GAO has tried to put together a report on Cyber Security Strategies for the Nation, but this is a task that can't be undertaken by an agency that doesn't have responsibility for the national infrastructure. This report has regurgitated all the findings from past years without getting to the real issues that drive cyber security in any of the environments they are responsible for. I don't blame GAO for this. They tried to do something they should never have been tasked to do.
There were similar reports written over the years, but none better than a simple one done by the President's Council on Integrity and Efficiency in the mid-1980s. It said there were really three things wrong with the way cyber security was being done, which I have shortened for this piece.
First, the policies for security of information systems were too complicated for most people to understand. That is more complicated than just reading and comprehending what a policy says. It means the implementation of a given policy must be understood by the people who have to do it. That often means somebody other than the security function, since security rarely does the actual work. Our systems today are governed by a list mentality fostered by NIST policies that are based on lists of controls that are neither well understood nor responsive to the threats information systems face today. Organizations implement some of these controls, but not all of them, and there is no way to measure the effect of the holes that are left. Vendors introduce some of those holes too, and those cannot be known or compensated for by following a list. The interactions of systems in large-scale networks make faults and flaws almost impossible to find, since organizations cannot go outside their own systems to discover them.
Second, the policies are not reflective of what is needed to protect systems from existing threats. They actually put this a different way in the report: there is not a proven relationship between policy and security level attained in a system. The government follows the lists without knowing if the implementation of them leads to a secure system. The reports on cyber incidents in government clearly show they do not.
Third, the quality of people required to do the security of a system is a difficult standard to meet. Since the 80's, standards for cyber security training have been outsourced by the government to private firms that test for all kinds of things that no single person can possibly know. The tests have become more general because nobody could pass ones that tested knowledge of all of these areas. When the first CISSP test was given, only about 10% of the people who took it got a passing score. Was that a reflection of the test, or of the knowledge of the people who took it? The tests, and similar ones from other testing organizations, have been watered down to the point that they are not good measures of how well a person will perform any task on the job. There is no profit in having a majority of people unable to pass a test.
GAO cannot write a report on what the nation needs to do for cyber security because government is only responsible for a small part of the layers of networks that government uses. They need to ask the people who secure networks what should be done to make them more secure. The financial sector used to be the leader in this because they did what kept criminals from stealing money from them at unacceptable rates. I would start there.