Federal Security Policy – Rhetoric vs. Execution
Rhetoric on the importance of cybersecurity policy from the highest levels of government, usually in the form of mandates and legislation, has been a common theme over the past few years. At the recent Cybersecurity Innovation Forum in Baltimore, MD on January 29th, the White House's top cybersecurity official, Michael Daniel, spoke at length about the broadening security threat posed by the "Internet of Things." Mr. Daniel emphasized the importance of recognizing this threat as the "new normal" and of implementing best practices and thoughtful technology strategies in defense of critical infrastructure and sensitive networks. However, perhaps the most pertinent part of the "Cyber Czar's" discussion was his observation that government agencies are put at greater risk by bad business practices and the misuse of technology.
In timely fashion, a Senate report released on February 4th, "The Federal Government's Track Record on Cybersecurity and Critical Infrastructure," broadcast a litany of negligent security practices that consistently put government networks in harm's way. Despite roughly $65 billion in Federal spending on computer security since 2006, Sen. Tom Coburn's report outlined an alarming number of instances in which agencies have failed "to take even the most basic steps towards securing their systems and information." A few significant findings from the report included:
- Failure to install routine software patches and updates – in one instance, in July 2013, allowing hackers to steal private information on 104,000 people from the Department of Energy, including Social Security numbers and bank account data;
- Sensitive data stored on unprotected drives – a 2011 audit at the Nuclear Regulatory Commission revealed a drive holding data that should never have been stored there, such as details of nuclear facilities' cybersecurity programs, information on security procedures at fuel cycle facilities, and a Commissioner's passport photo and credit card image;
- The use of weak or "default" passwords and improperly configured password controls to protect classified networks, such as those within DHS' National Protection and Programs Directorate and the Department of Energy;
- A prevalent lack of vigilance in reporting malicious activity, reviewing security practices, and enforcing basic security policies within government IT organizations.
Sen. Coburn's report sheds light on the persistent failure of government organizations to follow through on cybersecurity mandates and take the emerging threat seriously, despite numerous warnings over the past few years from government officials identifying cyber attacks as a priority threat against our nation. To protect U.S. networks, we need a more disciplined approach from those who administer security policy within the Federal government. A concerted effort to follow through on government mandates must be enforced in order to effect true progress.
Sources:
- The Federal Government's Track Record on Cybersecurity and Critical Infrastructure, Sen. Tom Coburn, February 4, 2014: http://www.coburn.senate.gov/public/index.cfm?a=Files.Serve&File_id=f1d97a51-aca9-499f-a516-28eb872748c0
- Congressional Research Service (Federal cybersecurity spending figure)