FCW : September 30, 2015
CIO Perspective

IT insecurity: Aggressive use of security solutions

To avoid massive data breaches in the future, the government must address its cumbersome acquisition process and misguided IT security practices

BY RICHARD A. SPIRES

In my previous two columns, I described the three primary root causes that have led to the massive data breaches and compromises of core mission IT systems in multiple federal agencies and provided recommendations for addressing the first cause: lack of IT management best practices.

The remaining two root causes — which are the focus of this column — are misguided IT security practices and a slow and cumbersome acquisition process.

Regarding misguided IT security practices, to the government’s credit, there has been a fairly aggressive shift in thinking from the traditional Federal Information Security Management Act reporting approach to continuous monitoring of IT systems and the overall IT environment. I was also pleased to see that Congress passed much-needed reform in the FISMA Modernization Act of 2014, and I hope Congress will work closely with the executive branch to ensure that implementation delivers enhanced security.

Nevertheless, when I look at the current cross-agency priority goals for cybersecurity, I believe the government is still trailing behind current IT security best practices. For example, if you look at the overall objectives, the CAP goals will typically consider objectives of less than 100 percent to be successful, such as 95 percent for automated asset management or 75 percent for strong authentication.

Higher numbers are certainly better than lower ones in those metrics, but we are dealing with adversaries who are advanced and persistent — and who will almost certainly find the holes and exploit them. It is simply a matter of time.

Likewise, the Einstein system can aid agencies in detecting threats, and the promise of Einstein 3 Accelerated is the proactive blocking of malicious traffic. However, Einstein is only helpful if the traffic is actually going through the system.

Many agencies have Internet connections that are not monitored by Einstein, and I posit that this is another example of poor IT management. The government has invested hundreds of millions of dollars in the Einstein program, yet agencies continue to posture and delay implementation.

In effect, these approaches have led the federal government to establish a virtual Maginot Line as its key IT security strategy.

Based on the current situation and what I see evolving in the cybersecurity industry, I recommend rethinking how we measure success, with a focus along three lines:

1. Enhance automated protection. There is without a doubt a continuing need to pursue cybersecurity tools to prevent intrusions and, perhaps even more important, detect them quickly when intrusions do occur. The Einstein program identifies and protects against known “signatures” or characteristics of malicious activities, thereby preventing those intrusions. However, more advanced protective capabilities are required to prevent intrusions that the government is not yet aware of, thereby further reducing the government’s attack surface.

With enhanced automated protection, network defenders could focus on detecting and remediating only the most sophisticated and potentially

Richard A. Spires has been in the IT field for more than 30 years, with eight years in federal government service. Most recently, he served as CIO at the Department of Homeland Security. He is now CEO of Resilient Network Systems.