The Culture of Cyber Insecurity
Data breaches at the Office of Personnel Management, Target, Sony and others have gotten everyone’s attention on the issue of cybersecurity and the challenge of securing personally identifiable information. Agencies are reviewing systems; the White House, Defense Department, OPM, the FBI and others are investigating the OPM breach; and Congress is holding hearings. There will be requests for money for better technology, and agency leaders are making promises about securing employee data. All good. Right?
Not necessarily. The OPM breach exemplifies the cultural problem that besets the cybersecurity of the government and the private sector – the failure to recognize that cybersecurity is a challenge that must be owned by the entire enterprise. Everyone – CIO, CISO, CFO, COO, communications, human resources – must be part of plans and programs necessary for effective cybersecurity. It is a massive technology challenge that requires the best tools and talent. I am not a technologist, so I will leave the technical aspects of the issue to my ICF colleague, Sam Visner. His paper on Whole of Enterprise Cybersecurity Planning and Recovery is a great read and it makes the point – effective cybersecurity requires programs that are end-to-end (from plans through incident response) and involve the entirety of an enterprise.
At the same time we are using the best available security tools, we must also address the culture issues that contribute to vulnerabilities or the technology cannot protect us. This culture reduces cybersecurity to “merely” a technical challenge. Let’s take a look at a few examples:
Shut it down! Oh … Not so fast.
When a system that manages and processes sensitive data has glaring security deficiencies, the first reaction may be to shut it down until the problems can be fixed. OPM’s inspector general made just such a recommendation – “We recommend that the OPM Director consider shutting down information systems that do not have a current and valid Authorization.” – in his November 2014 Federal Information Security Management Act Audit. The threat of shutting down a system is one way to protect vital data and force program managers address security issues. So what happened when OPM temporarily shut down the e-QIP system because of security flaws? There was an immediate response from Sens. Mark R. Warner (D-Va.) and Timothy M. Kaine (D-Va.), who were legitimately concerned about the effect of the shutdown on security clearance processing. There was also a letter from the Professional Services Council, writing on behalf of the contractor community, asking OPM to clarify how it would mitigate the effects of its decision. Both OPM’s decision to temporarily shut down the system and the questions about the impact of that decision were equally sound. OPM would be criticized no matter which decision they made. Shutting down critical systems is an extreme risk mitigation action that is not always practical. It can indicate a flawed tool, sloppy development or inadequate program management that allowed a product to get to the point where it needed to be shut down.
It’s Mine – Keep your hands off
Many agencies decentralize control of IT and allow program offices to manage the technology that supports their program, rather than having a team of experts who understand technology and a fully engaged leadership team who know what information needs to be protected. They are focused on driving their program rather than what is going on under the hood. The desire to control every aspect of a program is common, and it is based partly upon fear that someone else will not do the work as well and partly on the purely parochial interests of power and control. The harm that parochial culture can cause grows as our systems become more complex and more interconnected. In fact, correcting that cultural flaw is one of the primary objectives of the Federal Information Technology Acquisition Reform Act (FITARA). FITARA will give Department Chief Information Officers much greater control over such programs. The result should be a focus on security throughout the acquisition, development and deployment processes.
Here – you take care of it
The flip side of the control culture is the “fire and forget” culture that assumes senior leaders do not need to stay engaged in system development, acquisition, deployment and operations. Agency leaders often identify a need for a new system, pick a program manager, then disengage. When senior leaders do not remain engaged with big projects, budgets can get out of control, scope expands to undeliverable levels, and the projects can go off the rails and fail. The same applies to the security aspects of systems. Rather than being an integral part of the project, security can be an afterthought that mission-focused program managers do not address throughout the project.
Security is the CIO’s job. Or the security officer’s
Anyone but me. The OPM breach may change the culture of “It’s not my job” when it comes to security. The lock on the door is irrelevant if users of a system fail to close the door. For example, agencies are mandating use of smart cards and a Personal Identification Number (PIN). But what happens when someone cannot remember the PIN? Too often the PIN is written on a Post-it note or piece of tape on the card. All it takes is one card with a PIN written on the back to give an intruder access to a system. The problem is even worse for agencies who still have user IDs and passwords. How many people have passwords “hidden” under a desk pad, keyboard or in a drawer where, of course, no one will ever find them? And how many people are disciplined for that offense? I’ve never seen an employee disciplined for what is, in effect, blowing a hole in the agency’s security efforts. We have to start holding everyone accountable for behavior that weakens security. That is harder than it might seem, because (a) the offenses are not considered to be serious and (b) the culture of Washington is to find someone senior to blame and fire that person. Firing someone may make everyone feel better for a few days, but it does nothing to change the cultural problems that get us into these messes.
“What amazes me when I look into a lot of intrusions, including some really big ones by multiple different types of actors, it often starts with the most basic active spear-phishing, where somebody is allowed in the gate and penetrates a network simply because an employee clicked on something he or she shouldn’t have.”
— DHS Secretary Jeh Johnson
No technologist can solve this problem – everyone in an enterprise must own it. It is much harder to hold employees accountable when agencies invest so little time in training them. From inadequate annual refresher training to placing people in roles for which they have inadequate training, agencies are not providing their employees with they skills they need to do their parts. Given the potential harm that breaches can cause, more in-depth training, tailored to the employee’s role, is critical
Cybersecurity involves the entire workforce and involves every aspect of an enterprise’s organization. Technologists must install and manage effective cybersecurity technologies – operators just judge the operational risks they can accept. Financial managers must decide what financial consequences they are prepared to accept, and make the sustained cybersecurity investment necessary to mitigate those consequences. Human resources and training professionals must help build a workforce (and workforce awareness) to face the cybersecurity challenge head-on. This holistic approach to designing, building, implementing, and managing an effective cybersecurity program represents the real shift the public and private sector must make.