The most recent report from the President’s Council of Advisors on Security and Technology identified a broad range of vulnerabilities in public sector IT. The council cited government agencies for failing to follow best practices that help fend off attacks, including their slowness to upgrade from the increasingly vulnerable Windows XP and Windows Server 2003 operating systems.
PCAST raised many legitimate concerns in its report. However, its recommendations deserve additional scrutiny because some of them aren’t practical. For example, many agencies are working with constrained budgets and are in no position to overhaul hardware fleets just to update to Windows 8. Solutions to the government’s most pressing issues – consolidating its IT systems, staying on top of increasing network data volumes and mitigating insider fraud – likely should focus first on streamlining existing systems and processes before requiring substantial upgrades.
Overall, the PCAST document correctly diagnoses the key ailments in federal government IT but doesn’t always prescribe the optimal remedy. Some of its solutions are on the mark – the suggested auditing process could be a useful guide for organizations as they refine security practices. However, others may be skewed toward the interests of vendors seeking to sell additional cloud services to agencies. Finding middle ground will require greater input from agency IT departments and a more balanced assessment of the government’s financial position.
PCAST urges federal government to improve security practices
The report called out government agencies for rarely following best practices, a criticism that is likely familiar to managers that have seen similar sentiments raised in numerous Government Accountability Office findings. But what are government agencies specifically failing to do?
For starters, they’re not updating critical software, or doing so only very slowly. Outdated operating systems are still critical cogs in the government’s IT machinery. As recently as 2012, the Drug Enforcement Agency was using Windows Server 2003, and many agencies did not begin Windows XP migration until years after the release of Windows 7. The National Security Agency has been outspoken about the vulnerabilities of older versions of Windows, which lack the hardened security features of their successors.
Official support for both XP and Server 2003 will end over the next two years, making it important that organizations update to at least Windows 7 (Vista is not widely adopted) or adopt virtualized solutions. InformationWeek’s Mathew Schwartz floated the latter idea as a way to set up locked-down XP implementations that wouldn’t require the newer hardware needed to run Windows 7 and 8.
Schwartz’ recommendation takes a slightly different tack than the PCAST contributors’ suggestions, but it could be more in line with the current realities of government IT. Many agencies, most notably the Department of Defense, operate at considerable scale, and even smaller outfits rely heavily on contractors to maintain basic systems. Accordingly, coordinating major hardware and software updates is a logistically and financially challenging process.
The DOD’s IT issues and the feasibility of PCAST’s recommendations
The U.S. Army’s ordeal with upgrading its IT and email systems demonstrates the unique scope and challenges of federal government cybersecurity. In 2009, the Army gave up on trying to implement an Army-wide messaging solution and instead turned to the Defense Information Systems Agency.
DISA rolled out a version of its Enterprise Email system, based on Microsoft Exchange, in February 2011 but didn’t complete the process until July 2013. The system serves 1.5 million users, making it one of the largest Exchange deployments in the world, and has to run under DOD security specifications on DOD hardware.
Although the project took more than two years to finish, building such a system cannot be done in a day. While one can urge agencies to speed up their processes, doing so would require a depth and breadth of cultural change that itself would take years. More pressingly, agencies often face uncertainty about how much money they will have to work with from one year to the next, making it important for security solutions providers to be pragmatic about improving processes.
To its credit, PCAST made an overarching observation about government security practices highlighting the importance of replacing discrete measures with continuous monitoring strategies. Government agencies have already reached similar conclusions and are taking steps to implement continuous processes as mandated by version 2.0 of the Federal Information Security Management Act and guidance from the National Institute of Standards and Technology.
“Cybersecurity will not be achieved by a collection of static precautions that, if taken by government and industry organizations, will make them secure,” stated the report. “Rather, it requires a set of processes that continuously couple information about an evolving threat to defensive reactions and responses.”
Still, the PCAST authors seemed out of touch with specific developments at the federal level, and some of their recommendations appeared to hold benefits for the private sector but not necessarily for agencies. The report barely touched upon initiatives such as the Department of Homeland Security’s Continuous Diagnostics and Mitigation program and the Federal Risk and Authorization Management Program, which provides guidance and requirements for integrating cloud services. Suggestions for improved information sharing between the public and private sectors seem good in theory, but it’s unclear how much they’ll do to shore up government IT.
On the software front, the PCAST authors have their hearts in the right place – old versions of Windows, as well as other widely used applications such as Adobe ColdFusion, are real security vulnerabilities, but addressing them doesn’t have to be a black-and-white matter of either not upgrading and being attacked or spending millions to remake the IT department. Pragmatic solutions can address the particular requirements of government, working within tight budgets and at scale while ensuring security.
At a top level, security experts and developers should focus on how to get the most from what the government already has. Agencies should also focus on procuring hardware and software that is built for the long haul, with tightly interwoven security features.
“It is important to influence designers of future computers and software so that security controls can be installed before the fact and as an integral part of the system,” stated a recommendation from the 1970 Defense Science Board Task Force on Computer Security. “It is also important to ascertain what can be done with equipment presently installed or owned by the government.”