Government Approaches to Cybersecurity - What are your tips?

Published: 2009-11-23
Last Updated: 2009-11-23 18:55:11 UTC
by John Bambenek (Version: 1)
2 comment(s)

On the heels of a recent Govenment Accounting Office (GAO) finding that many US federal agencies still are failing to adaquetly protect their systems, the National Institute for Standards and Technology (NIST) has issued new draft guidelines to revamp how the US government protects its own networks and to make up for the perceived failings of FISMA. (You can find the new guidelines here). While still in draft form, it appears the philosophy was to front-load security considerations and monitor throughout the life of the resource.

Ultimately, it's part of the ages old problem in security. Most organizations exist for reasons unconnected to cyber-security so how do you get them to invest in something that isn't their core business or necessarily increases sales (or decreases costs). For private organizations, regulation comes into play where organizations are forced into a security posture under threats of fines. This is so prevalent, I've heard more than once when presenting risks that "if there's not a law or regulation, then I don't care". It's a special problem for governments because regulations are not as "binding" on the same entities that enforce governmental regulations to begin with. The problem the US has (and other governments for that matter) aren't difficult ones to solve, they are known vulnerabilities or gaps with known solutions. The problem is making it part of the culture and getting the investment.

Businesses, also, have to deal with lost business or lawsuits in certain types of data breaches while, generally, the government faces no such risk. This paper has tips for selling security to management, but not all of it applies in governmental shops. Ultimately, it comes down to awareness, good risk analysis with costs and benefits and solid policies.

What are your tips for making the sale for security in government shops? (Will post the best answers in a follow on diary Wednesday)

Related news:

Australian Government Overhauls Cybersecurity Under New CERT-Australia


John Bambenek
bambenek at gmail /dot/ com

2 comment(s)


One can weigh he *huge* hassle factor of trying to deal with an infection or a data breach after the fact against the hassles of having controls and measures in place to prevent the infection in the first place.

There is a lot of the CYA mentality in the government as well. Nobody wants to be the one to be held up as the guy who screwed up in some way or another. While ideally nobody gets an infection it would still be better for a person/division if someone else got infected rather than you.

Usually the 1st line of defense in the government is to prohibit all sorts of non-work related things. And while lots of people might complain about it, in the end it is the government's computers and network, and they can make the rules as they see fit. If you want to go to facebook on your lunch break, do it on your phone and not your office computer.
I've spent many years on/off at government sites and on the networks. As I write this comment, security has become (at least where I am) a bunch of check boxes on a page, i.e. useless and pointless.

I think this article, illustrates a good way to balance usability while maintaing security. The more I think about this approach the more I like it. If the government followed this approach then I think things would improve.

The "controls" have become so ridiculous where I am at that we (the sysadmins) know how to circumvent them and routinely have to do so, to do our work. Problem is our workstations (desktop and laptops) are on the same network as the servers. Sure different VLAN, zoned (i.e. firewall) off, but still close enough and with enough trust that serious problems could occur. The people with the pay grade that get to make the decisions are not leaders nor have a clue, or so it appears from down in the trenches where I sit. Even with all the controls in place, viruses and other malware still manage to get into the network in various ways. Everything appears to be knee jerk reactions and trying to fix the immediate problem, instead of taking a step back and looking at the bigger picture.

I agree with the previous comment, "...facebook on your lunch break, do it on your phone..." government computers belong to the government and should not used for such things. Read the DoD login banner... At the same time the policies in place in government networks need to realize that valuable information resides outside .mil, .gov, and access to those things should be possible while sitting at a government facility.

Diary Archives