Root cause summary as described in my testimony for the Senate Appropriations Subcommittee on Financial Services and General Government on the recent Office of Personnel Management (OPM) data breaches.
During the decades of the 1970s and 1980s, organizations could build and deploy IT systems with little regard to security issues. This was not necessarily a management failure since there were very few concerning security issues prior to the broad use of the Internet and the rise of ubiquitous data networks. However, beginning in the 1990s and up to the present, many organizations — government and private sector alike — have failed to effectively adapt to the changes in IT and the evolving cyber security threat.
When I served at IRS and then at DHS, we would all-too-routinely discover IT systems outside of the IT organizations’ purview that had been developed and deployed without the proper IT security testing and accreditation.
This highly distributed approach to IT management has led to a situation in which many organizations struggle with managing and maintaining a dispersed infrastructure and disparate systems. In far too many instances, hardware and software assets are not systematically tracked, software is not routinely updated and patched, and critical hardware and software have reached end-of-life and, in some cases, are no longer even supported by the vendors.
While well intentioned and appropriate for its time, the Federal Information Security Management Act (FISMA) skewed the approach for government IT information security. Originally passed in 2002, it set a course for how IT security effectiveness has been measured in government. While there are some good components of the law, the unintended consequence is that it forced CISOs to look at the controls for individual systems, when in reality, IT systems across the government were already becoming more interconnected, and viewing systems in isolation hid the impact on the larger enterprise security posture.
Additionally, based on OMB guidance, FISMA was implemented during a period when the cyber threat was still emerging and the evolution of technology hadn’t yet recognized the necessity of a security development lifecycle. In fact, until very recently, systems would be certified and accredited based on a three-year cycle, which, while perhaps manageable, is comical when looking at the rapid evolution of technology and the cyber-threat environment. The law required the generation of paper-based reports, which diverted time, resources and personnel from effective security efforts.
At both the IRS and then DHS, I was consistently reluctant to put my confidence in the yearly FISMA report since it did not reflect the reality of the true security posture of our overall IT environment. That can only be done by proper use of tools that continuously monitor the IT environment and are able to react and mitigate threats in near-real time.
Government and even some large private sector organizations can be ponderously slow and make it difficult to buy commercial solutions that help address vulnerabilities. When I was at DHS, I was a proponent of the Continuous Diagnostics and Mitigation (CDM) program, but it was dismaying to see how long it took — two plus years — to implement Phase 1 and for agencies to go through an additional competitive process within the CDM program itself to obtain capabilities. I am all for fair competition, but with sophisticated adversaries that will exploit any and all vulnerabilities, the government is even more vulnerable when it takes many months, if not years, to be able to deploy new IT security capabilities.
Even the best cyber security tools in the world require talented people who know how to use them. The shortage of cyber security professionals across the country continues to be a significant problem, making it difficult for IT organizations to have the skills in place to implement a robust and effective cyber security program.
In my next blog post, I’ll explore weaknesses of Misguided IT Security Practices and cover three significant ways to improve security practices.