Cyber Security Gets Short Shrift, Say Federal Info Tech Managers 

2005

by Sandra I. Erwin 

A recent survey of federal information technology managers suggests that many government agencies are poorly prepared to cope with cyber attacks.

The survey paints a grim picture. It cites misdirected priorities in cyber-security programs and substandard quality in the software provided by commercial vendors.

This analysis, published by a government contractor, Intelligent Decisions Inc., was based on interviews with 25 of the total population of 117 federal agency chief information security officers.

“We were surprised” by the results of the survey, said Harry Martin, president of Intelligent Decisions.

Across the board, federal chief information security officers ranked “patch management” as their number-one security concern—pointing to shortfalls in the quality of commercial network-security products. Patch management software is used to protect corporate networks from Internet-based attacks.

Microsoft Windows operating systems, particularly, have many security holes, experts note. Hackers often exploit this vulnerability to steal information or program computers to distribute spam email. Every time a new Windows problem is discovered, Microsoft issues a “patch” to fix it. In companies or government organizations with many computers, it is difficult to ensure that the latest patch is installed on every computer, especially since Microsoft now releases patches on a bi-weekly basis.

Patch management software can make a cyber-security manager’s job easier, because it automatically pushes out patches to every computer in a corporate network. Many software companies, including Microsoft, are getting into patch management software and targeting the government market. Federal IT managers in the survey expressed dissatisfaction with the quality of the products available.

“It is clearly time for private industry to get serious about software quality,” said Martin.

The study also reveals a class divide among federal IT security officers—with those who control less than $500,000 on one side, and those whose annual budgets exceed $10 million on the other. “Half a million doesn’t buy you a whole lot in today’s IT security world, particularly for a large agency,” he noted.

The security “have-nots” are loaded down with administrative tasks and unable to address “strategic security management functions,” noted Ted Ritter, director of cyber-security at Intelligent Decisions. These officers devote 45 percent of their time to compliance paperwork associated with the Federal Information Security Management Act, which requires government agencies to protect their networks. Just 22 percent of their time is dedicated to security management functions, such as architecture development, inventory control and vendor collaboration.

The security “haves” spend 27 percent of their time on FISMA compliance reporting, and almost 50 percent on strategic security management functions.

Information security officers who control less than $500,000 annually consider the most important products and services to their agency to be network security, firewalls, intrusion detection and prevention systems, and authentication and encryption devices.

Officers who control more than $10 million cite authentication-encryption devices, biometrics for user log-on authentication and security information management tools as the top concerns.

Among the agencies with large IT budgets is the U.S. Air Force, which, like other government organizations, has struggled with network security breaches and patch management issues.

About a year ago, the Air Force chief information officer, John M. Gilligan, went to see Microsoft’s top executive, Steve Ballmer, to try to negotiate a software contract that would address security concerns. The Air Force is the largest buyer of Microsoft enterprise software.

Last month, Gilligan announced he had signed a $509 million, five-year deal with Microsoft that consolidates multiple support contracts for the entire Air Force and automates the installation of patches to ensure that every one of the service’s 525,000 workstations is protected, he told reporters.

Internet-based attacks have become all too common, said Gilligan. “As we become more dependent on networks, disruptions become costly,” he said. “We were spending more money patching and fixing than buying new software … The deal with Microsoft automates the patching.”

While Microsoft software dominates Air Force networks, Gilligan noted that vulnerabilities also have been found in Cisco, Linux, Open Source and Oracle systems.

“We have discovered them at the rate of one per day,” Gilligan said. Not all are serious, but at least two per week, he added, are caused by computers that have not been patched.

The current patching process is both inefficient and ineffective, he said. “When we find a fix, it could take months to get it installed … Patches often are installed manually. We have to test it many times to ensure it doesn’t disrupt our standard configuration.”

Under the agreement with Microsoft, the Air Force Network Operations Command, at Barksdale Air Force Base, La., will pre-test patches on about 2,000 workstations. Once the testing is completed, the patching will be pushed to all 525,000 workstations.
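The two-stage process described above (pre-test on a pilot ring, then push fleet-wide) can be expressed as a simple rollout gate. This is an added illustration, not the Air Force's or Microsoft's tooling; the host names, patch identifier, ring size and failure threshold are constructed for the example.

```python
"""Staged patch rollout gate: pilot ring first, whole fleet only if the pilot is clean.

Constructed example. Hostnames, the patch id and the 1% threshold are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostReport:
    host: str
    patch_id: str
    installed: bool   # did the patch install successfully?
    healthy: bool     # did the standard configuration still pass its checks afterwards?


def pilot_failure_rate(reports):
    """Fraction of pilot hosts where the patch failed to install or broke the baseline."""
    if not reports:
        raise ValueError("empty pilot ring: nothing was tested")
    bad = sum(1 for r in reports if not (r.installed and r.healthy))
    return bad / len(reports)


def promote_to_fleet(reports, max_failure_rate=0.01):
    """Gate: push to the whole fleet only when the pilot ring stays within the threshold."""
    return pilot_failure_rate(reports) <= max_failure_rate


def unpatched_hosts(inventory, patch_id):
    """Hosts in the inventory that have not reported the patch as installed."""
    return sorted(h for h, patches in inventory.items() if patch_id not in patches)


# Constructed pilot results: 2 of 200 hosts failed (1.0%), exactly at the gate threshold.
PILOT = [HostReport(f"pilot-{i:03d}", "KB-EXAMPLE-001", True, True) for i in range(198)] + [
    HostReport("pilot-198", "KB-EXAMPLE-001", False, True),   # install failed
    HostReport("pilot-199", "KB-EXAMPLE-001", True, False),   # install broke the baseline
]

# Constructed fleet inventory: host -> set of installed patch ids.
FLEET = {
    "ws-0001": {"KB-EXAMPLE-001"},
    "ws-0002": set(),
    "ws-0003": {"KB-EXAMPLE-001"},
    "ws-0004": {"KB-EXAMPLE-000"},
}

if __name__ == "__main__":
    print(f"pilot failure rate: {pilot_failure_rate(PILOT):.1%}, promote: {promote_to_fleet(PILOT)}")
    print("still unpatched:", unpatched_hosts(FLEET, "KB-EXAMPLE-001"))
```

The unpatched-host report is what lets a team verify the "every workstation is protected" goal rather than assume it from the push having run.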

Although Gilligan predicts the new setup will better protect Air Force networks, he acknowledged that there are no mechanisms in place to hold software manufacturers accountable for disruptions.

“There are no set metrics for how to measure software performance,” he said. Nonetheless, the Air Force expects that, in the long run, the arrangement with Microsoft will pay off. “If we can get a good handle on the patch management and automation, our experts can focus on countering more sophisticated threats. I don’t see patches as the end game.”