security vulnerabilities. The golden rule of security therefore applies: Fix the top problems and remove 80 per cent of the risk. Then focus on the more difficult 20 per cent.

Hopefully the government investment in cybersecurity will be focused on the top risks and on security with outsourcers and contractors not just federal systems.

-Andreas Antonopoulos is a senior vice-president at Nemertes Research of Mokena, Ill.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now