5 ways the U.S. government can get security right
- By John Bradley
- Nov 23, 2015
First there was the situation with Hillary Clinton’s official email, some of which was stored on a private server. In May, the IRS disclosed the theft of information on more than 100,000 Americans. And in June, the records of more than 21 million people -- including Social Security numbers, birthdates and security-clearance information -- were stolen from the Office of Personnel Management, making it one of the largest breaches in U.S. history.
And these security incidents are just the tip of the iceberg. A survey this spring of 1,800 federal information security professionals revealed that the government’s security posture hasn’t improved over the past two years. Another recent survey found that the biggest threat to federal cybersecurity is the “negligent insider,” followed by zero-day attacks, mistakes by government contractors and then failure to patch known vulnerabilities. And the Government Accountability Office published data on Sept. 29 that found 15 to 24 federal agencies had persistent weaknesses in cybersecurity in 2013 and 2014.
So, what should the U.S. government do to tackle this problem head on? Here are five ways to improve the cybersecurity of the federal government:
1. Get control of BYOD and shadow IT
Hillary Clinton isn’t the only official to mingle official and personal emails. Mobile security firm Lookout analyzed its user base and found more than 14,600 devices associated with government networks. The company surveyed more than 1,000 federal employees in June and found that half of them have used personal devices to get email; almost as many had downloaded work documents on those devices. While more than half said they were aware of the risks of using personal devices at work, 85 percent admitted to doing it anyway.
Agency IT managers should inventory the devices and applications employees are using, and take advantage of software that helps enforce compliance policies and monitor usage of and access to government data and systems. There are also great tools, like Google’s Android for Work, that allow for managed partitions so employees can have personal email separate from work email on the same device, enabling agencies to better enforce data loss prevention rules.
2. Train federal employees to follow best security practices
Whether it’s reminding workers (including high-level officials) to avoid clicking on phishing emails or requiring IT to patch systems right after updates are available, IT managers can’t do too much training in the workplace. The IT department is expected to understand what’s at stake with poor security practices, but end users may not. That’s why reaching them with that message and security tips they can easily follow is vital.
Posting reminders in public areas, sending test phishing emails and providing incentives all are likely to accomplish more than a mere mention in a new employee policy manual. Phishing of government employees is a particularly insidious problem because a victim’s list of contacts can easily lead to more sensitive government accounts. I recently received a very legitimate-looking phishing email from a government official I know whose LinkedIn account had been compromised. Social networks are a handy tool for scammers looking to leverage professional associations.
Meanwhile, the SANS Institute’s list of Top 20 Critical Security Controls is a great checklist that, if followed, will help IT admins stop most of the attacks out there. And new security standards are emerging all the time. For instance, the National Cybersecurity Center of Excellence released a guide for controlling user access to systems based not on role or job title but on user attributes, such as certifications, IP address, group, employee status, etc. This will make it easier for IT departments to terminate network access instantly for the thousands of employees who leave the payrolls every year.
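To make the attribute-based idea concrete, here is an added example (not from the article, and not the NCCoE guide’s reference implementation) of an access check that decides on attributes rather than a job title. The subject, rule, directory, resource name, group, certification and network values are all constructed for illustration. Because every request is re-evaluated against current attributes, flipping a single HR-sourced status to “terminated” cuts off access at once, with no per-system role assignments to chase down.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example of attribute-based access control (ABAC).
# Not the NCCoE guide's code; a minimal illustration of the idea it describes.


@dataclass(frozen=True)
class Subject:
    user: str
    status: str                 # "active" or "terminated", sourced from HR
    groups: frozenset
    certifications: frozenset
    source_ip: str              # taken from the request, not stored


@dataclass(frozen=True)
class Rule:
    resource: str
    required_groups: frozenset = frozenset()
    required_certs: frozenset = frozenset()
    allowed_networks: tuple = ()   # CIDR strings; empty means any network


def evaluate(rule: Rule, subject: Subject) -> tuple:
    """Return (allowed, reason). Every attribute is checked on every request,
    so a change in any one of them takes effect immediately."""
    if subject.status != "active":
        return False, f"{subject.user}: status is {subject.status}"
    missing = rule.required_groups - subject.groups
    if missing:
        return False, f"{subject.user}: missing groups {sorted(missing)}"
    missing = rule.required_certs - subject.certifications
    if missing:
        return False, f"{subject.user}: missing certifications {sorted(missing)}"
    if rule.allowed_networks:
        ip = ip_address(subject.source_ip)
        if not any(ip in ip_network(net) for net in rule.allowed_networks):
            return False, f"{subject.user}: {subject.source_ip} is outside the allowed networks"
    return True, f"{subject.user}: all attributes satisfied for {rule.resource}"


class Directory:
    """Hypothetical attribute store fed by HR. Terminating a user changes one
    attribute; nothing has to be cleaned up in each downstream system."""

    def __init__(self):
        self._subjects = {}

    def add(self, subject: Subject) -> None:
        self._subjects[subject.user] = subject

    def terminate(self, user: str) -> None:
        s = self._subjects[user]
        self._subjects[user] = Subject(s.user, "terminated", s.groups,
                                       s.certifications, s.source_ip)

    def from_request(self, user: str, source_ip: str) -> Subject:
        """Combine stored attributes with the request's source address."""
        s = self._subjects[user]
        return Subject(s.user, s.status, s.groups, s.certifications, source_ip)


# Constructed rule: a payroll database reachable only by active finance staff
# who completed privacy training and are on the internal network.
PAYROLL_RULE = Rule(resource="payroll-db",
                    required_groups=frozenset({"finance"}),
                    required_certs=frozenset({"privacy-training-2015"}),
                    allowed_networks=("10.0.0.0/8",))


def demo() -> list:
    """Three decisions for the same user: on-network, off-network, after termination."""
    d = Directory()
    d.add(Subject("jdoe", "active", frozenset({"finance"}),
                  frozenset({"privacy-training-2015"}), "10.1.2.3"))
    results = [evaluate(PAYROLL_RULE, d.from_request("jdoe", "10.1.2.3"))[0]]     # allowed
    results.append(evaluate(PAYROLL_RULE, d.from_request("jdoe", "203.0.113.9"))[0])  # off-network
    d.terminate("jdoe")
    results.append(evaluate(PAYROLL_RULE, d.from_request("jdoe", "10.1.2.3"))[0])   # terminated
    return results


if __name__ == "__main__":
    print(demo())
```

The decision function returns a reason with every denial so that the same call can feed an audit log; a real deployment would pull the attributes from an HR system and a directory service rather than an in-memory dictionary.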
3. Federate identity for employees, partners and contractors and use multifactor authentication
One of the biggest problems in security today is the requirement that users remember a password for each network, website, application and service they use. People end up choosing weak passwords and re-using them, which gives hackers the key to other unrelated systems. So far, attempts to provide federated and managed identities that rely on trusted digital credentials and single sign-on, like connect.gov, have languished. Meanwhile, money spent on multi-factor authentication for government, including personal identity verification smartcards that were mandated more than a decade ago, has not translated into broad use.
OAuth and other protocols enable provisioning tokens that allow government to enforce multifactor authentication for email clients. There are tools in place to improve security across systems and users, but they are useless if no one uses them.
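As an added example (not from the article and not Ping Identity’s or connect.gov’s code), the following shows the shape of the token check that lets a mail server enforce multifactor authentication: the identity provider records which authentication methods were completed in the token’s amr claim (RFC 8176), and the mail server rejects any token issued after a password-only login. The issuer, audience, user name and signing key are constructed; the token is a self-made HS256 JWT so the block runs with the standard library alone, whereas a real deployment would use asymmetric signing keys and a maintained JWT library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: an HMAC-signed bearer token with an "amr" claim
# (Authentication Methods References, RFC 8176) and a mail server that
# accepts it only if a second factor was used. All names below are made up.

IDP_ISSUER = "https://idp.example.gov"        # hypothetical identity provider
MAIL_AUDIENCE = "mail.example.gov"            # hypothetical email service
# RFC 8176 method values: one-time password, hardware key, smartcard, fingerprint
SECOND_FACTORS = {"otp", "hwk", "sc", "fpt"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, amr: list, now: int = None,
                lifetime: int = 3600) -> str:
    """What the identity provider hands an email client after login.
    amr lists the authentication methods the user actually completed."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": MAIL_AUDIENCE,
              "iat": now, "exp": now + lifetime, "amr": amr}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(key: bytes, token: str, now: int = None) -> dict:
    """Validate the signature before trusting any claim, then check issuer,
    audience and expiry. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")   # the verifier fixes the algorithm, never the token
    claims = json.loads(_b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != MAIL_AUDIENCE:
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims


def mail_server_authorize(key: bytes, token: str, now: int = None) -> tuple:
    """Mail server policy: a valid token AND at least one second factor in amr."""
    try:
        claims = verify_token(key, token, now)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    used = set(claims.get("amr", []))
    if not used & SECOND_FACTORS:
        return False, f"rejected: {claims['sub']} used {sorted(used) or 'no recorded methods'} only"
    return True, f"accepted: {claims['sub']} via {sorted(used)}"


if __name__ == "__main__":
    key = b"constructed-demo-key"
    for methods in (["pwd"], ["pwd", "otp"]):
        token = issue_token(key, "jdoe", methods)
        print(mail_server_authorize(key, token))
```

The point of the amr check is that the password-only login is still a valid login at the identity provider; it is the mail server, as the relying party, that declines to serve a token whose claims show no second factor, which is what makes the requirement enforceable rather than advisory.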
4. Use strong encryption
This may seem like a no-brainer, but using strong encryption will protect data from network intruders and protect laptops and mobile devices if they are lost or stolen. However, security must extend beyond laptops and phones. The OPM, for example, said it couldn’t use encryption to protect its sensitive files because the computers storing the data were so old they couldn’t support newer versions of encryption programs.
Disk encryption can protect mobile devices, and for equipment used by high-level officials firmware passwords can prevent the machine from being reset or booted up.
5. Offer bug bounties
Government officials complain that there aren’t enough qualified security professionals being hired, but they are ignoring a large community of independent security researchers who could be helpful in finding weaknesses in government systems. Private companies are adopting bug bounty programs that compensate hackers for disclosing vulnerabilities in software, services and websites. These programs not only motivate hackers to report security problems, but they greatly improve the chances that organizations and corporations will be able to find and fix security holes before the bad guys find them. If the U.S. government is willing to pay for vulnerabilities that law enforcement can exploit for surveillance and anti-terrorist purposes, it should also pay to find weaknesses in its own systems to help defend against attacks.
Cybersecurity may seem like a technical problem, but changing cultural processes and systems that are decades old takes strong leadership, drive and commitment. Unfortunately, change doesn’t happen quickly in government. If we landed humans on the moon but can’t be bothered to use multifactor authentication, we shouldn’t whine about getting compromised by hackers in China or Russia. It’s time now to take a giant leap for security.
John Bradley is senior technical architect, Ping Identity.