Warning: Infrastructure not ready for imminent cyber attacks

Survey respondents say chance of attack is high, but preparedness is low

An information technology security strategy based on regulatory compliance has left agencies ill-prepared to respond to a constant stream of cyber attacks, according to a recent survey of federal information technology officials commissioned by Lumension Security.

“The government view of compliance is very prescriptive,” said Matt Mosher, Lumension's senior vice president for the Americas. “They take security seriously because they are under attack. The government’s reaction is to drive security through compliance.”

The survey was conducted in February by Clarus Research Group for Lumension and included interviews with 201 government IT decision-makers. The respondents painted a picture of a government IT infrastructure that already is under attack. One-third said they had experienced an attack by a foreign nation or terrorist organization in the past year, and 61 percent rated the likelihood of such an attack in the next year as high (among those who work in national defense a security agencies, it was 74 percent). The growing volume and sophistication of the threats is a primary concern.

But 42 percent of survey respondents rated the government’s ability to prevent or respond to attacks on IT systems as fair or poor. Only 6 percent rated the ability to respond as excellent.

Defining an attack and identifying its source is difficult, however. Mosher said that an attack was considered any kind of systematic activity that had to be addressed, and not necessarily a successful exploit or a breach of a system.

Attribution of the source of an attack often is uncertain. Although federal IT officials were concerned primarily about threats from nation-states and terrorists, rather than criminal activity, it is difficult to assign a motive or a point of origin to an attack or a probe of government systems. However, Mosher said, “I am sure the government has some sense of where these things are emanating from.”

The inability to adequately secure systems is due in part to the complexity of the infrastructure being defended. “We have so many pieces of infrastructure, that to think they are all are being handled appropriately is hard to believe,” Mosher added.

Still, a majority of survey respondents said they still felt more confident of their IT security today than a year ago because of improved technology, better collaboration between IT operations and security officials, and internal compliance and audit requirements. Ironically, increasing audit burdens and a lack of resources were identified as major challenges in meeting compliance requirements.

Mosher said security is a continuous process rather than an end-state or an event, and that compliance with security regulations does not reflect this.

“As long as compliance is an event, they are always going to be disappointed with the results,” he said.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • power grid (elxeneize/Shutterstock.com)

    Electric grid protection through low-cost sensors, machine learning

Reader Comments

Thu, Apr 8, 2010 Mark Massey

Security comes from a state of mind, an approach toward daily operations not just standards, firewalls, and all of the realatively mechancial parts of the problem. The vast majority of real problems come from actions taken by PEOPLE. People need to be trained and trained some more until secure IT practices are natural, not add-ins. Most IT security issues are relatively easy to defend with today's technology IF there are no human mistakes. We as technologists tend to forget this!Train staff and users into thinking and acting securely and the jobs of the hackers and attackers are much more difficult!

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group