FCW : August 30, 2015
CIO Perspective

The root causes of government IT insecurity

In the first of three columns, a former government executive discusses what's really needed to prevent another massive data breach

BY RICHARD A. SPIRES

In June, I testified before the Senate Appropriations Committee's Financial Services and General Government Subcommittee about the recent Office of Personnel Management data breaches. Given that I never worked at OPM, my testimony described broader systemic issues that must be addressed if we are to better protect our government's data and IT systems.

I am presenting the substance of that testimony in a series of three columns covering the root causes of the government's IT security issues and offering recommendations to address them.

Three primary root causes have led to the massive data breaches and compromises of core mission IT systems at multiple federal government agencies.

1. Lack of IT management best practices. The very best cybersecurity defense is the result of managing IT infrastructure and software applications well. During the 1970s and 1980s, agencies could build and deploy IT systems with little regard to security issues. That was not necessarily a management failure because there were few security issues to be concerned with prior to the broad use of the Internet and the rise of ubiquitous data networks.

Beginning in the 1990s and up through the present, however, the federal government has not properly managed its IT because it has failed to effectively adapt with the changes in IT and the evolving cybersecurity threat.

For example, when I served at the IRS and then at the Department of Homeland Security, we would all too routinely discover IT systems outside the IT organization's purview that had been developed and deployed without the proper IT security testing and accreditation. That highly distributed approach to IT management has led to the deployment of thousands of data centers across the federal government. Today federal agencies struggle to manage and maintain that dispersed infrastructure and those disparate systems.

In far too many instances, hardware and software assets are not systematically tracked, software is not routinely updated and patched, and critical hardware and software have reached their end of life and, in some cases, are no longer even supported by the vendors.

And although I am a big proponent of cloud technology, I am concerned that many agencies are not necessarily using cloud capabilities to streamline and simplify their infrastructures but instead are creating new stovepiped IT infrastructures. The complexity of maintaining a sea of vastly different systems in an ocean of differing IT infrastructures makes it impossible to properly secure an agency's IT environment.

2. Misguided IT security practices. Although well intentioned and appropriate for its time, the Federal Information Security Management Act (FISMA) skewed the government's approach to securing IT information. Passed in 2002, the law set a course for how IT security effectiveness has been measured in government.

Although the law has some good components, the unintended consequence is that it forced chief information security officers to focus on the controls for individual systems. In reality, IT systems across the government were already becoming more interconnected, and viewing systems in isolation hid the impact on the larger enterprise security posture.

Richard A. Spires has been in the IT field for more than 30 years, with eight years in federal government service. Most recently, he served as CIO at the Department of Homeland Security. He is now CEO of Resilient Network Systems.