Advisory Panel Offers Suggestions To Strengthen US Cybersecurity, But Is The Government Capable Of Change?

from the is-government-too-big-to-learn? dept

The President's Council of Advisors on Science and Technology (abbreviated unfortunately as PCAST) has just released a report dealing with the nation's hottest topic since terrorism: cybersecurity. The report's writers include a host of professors from a variety of scientific pursuits, along with a few corporate figures from the tech world, including Google's Eric Schmidt and Microsoft's Craig Mundie.

The report's suggestions aren't half-bad.

Overarching Finding: Cybersecurity will not be achieved by a collection of static precautions that, if taken by Government and industry organizations, will make them secure. Rather, it requires a set of processes that continuously couple information about an evolving threat to defensive reactions and responses.
What's being suggested makes sense. But logic means nothing when confronted with bureaucratic processes. The government, as a whole, isn't a nimble beast. "Static precautions" are top speed for the behemoth. Turning it into a swift, reactive entity may be an impossibility.

Evidence of the government's inability to craft functioning and secure software exists everywhere. Currently, everyone's attention has been drawn to the government's healthcare site, which has been plagued with problems since it went live and weeks later, after an overhaul, still underperforms and plays fast and loose with personal data.

Entities where cybersecurity is even more crucial aren't much better. It took the FBI more than decade and several hundred million dollars (spread across two contractors) to come up with functioning software. The DEA is still using Windows Server 2003, despite the NSA's warnings that the outdated software contains serious security flaws. The Pentagon's network of unrelated computers is even worse. According to a Reuters investigation, the Pentagon still relies on a variety of different computers, some dating back to the 1970s. Ancient file formats and arcane file management processes make searching for older records a nightmare.

So, nimble the government is not. PCAST's recommendations do use a lighter tone than the multiple damning GAO reports covering the same ground, but the underlying message is the same. The government may be able to improve, but it seldom shows the desire to, as the first finding points out.
Finding 1: The Federal Government rarely follows accepted best practices. It needs to lead by example and accelerate its efforts to make routine cyberattacks more difficult by implementing best practices for its own systems.
This is a non-starter, as years of failing grades from GAO investigators can attest. Problems that existed a half-decade ago still exist today. Each subsequent report says the same thing: recommendations were made but little evidence was uncovered that these suggestions were ever communicated to those responsible, much less deployed.
Finding 2: Many private-sector entities come under some form of Federal regulation for reasons not directly related to national security. In many such cases there is opportunity, fully consistent with the intent of the existing enabling legislation, for promoting and achieving best practices in cybersecurity.
This one has problems as well. What this looks like is an invitation for the government to use the heavy hand of regulation to force private entities to rise to a level of security the government itself is unwilling to obtain.

The government should use its existing powers to ensure private entities protect the sensitive data it gathers on Americans during the course of business (rather than use this as an opportunity to expand power, as the report points out), but it's highly hypocritical to hold businesses to a higher standard than it applies to itself.
Finding 3: Industry-driven, but third-party-audited, continuous-improvement processes are more likely to create an effective cybersecurity culture than are Government-mandated, static lists of security measures.
This goes back to the overarching finding.
Finding 4: To improve the capacity to respond in real time, cyberthreat data need to be shared more extensively among private-sector entities and—in appropriate circumstances and with publicly understood interfaces—between private-sector entities and Government.
For this to work best, this needs to be voluntary (and encouraged by proper incentives), rather than presented as "mandatory" (or worse, "compelled") -- especially in terms of feeding info to the government. Private entities may also be reluctant to share with others in their own field for fear of exposing sources or methods. This, too, is problematic and cannot be solved simply by attempting to legislate the reluctance away.
Finding 5: Internet Service Providers are well-positioned to contribute to rapid improvements in cybersecurity through real-time action.
Of all the things I'm worried about in this list of suggestions, this is my chief concern. Everything said here is true. ISPs are in a better position to gain unique insight on attacks. The problem is, when faced with the daunting task overhauling its own processes and practices, the government may instead decide to toss the problem to ISPs and let them do the work -- and shoulder the blame.

Once again, this needs to lean towards voluntary to have any chance at success. A utopian projection would see industry and the government working hand-in-hand to repel cyberattacks. But buck-passing and scapegoating usually falls heavily on the private sector in the event of a failure -- the sort of thing that doesn't engender cooperative relationships.
Finding 6: Future architectures will need to start with the premise that each part of a system must be designed to operate in a hostile environment. Research is needed to foster systems with dynamic, real-time defenses to complement hardening approaches.
This is solid advice as well, but doing so will mean more thoroughly vetting potential contractors, as well as carefully overseeing each step of the process. Again, history shows us that government agencies are willing to hire contractors despite their past (often massive) failures. If a responsive, secure system is going to be built, it needs to be done by the right people and tested thoroughly throughout development. It can't just be tossed to the lowest bidder and peeked in on occasionally. That's how you end up with a $500 million system that has to be scrapped as soon as it goes live.

The problem with recommendations like these is that it's almost guaranteed they will never be acted upon with any sincerity. They may get folded in with half-baked efforts aimed at cybersecurity, but what's being recommended is fundamental change.

Lawmakers have pushed various versions of cybersecurity legislation, almost all of which is aimed at gutting protections in the private sector and increasing government power. The biggest torchbearers for the "cyberwar" threat helm agencies that have vested interests in weakening private sector security. The government is largely unwilling to clean up its own backyard and this report, no matter how on point or well-written, won't change that.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, pcast

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Anonymous Coward, 10 Dec 2013 @ 4:49pm

    Meet the new boss--same as the old boss

    I've worked in security for decades. I've seen the reports, the committees, the laws, the regulations, the procedures, the checklists, the audits, the initiatives, the roundtables, the mandates, I've seen it all.

    None of it has ever worked. It's not working. It's not going to work.

    What works is giving authority to experienced hard-nosed people and letting them do what they know how to do.

    Let me give you an example. Most people know about Spamhaus because of their anti-spam blacklists -- which are quite good, albeit insufficient. But one of the things that Spamhaus also does is publish the DROP (Do not Route Or Peer) list. It's a list of network allocations that are 100% given over to known spammers, phishers, and abusers. They update it frequently. I've used it and checked it for years and have never found a mistake in it -- that is, they're thorough.

    As a result, it is presently a BCP in network defense to refuse to accept or send traffic to networks on the DROP list. Not filter it. Not check it. Not sanitize it. Just drop it on the floor and move on.

    Exercise for the reader: try to find any government agency at any level (federal, state, local) in the US that is actually doing this.

    That is one of several hundred egregious mistakes that are being made on a daily basis -- which is why the report cited here will, in the end, simply be another in a long line of total failures. What's needed aren't more reports: what's needed are people to whom things like the DROP list are second nature, things they do automatically.

    Otherwise, well, "government IT security" will continue to be the laughingstock of the world.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.