Agencies experiencing a widening cybersecurity reality gap

Wednesday - 2/5/2014, 4:54am EST

Jason Miller reports.


Inconsistency among how inspectors general review agency cybersecurity is causing a reality gap.

The progress many agencies are making to secure their systems is not reflected in the annual reports auditors submit to Congress. And this disconnect causes uncertainty around just how well protected federal computers and networks are from attacks.

A recent State Department cybersecurity management alert epitomizes the challenges agencies and IGs face in deciding just how secure their computers are.

On one hand, the Office of Management and Budget, Congress and private sector experts have celebrated State's approach as a model for the government. The department began continuously monitoring the health of its networks and using risk to make decisions in 2010.

In fact, the Homeland Security Department is modeling the governmentwide continuous diagnostics and mitigation (CDM) program after State's success.

But the recent report by the agency's IG says that, for the third year in a row, State has similar and significant information management problems. Auditors say State is facing undue risk because of weaknesses in scanning and configuration management, baseline controls, risk management and continuous monitoring.

So who's correct?

Well, both are — and that's the rub many agencies are facing.

A government official familiar with the State Department's cyber efforts said the IG's report is absolutely accurate. But, the source added, the IG doesn't take into account the fact that State, like most agencies, is facing dozens of recommendations and must prioritize which ones to address based on the associated risks. The official spoke on condition of anonymity because they didn't have permission to speak to the press.

At the same time, IGs are bound by the Federal Information Security Management Act (FISMA) to measure certain cyber compliance areas, some of which are more than a decade old. This means they have to look at certain requirements whether or not the agency decides those changes are a top priority.

"I think DHS tries every year, and we provide input to them to make sure they take into account recent trends in information security, known cyber attacks and other information. We try to gauge what they are going to require us to do every year," said Kathleen Tighe, the chairwoman of the IT committee of the Council of the Inspectors General on Integrity and Efficiency and the Education Department's IG. "But sometimes there is a disconnect. But I think IGs try, within the confines of the FISMA metrics, to target in a risk-based way the work they need to do and the issues they need to address."

Tighe said IGs have to fill out a FISMA evaluation form, but they also have the flexibility to look at other issues.

Hard skills needed

Alan Paller, the director of research at the SANS Institute, which offers cybersecurity training, said the problem isn't having enough flexibility. Rather, it's a lack of understanding by the IGs about what they are reviewing.

He said IGs, and even the people writing the guidance, don't have the technical skills necessary to truly understand how best to secure the systems.

And therefore, he said, IGs oftentimes point out problems whose solutions may or may not improve the agency's security.

"The challenge for the IGs is they have only one set of directions. Their set of directions comes from the National Institute of Standards and Technology. That set of directions at this time is something in excess of 13,000 pages. No organization has ever implemented those, including NIST, GAO and the IG shops," Paller said. "They are using a set of measures that are impossible to implement, impossible even to read all the way through for normal human beings, and because of that, they can look in any direction and find fault, and force people to spend money to do things that may or may not stop attacks."

David Kotz, the former IG for the Securities and Exchange Commission and now a director with the Berkeley Research Group, said his experience mirrors the problem Paller described.

"I think the IGs try to take into account the changing cyber requirements, but it's often difficult. These types of issues are a big challenge for IGs. IGs often don't have the background in information security, and it's difficult for them to really understand the issues," Kotz said. "I remember when I was IG at the SEC struggling with the FISMA audits, because it was hard for me to understand exactly what the issues were. I felt like many times I was almost forced to take the agency's word for it, because I wasn't in a position to understand it and really argue with them. So I think IGs try, but because it's so difficult, often they look at standard metrics, governmentwide standards, and don't necessarily always take into account all the different changing cyber requirements."