The US government’s track record for managing its own internet security is what some would consider subpar. Examples of failure include the breach of systems at The White House and State Department, and incursions affecting myriad other agencies.
To be fair, data breaches have affected government sites across the globe. But citizens have a general expectation that government systems be more ironclad than the average network.
Those expectations have proven to be unrealistic.
With Donald Trump set to be sworn in as the nation’s 45th president on Friday, people are wondering what might be next for government security. So far, the security community’s expectations are low, especially with former New York City mayor Rudolph Giuliani being tapped as a cybersecurity advisor. After the appointment was announced, security experts decided to have a poke at Giulianisecurity.com, the website for the ex-mayor’s eponymous infosec consultancy firm. They found it was powered by a roughly five-year-old build of Joomla! and was packed with vulnerabilities.
With all that in mind, we reached out to several experts to revisit the question:
Since the US government has so much trouble securing its internet-facing systems, would it be better off privatizing the effort?
In other words, bring in security companies from the private sector to manage it all.
The answer was a resounding no.
Some pointed out that the private sector hasn’t done much better, given the rate of daily attacks and breaches against countless companies. Others said the US government has a responsibility to secure its own systems, and that responsibility can’t and shouldn’t be handed off.
Instead, the experts offered suggestions for making government security better.
Stop grading
Eric Cowperthwaite, a Seattle-based practitioner specializing in security issues facing the healthcare sector, suggested government agencies ditch the checkbox and grading approach:
“I think the issue is that incentives and frameworks are wrong,” he said. “In a nutshell, government security managers are incentivized to comply with checkboxes and get a good grade. It has been clear for some time that a compliance regime is not able to look forward at future threats, only historically at threats that have already happened. Worse, the compliance regime becomes a ceiling when it should be a floor.”
No easy solutions
Ken Swick, a St Louis-based security professional, said that as a libertarian and advocate of the free market, he’s all for the privatization of internet security for government sites.
“However,” he said, “as a realist and pragmatist, I realize that a lot of crony capitalism exists and that it isn’t going away anytime soon.” Since privatization is unrealistic at this point, he believes it’s probably best for agencies to better develop internal talent and get them better training. “I do not see any easy solutions in our current environment,” he said. “Hybrid approaches are probably best with a reliable internal group of security subject matter experts to assist across the board.”
Follow the model of large corporations
Dave Kennedy, CEO and founder at TrustedSec, an information security consultancy based near Cleveland, Ohio, suggests that while outright privatization is unfeasible, government agencies can learn much from the private-sector model.
“I think a better approach would be to have a similar structure as large corporations – an organization that is in charge of all security from a federal, state and local level and may have multiple CSOs in charge of the different pieces of the government,” he said. “Infrastructure would be central, which would allow sharing of budget and money and allow a consistent set of controls across the organization.”
Adopting such a system would be one of the largest undertakings ever and having appropriate segmentation and compartmented systems would be highly important, he said. But it could go a long way in improving government security.
Will Trump and the agencies of his administration take any of these ideas to heart? Time will tell, though it’s safe to say no one is holding their breath.
Jim
There is one role that non-governmental people can (and should?) help with: The government should hire ethical hackers to do penetration (and other hacking) testing.
I agree that they should be doing their own security, but they should not also be doing the testing. That’s a recipe for disaster.
Now, in the case of the US, they COULD hire other pieces of the government, like the NSA or FBI. But, I think they have better things to do with their resources.
So hire the experts. (But, get it in writing that they’re white-hats.)
Bryan
Agreed: bug bounty
The bad actors are already trying it–why not let the white hats give it a go?
PIngu
Trump could ask his mate Putin for advice on hacking.