Federal agency leaders fall behind hackers in security expertise

Featured eBooks
Whole-of-State Cybersecurity
The State of Trust in Government
Cybersecurity in State and Local Government
By Jonathan Ewing
 

Connecting state and local government leaders

By Jonathan Ewing

|

Federal systems and network security managers who often lack adequate training for their jobs are finding it nearly impossible to fight numerous and increasingly sophisticated cyberattacks. The Defense Department sounded a wake-up call last year during its Eligible Receiver 97 exercise. Before DOD network managers were out of their beds one Monday morning, they were hit with the news that several DOD systems had been maliciously hacked into the night before, and the security of data

Federal systems and network security managers who often lack adequate training for
their jobs are finding it nearly impossible to fight numerous and increasingly
sophisticated cyberattacks.


The Defense Department sounded a wake-up call last year during its Eligible Receiver 97
exercise. Before DOD network managers were out of their beds one Monday morning, they were
hit with the news that several DOD systems had been maliciously hacked into the night
before, and the security of data on weapons systems, personnel and troop movements had
been compromised. Simultaneous attacks had taken out international telecommunications
networks and power systems.


When word came that it was only a test, the relief was palpable.


“In terms of systems insecurity, an attack like that would be a total
nightmare—the kind of thing you never want to see in real life,” Jim Christy, a
DOD computer crime investigator, said. “Your mind starts running down alleys looking
for an answer, and you realize that the range of the hacker profile is vast, that you
could be looking for evidence from a foreign intelligence agency or a terrorist, an
industrial competitor or just a disgruntled employee.”


Before the early 1990s, such security problems did not exist, Christy said, because
dedicated systems ran on mainframes or discrete Unix networks.


“Looking back, it seems that the government’s transition to using
off-the-shelf parts was inevitable,” he said.


But the less costly, commercial systems are a two-edged sword. “Once we began to
use them, the tools and methods for breaking into our systems increased,” Christy
said. “By using commercial parts, our security became less of a secret.”


Federal security mavens are fighting back. The Justice Department and the FBI in
February established the National Infrastructure Protection Center at FBI headquarters as
a clearinghouse for security incidents, in government and in the private sector.


NIPC has 125 security experts from the National Security Agency, CIA, FBI and other
agencies. When a cyberattack occurs, the center’s security team acts fast to collect
information on the attack from the affected agency, usually from the systems
administrator. Amassing cyberattack data is only one part of NIPC’s multipronged plan
to help agencies prevent attacks.


“We are not the nation’s super-systems administrators or security officer,
responsible for securing everyone’s infrastructure or system against intruders or
advising on the latest security software or patches to fix vulnerabilities,” said
Michael A. Vatis, NIPC chief and an FBI deputy assistant director.


“That role must be filled by systems administrators in each company, by chief
information officers in government agencies and by industry groups and other
entities,” he said.


Because agency systems administrators have the most knowledge about their networks,
they are best suited to oversee security, agreed Mark A. Boster, deputy assistant attorney
general for IRM. And stronger security is a vital part of the overarching systems
architecture the Information Technology Management Reform Act requires agencies to build,
he said.


The Environmental Protection Agency holds a similar view, said Jerry Slaymaker, senior
adviser to EPA CIO Alvin Pesachowitz.


“For some time at EPA we’ve held the point of view that it is wise to involve
the systems administrators with security,” Slaymaker said. “They’re the
ones familiar with the needs of the workers and the capabilities of the systems.”


Boster, who is also chairman of the CIO Council’s Security Committee, added,
“What we’re finding is that the systems administrators are often people with
intimate knowledge of the system and are therefore uniquely qualified to deal with system
penetration and security.”


But therein lies a problem, he said.


In agencies the first line of defense has been sysadmins, Boster said. But federal
sysadmins have not been trained in security. Many are former clerical staff members who
showed an aptitude for computers, he said.


Their duties might include loading new software, system maintenance and other mundane
operations. Security duties may be more of a burden than they can handle, Boster said.


“They’re already working very hard just to maintain their network, so when
additional duties are assigned, managers will need to find a creative way to add the
additional burden of security and education,” he said.


The stakes are high and not just in training. Spending on network security worldwide
will edge toward $2 billion this year and is expected to jump to nearly $3 billion next
year.


The quest for security demands a balanced approach, said Alan Paller, director of
research for the Sans Institute Inc., a security research organization in Bethesda, Md.


“What is really important is not to invest all of your money at once because this
stuff is constantly getting cheaper and changing all of the time,” Paller said. 

NEXT STORY: GSA posts schedule sales, contract details and other buying info on Web

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.