Monday, May 2, 2016

Most Data Breaches are Government

I kind of got smacked in the head over this new Verizon Data Breach Report which shows the majority of data breaches are in the category Public, i.e.:

 "The Public Administration sector consists of establishments of federal, state, and local government agencies that administer, oversee, and manage public programs and have executive, legislative, or judicial authority over other institutions within a given area. These agencies also set policy, create laws, adjudicate civil and criminal legal cases, provide for public safety and for national defense. In general, government establishments in the Public Administration sector oversee governmental programs and activities that are not performed by private establishments. Establishments in this sector typically are engaged in the organization and financing of the production of public goods and services, most of which are provided for free or at prices that are not economically significant."

How do government CISOs manage to get together, when they must find it difficult to look each other in the face?  We can do nothing to complain about government security, but we have some frightful examples in OPM, IRS and CMS, which can never seem to get it right.  OPM is talking about establishing another agency to do security clearances, which should put more distance between their own malfeasance and the memory of the number of security clearance records lost by that agency.  Nobody can ever digest all the things that happened to lose that much personal data, but almost nobody has been disciplined for what has occurred in any of these incidents.  Government does not take the security of our data seriously and "works hard for us" by deflecting blame to anyone else it can find.

We have two basic things wrong with government security:  (1) policy is made in NIST, when NIST was never supposed to make policy - only issue guidance which can be followed or not (they euphemistically call this "tailoring" and that is why they got the unclassified sensitive responsibility) and (2) there are no mandatory security features that any government system must have to secure it from outside.  

A long time ago, I had invited a staffer from the Hill to talk about how the Computer Security Act came to be and why it gave responsibility to NIST for unclassified sensitive.  I think he stunned our group when he said, "Because we didn't want anything to be done about it."  Give NIST those things that we do not want to deal with or get involved in.  Unfortunately, the list mentality of NIST was adopted by other government agencies and spread like wildfire.  Nobody wanted to deal with security of computer systems and they got their way.  The White House basically ignores it.

There are no mandatory standards for security anymore, and that is going to change.  DoD, I have heard, has recently discussed dumping the NIST way of life and joining the real world, establishing basic policy, and making some of it mandatory for all parts of the agency.  Somebody has to start.  For the past 10 years people in our business have been making things up because there are no clear requirements (or, in the NIST case, 30,000 requirements for a system that have to be tailored to fit the round hole).  We should have dumped them a long time ago.
