SIDE BAR
January 2005
Cyber Security Gets Short Shrift, Say Federal Info Tech Managers
by Sandra I. Erwin
A recent survey of federal information technology managers suggests that many government agencies are poorly
prepared to cope with cyber attacks.
The survey paints a grim picture. It cites misdirected priorities
in cyber-security programs and substandard quality in the software
provided by commercial vendors.
This analysis, published by a government contractor, Intelligent
Decisions Inc., was based on interviews with 25 of the total population
of 117 federal agency chief information security officers.
"We were surprised by the results of the survey," said
Harry Martin, president of Intelligent Decisions.
Across the board, federal chief information security officers ranked
patch management as their number-one security concern, pointing
to shortfalls in the quality of commercial network-security products.
Patch management software is used to protect corporate networks
from Internet-based attacks.
Microsoft Windows operating systems, particularly, have many security
holes, experts note. Hackers often exploit these holes to
steal information or to program computers to distribute spam email.
Every time a new Windows problem is discovered, Microsoft issues
a patch to fix it. In companies or government organizations
with many computers, it is difficult to ensure that the latest patch
is installed on every computer, especially since Microsoft now releases
patches on a bi-weekly basis.
Patch management software can make a cyber-security manager's
job easier, because it automatically pushes out patches to every
computer in a corporate network. Many software companies, including
Microsoft, are getting into patch management software and targeting
the government market. Federal IT managers in the survey expressed
dissatisfaction with the quality of the products available.
"It is clearly time for private industry to get serious about
software quality," said Martin.
The study also reveals a class divide among federal IT security
officers, with those who control less than $500,000 on one side,
and those whose annual budgets exceed $10 million on the other.
"Half a million doesn't buy you a whole lot in today's
IT security world, particularly for a large agency," he noted.
"The security have-nots are loaded down with administrative
tasks and unable to address strategic security management
functions," noted Ted Ritter, director of cyber-security at
Intelligent Decisions. These officers devote 45 percent of their
time to compliance paperwork associated with the Federal Information
Security Management Act, which requires government agencies to protect
their networks. Just 22 percent of their time is dedicated to security
management functions, such as architecture development, inventory
control and vendor collaboration.
The security "haves" spend 27 percent of their time on
FISMA compliance reporting, and almost 50 percent on strategic security
management functions.
Information security officers who control less than $500,000 annually
consider the most important products and services to their agency
to be network security, firewalls, intrusion detection, prevention
systems, authentication and encryption devices.
Officers who control more than $10 million cite authentication-encryption
devices, biometrics for user log-on authentication and security
information management tools as the top concerns.
Among the agencies with large IT budgets is the U.S. Air Force,
which, like other government organizations, has struggled with network
security breaches and patch management issues.
About a year ago, the Air Force chief information officer, John
M. Gilligan, went to see Microsoft's top executive, Steve Ballmer,
to try to negotiate a software contract that would address security
concerns. The Air Force is the largest buyer of Microsoft enterprise
software.
Last month, Gilligan announced he had signed a $509 million, five-year
deal with Microsoft that consolidates multiple support contracts
for the entire Air Force and automates the installation of patches
to ensure that every one of the service's 525,000 workstations
is protected, he told reporters.
"Internet-based attacks have become all too common," said Gilligan.
"As we become more dependent on networks, disruptions become
costly," he said. "We were spending more money patching
and fixing than buying new software … The deal with Microsoft
automates the patching."
While Microsoft software dominates Air Force networks, Gilligan
noted that vulnerabilities also have been found in Cisco, Linux,
Open Source and Oracle systems.
"We have discovered them at the rate of one per day,"
Gilligan said. Not all are serious, but at least two per week, he
added, are caused by computers that have not been patched.
"The current patching process is both inefficient and ineffective,"
he said. "When we find a fix, it could take months to get it
installed … Patches often are installed manually. We have to
test it many times to ensure it doesn't disrupt our standard
configuration."
Under the agreement with Microsoft, the Air Force Network Operations
Command, at Barksdale Air Force Base, La., will pre-test patches
on about 2,000 workstations. Once the testing is completed, the
patching will be pushed to all 525,000 workstations.
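The two-stage process described above (pre-test on a small group of workstations, then push to the rest of the fleet) and the earlier point that it is hard to know whether every computer has the latest patch both come down to the same bookkeeping. The following is an added illustration, not code from the article or from the Air Force or Microsoft: a small patch-compliance inventory with a pilot-ring gate. The host names, ring sizes and patch identifiers (`PATCH-0001`, `PATCH-0002`) are constructed placeholders, and the 95 percent threshold is an assumed policy value.

```python
"""Staged patch rollout: compliance inventory plus a pilot-ring gate.

Added example, not part of the article. Hosts, rings, patch ids and the
gate threshold are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Placeholder patch identifiers (constructed, not real bulletin numbers).
REQUIRED_PATCHES = {"PATCH-0001", "PATCH-0002"}


@dataclass
class Host:
    name: str
    ring: str                  # "pilot" = pre-test group, "broad" = everyone else
    installed: set = field(default_factory=set)
    config_ok: bool = True     # pilot hosts: did the standard configuration survive patching?


# Constructed inventory: three pilot hosts and three ordinary workstations.
INVENTORY = [
    Host("pilot-01", "pilot", {"PATCH-0001", "PATCH-0002"}),
    Host("pilot-02", "pilot", {"PATCH-0001", "PATCH-0002"}),
    Host("pilot-03", "pilot", {"PATCH-0001"}),   # second patch failed to apply
    Host("ws-1001", "broad", {"PATCH-0001"}),
    Host("ws-1002", "broad", set()),
    Host("ws-1003", "broad", {"PATCH-0001", "PATCH-0002"}),
]


def missing_patches(hosts, required=REQUIRED_PATCHES):
    """Map each non-compliant host name to the sorted list of patches it lacks."""
    return {h.name: sorted(required - h.installed)
            for h in hosts if required - h.installed}


def compliance_rate(hosts, required=REQUIRED_PATCHES):
    """Fraction of hosts that carry every required patch."""
    if not hosts:
        return 0.0
    return sum(1 for h in hosts if required <= h.installed) / len(hosts)


def pilot_gate(hosts, required=REQUIRED_PATCHES, min_rate=0.95):
    """Pre-test gate for the broad push.

    Every pilot host must keep its standard configuration, and at least
    min_rate of pilot hosts must have installed all required patches.
    Returns (passed, reason).
    """
    pilot = [h for h in hosts if h.ring == "pilot"]
    if not pilot:
        return False, "no pilot hosts in inventory"
    broken = [h.name for h in pilot if not h.config_ok]
    if broken:
        return False, f"standard configuration broken on: {', '.join(broken)}"
    rate = compliance_rate(pilot, required)
    if rate < min_rate:
        return False, f"pilot install rate {rate:.0%} below {min_rate:.0%}"
    return True, f"pilot install rate {rate:.0%}"


def plan_broad_push(hosts, required=REQUIRED_PATCHES, min_rate=0.95):
    """Sorted names of broad-ring hosts still needing patches, or [] if the gate fails."""
    passed, _ = pilot_gate(hosts, required, min_rate)
    if not passed:
        return []
    broad = [h for h in hosts if h.ring == "broad"]
    return sorted(missing_patches(broad, required))


if __name__ == "__main__":
    print(f"fleet compliance: {compliance_rate(INVENTORY):.0%}")
    for name, gaps in missing_patches(INVENTORY).items():
        print(f"  {name}: missing {', '.join(gaps)}")
    passed, reason = pilot_gate(INVENTORY)
    print(f"pilot gate: {'PASS' if passed else 'HOLD'} ({reason})")
    print(f"broad push targets: {plan_broad_push(INVENTORY) or 'none (gate not passed)'}")
```

With the constructed inventory the gate holds, because only two of three pilot hosts finished installing both patches; once the third pilot host catches up, the plan lists the two ordinary workstations that still need patching. The gate checks configuration breakage before install rate, so a patch that applies cleanly everywhere but breaks the standard build still blocks the broad push.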
Although Gilligan predicts the new setup will better protect Air
Force networks, he acknowledged that there are no mechanisms
in place to hold software manufacturers accountable for disruptions.
"There are no set metrics for how to measure software performance,"
he said. Nonetheless, the Air Force expects that, in the long run,
the arrangement with Microsoft will pay off. "If we can get
a good handle on the patch management and automation, our experts
can focus on countering more sophisticated threats. I don't
see patches as the end game."