Who Watches the Watchmen, Part 2: Uncle Sam, Are You Naked?
"The International Strategy for Cyberspace" is what the White House calls its plan for assuring the free and secure flow of information online. But "free" and "secure" don't always mix so easily. In fact, the U.S. federal government's own internal IT systems are hardly a paragon of security themselves.
The United States federal government last month released the country's first comprehensive international strategy for cyberspace.
This lays out President Barack Obama's vision for the future of the Internet and outlines how the U.S. will partner with other countries to achieve that vision.
Assuring the free flow of information, the security and privacy of data, and the integrity of the interconnected networks themselves are all essential to American and global economic prosperity, security, and the promotion of universal rights, the strategy intones.
But within the plan's language, one might spot a contradiction: It's difficult for security and openness to walk hand in hand. Ask any IT security person.
About the Comprehensive International Strategy
The first of the strategy's focal points is establishing international cooperation on various fronts.
"There is much government can do with a global strategy to enhance leadership, architecture and best practices," Steven Sprague, CEO of Wave Systems, told TechNewsWorld.
The plan is "a roadmap and strategy to get everyone on the same page, which is itself a start," Danny McPherson, chief security officer of Verisign, told TechNewsWorld.
The establishment and embrace of international cooperation and collaboration laid out in the strategy "is a step in recognizing that the Internet itself is a global network of networks with no central authority or point of control," McPherson added.
Yet another focal point of the strategy is to reduce intrusions into and disruptions of U.S. networks, ensuring robust incident management, resiliency and recovery capabilities for information infrastructure. More on that later.
The Emperor's New Clothes
However, the strategy may be stymied by the overall condition of the federal government's IT security.
An audit of the U.S. Health Information Technology (HIT) infrastructure, published May 16, found that there were "no HIT standards that included general information IT security controls."
There also were no general security controls during prior audits at Medicare contractors, state Medicaid agencies and hospitals, the report stated.
General IT security controls are what ensures an organization's IT infrastructure is secure.
NASA didn't fare any better. A report of the results of an audit of NASA's IT security released in March noted several security flaws were found, and problems that were discovered during a previous audit last year had not been addressed.
The Office of the Inspector General, which conducted the audits, indicated that NASA's vulnerable to computer incidents that could have a "severe to catastrophic effect" on its assets, operations and personnel until it addresses these deficiencies and improves its IT security practices.
"Many enterprise IT departments see audit recommendations as just that: recommendations," Kurt Johnson, a vice president at Courion, told TechNewsWorld. "If they feel the likelihood of a breach is low enough and that they have adequate controls in place to protect their most sensitive data, they may take their time in implementing additional security measures to meet audit recommendations, or concentrate only on the most vital recommendations."
NASA didn't respond to requests for comment by press time.
Military and government agencies suffered data breaches at least 104 times in 2010, up from 90 breaches in 2009, according to the Identity Theft Resource Center, a nonprofit organization that tracks reported data breaches nationwide in the U.S.
The Mote in Uncle Sam's Eye
Perhaps Washington should address the federal government's IT security problems before turning its attention outward.
"I think cybersecurity needs a reboot," growled Wave Systems' Sprague. "Clearly the current methods are not making progress, and we are losing the battle daily. We're suffering a loss of intellectual property, loss of identity, the loss of cash, the loss of privacy," he added.
Verisign's McPherson took a kinder, gentler approach.
"We're very reactive today. Most controls and compliance represent good basic hygiene but are often stale well before they are deployed," McPherson said. "A determined attacker with modest resources is sure to prosper -- he's only got to be right once. The good guys have to be right 100 percent of the time, and most of their resources are spent on missile defense and whack-a-mole," he added.
"The question is: Will new leadership help the U.S. turn the corner?" Wave Systems' Sprague asked. "We need to invest in cybersecurity at scale and we need to put real regulations in place."