What’s Missing in the way the Government does Security?
Posted December 16th, 2008 by rybolov
I love transition time. We get all sorts of strange people who come in, issue their letters on how they think the Government can solve the major cybersecurity issues for both the Government’s IT systems and for the rest of the US as a whole. And then, they all leave.
Nobody actually implements the suggestions because it takes time, effort, and money to get them done, and all that anybody ever wants to give is talk. Talk is cheap, security is not.
Many years ago when I became an infantryman, our guest speaker at graduation made one of the most profound statements that I remember over 8 years later: “Infantrymen vote with their feet”. In other words, we’re doers, not talkers, and at one point in our lives we decided that something was important enough to give up 4 years of our lives, maybe more, for this cause. Even Colonel Davy Crockett after he lost re-election to the House of Representatives wrote “I told the people of my district that I would serve them as faithfully as I had done; but if not … you may all go to hell, and I will go to Texas.” He died less than 3 years later at the Alamo. That, ladies and gentlemen, is how you vote with your feet.
My personal belief is that the primary problem the Government has with security (on both sides of the InfoSec Equities Issue) is that there is a lack of skilled security practitioners upon which to draw from. If you think about everything we’ve done to date, it’s almost always a way of compensating for our lack of skilled people:
- Reducing security to a bunch of checklists
- Providing templates to non-security staff
- Automation wherever possible
- “Importing” non-security specialists such as accountants and technical writers in security roles
- Building a “Franchise Kit” upon which to base a security program
- Reserving key decisions for trained security staff
As an industry, we have failed (at least in the public sector) at generating people with the skills to do the job.
And in light of this, my challenge to you: have a good idea and think you know how to solve information security? Yes, we need those, but what we really need are IT security infantrymen who are willing to be doers instead of talkers. To answer the title of my blog post, the thing that the Government is missing is you.
Infantry Action Photo by Army.mil
So how can you help? I know moving to DC is a bit of a stretch for most of you to do. This is a short list of ideas for what you can do:
- Learn how the Government secures systems: don’t just dismiss outright what people in DC are doing because conventional wisdom says that it is failing miserably, and don’t listen to people who do the same.
- Actively recruit techies to “embrace the dark side” and become security people: we need more technically-savvy security people.
- Answer the call from DHS when it comes: living in DC is isolating from the rest of the world and all of the good ideas that are out there. Maybe you have a phenomenal microstrategy on how to secure IT. They/we need to know them. The Government cannot succeed at securing cyberspace (whatever your interpretation of that phrase means) without input from the private sector.
- Don’t engage the Government only when there’s money in it for you. ~$8B is a ton of money, but if you’re doing your job right as a vendor, you’re solving their problems as a first priority, not a second.
- Build a better education system for security staff and make better career paths to get people from the technical disciplines into security.
Posted in Army, Rants, The Guerilla CISO | 8 Comments
December 17th, 2008 at 4:15 pm
You know, I’ll have to respectfully disagree with you that the problem is a lack of skilled security people. Your position is based on the assumption that all skilled security people will actually agree on the best course of action. Even if government had all the skilled security people that they need they would still have problems because there is no way to gain consensus on what to do.
As you well know, government agencies are made up of numerous types of different corporate culture. What is acceptable risk for one culture isn’t acceptable risk for another culture. FISMA has gone a long way towards helping to establish a framework within which risk based decisions can be made, but it will never present a one size fits all type solution for government. We can push all sorts of required baseline controls, but if they don’t make sense in an environment then they are just a waste of time and money.
IMHO, if you really want to know what is missing in the way government does security then that would be fostering a risk-based approach to security rather than a compliance-based approach. The audit/checklist mentality that government currently has is as a result of the way that FISMA has currently been enforced (and subsequently little to do with the effectiveness of the FISMA framework itself; again IMHO). What you need to do is change the way that government thinks about and approaches security. It is an easy thing to say but a very hard thing to actually do. If agencies can start making security decisions based upon their individual level of acceptable risk rather than compliance concerns then you will start to see real improvement in security.
December 18th, 2008 at 12:16 pm
There is a saying, “You get more of what you reward.” The government rewards compliance, not risk management. There is actually a reasonable explanation for this. Measuring compliance consistently is relatively easy, and measuring risk consistently is very difficult. Measuring and managing risk takes knowledge of security design and architecture among other skills. These skills require higher paid individuals.
From what I’ve seen lately, certification testing often consists of some interviews, a cursory review of documentation, and security scans using automated tools. Writing *real* targeted tests based on the system architecture is hard, and therefore goes by the wayside.
Further, about the worst thing a government security manager can do (as far as FISMA score is concerned) is have a system that is not accredited. I would argue this actually negatively affects security, and rewards mediocrity. Do you, as a security manager, really want to be informed of a risk you can’t afford to mitigate? The skilled security folks will be able to identify your risks much better than the less skilled ones. Is that what some (most?) government security managers really want?
So, why pay for skilled security staff when the less expensive ones do the job better?
December 18th, 2008 at 3:17 pm
@MikeW
Very interesting point of view, makes a ton of sense. Sounds like the future version of a blog post. =)
December 18th, 2008 at 4:06 pm
@MikeW
I couldn’t agree more. What you described is symptomatic of the problem.
On one of your points, an unidentified risk is still a risk. Just because you don’t ask the question doesn’t mean the risk doesn’t exist. Personally I’d rather get ding’d for a risk I identified then had to accept (for say funding or functionality reasons as an example) rather than for missing a risk that should have been identified.
December 18th, 2008 at 4:49 pm
@Graydon McKee
In theory, if we’re all rational people, then acceptable risk is OK. But not everybody is rational and has the same version of “acceptable”.
December 21st, 2008 at 6:46 pm
It’s true that there is considerable pressure to accredit, but those who have experience in government as a CISO or CIO understand accrediting for the sake of a higher FISMA score is a career “death wish” in the long run. Accrediting systems without testing or a lack of diligence in determining the risk of an operational system is the dream of every OIG or GAO auditor. OIG and GAO understand the pressures that are put on IT executives to accredit and support the mission of the agency. They would love to find out that a CISO/CO or CIO/DAA did not exercise their responsibility or full authority to deny a system’s operation just for the sake of a higher FISMA score.
FISMA, and by extension certification and accreditation (C&A), were never meant to directly make a system “secure”. Contrary to what MikeW says, C&A IS a risk management tool. At least, if you are using it correctly it is. You all have written about the limitations of C&A, but the key to C&A is not accreditation, but defining security requirements from the beginning, effective testing and continuous monitoring. If CISO and other government security professionals are not performing these well then you are taking advantage of the tools that are being given to you–and thus, you are not doing your job.
Newspapers and media alike point fingers at policy, but I believe the lack of security given the tools available is caused by two things. First, individual CISOs and CIOs do not understand (or are scared to use) the tools and authority that is given to them. Secondly, there are no advocates for the difficult decisions that a CISO or CIO must make. The pressure is to deploy, but the testing and available information says don’t deploy. The “good guys” need a break for once.
I use governance to help with the authority challenge and it works pretty well. Governance is often thought of as the tool of Enterprise Architects and hardly ever muttered in the world of the tactically-focused CISO or CIO. I believe this needs to change. Every agency and Department needs to involve the mission programs in risk decisions. Information governance is what is needed since IT security is fragmented in the Federal government. Privacy, CSO, classification authorities, Real Estate, and policy offices need to weigh in if a system is going operational. Deploying a major IT system is more and more a risk decision for the agency and less the program.
Until other stakeholders have a voice and can weigh in on the security concerns, CISOs and CIOs will continue to run with flagrant inconsistency in the decisions and recommendations that they make, and FISMA and NIST will take the brunt of this criticism.
January 8th, 2009 at 1:59 pm
If we are going to continue down the FISMA path (which seems to be likely), one of the first things that needs fixing is the make up of the certification teams. I can’t count how many times I’ve been involved in an ST&E where a member of the certifying team refuses to listen to how you’ve actually secured the system, because you haven’t done it the way the specified checklist requires.
These people aren’t actually IA / INFOSEC people. They’re former system administrators who decided they wanted to make a little more money and maybe travel a bit. They do not have the necessary security mindset – they just want to check the boxes on their lists and collect their paychecks.
January 9th, 2009 at 11:02 pm
Hi Mark
Interesting take on things. I haven’t seen that to be much of a problem, I’ve seen much more of the opposite where people from an audit/controls assurance (think accounting and SOX/A-123 controls) branch out into “security audits”.
However, in a roundabout way, I think you’re confirming what I’ve been saying for a long time, that what we need are more well-trained security people.