Government IT security: Running to stand still

This article has been updated to correct the job title for Joji Montelibano.

Information security in government has improved in the last year, according to a panel of government officials speaking June 14 at the Symantec Government Symposium.

“I believe that we are better today than we were six months ago,” said Rear Adm. Mike Brown, assistant secretary for cyber and communications at the Homeland Security Department.

But that doesn’t mean we are staying ahead of the bad guys, said Joji Montelibano, Insider Threat Technical Team Lead at the Software Engineering Institute CERT program at Carnegie Mellon University. “We’re getting better, but so are they. It’s a different game.”

Related stories:

Stuxnet is not Superworm, researcher says

Nation's cybersecurity suffers from a lack of information sharing

Protecting a government IT system in a rapidly evolving threat landscape is much like running a race in Lewis Carroll’s Looking-Glass land: It takes all the running you can do to stay in the same place.

Defenses might have improved, but the people who are attacking government systems are improving more, said Matthew Stern, program director at US-CERT. “We’re on the backslide, and we have to do something disruptive” to halt the efforts of hackers. “We need to drive up the risk and drive down the reward.”

One of the keys to getting ahead of the bad guys is to improve information sharing and cooperation among agencies, and between government and the private sectors, panelists said.

“We’re doing a much better job across government of correlating with each other” and cooperating with industry, said Sherrill Nicely, CIA deputy chief information officer. But the wide variety of roles within government and differences between government and industry still are creating barriers to effective, timely information sharing.

“It’s a matter of trust,” Stern said. A lot of sharing is being done on a personal basis through backchannels, but institutionalizing that personal trust is not easy.

The freedom of the bad guys to collaborate and share information puts the defenders at a disadvantage, particularly in a threat landscape that has changed profoundly in the last year, said Symantec president and CEO Enrique Salem.

The emergence of the Stuxnet worm in July 2010 was one of the biggest shifts, Salem said. “This was the first time we saw a move away from espionage to sabotage.” But he is confident it will not be the last. “Once you see an attack like this, others will follow.”

Although the numbers of vulnerabilities and exploits continue to rise, attacks are becoming more targeted. Salem said that three quarters of attacks now hit fewer than 50 computers. That might be good news in terms of volume, but it illustrates a trend that has led to a spate of high-profile breaches of government and contractor systems in the past year, with a new one cropping up seemingly every week.

The use of socially engineered attacks to gain access to IT systems and the theft of intellectual property from high-value targets are among the greatest threats facing agencies today, panelists said. The use of social engineering is blurring the line between insider threats and those coming from outside the network perimeter, because the attacker often can operate in the enterprise with legitimate, if improperly obtained, privileges.

While sharing information between organizations remains a challenge, sharing information within organizations often is just as difficult, said Montelibano. Legal and organizational barriers between departments, including human resources, security and information assurance, make it difficult to identify behavior that should be monitored, he said.

About the Author

William Jackson is a Maryland-based freelance writer.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.