The fantasy and reality of government security

In the movies the government has always got the best toys, the cutting-edge technology and the tightest security standards.

In the movies the government has always got the best toys, the cutting-edge technology and the tightest security standards. Those who have worked on security projects within the government know that in real life government security standards and implementations can vary all across the range from quite serious to laughable.

Over the last few years in fact government departments have been earning poor or failing grades on cyber security. This may be about to change with a US$355 million investment in government cybersecurity included in the recently passed stimulus act. It's about time too: Just last week a private company notified the government that they had discovered the blueprints for Marine One (the president's helicopter) on a filesharing network node in Iran.

If we believe the movies then a file as sensitive as the blueprints for the presidential helicopter fleet would be encrypted, biometrically protected and stored in a bunker at an undisclosed location. It's a bit unfair to bash government security in this case because the file was leaked from the desktop of an employee of a private contractor. Because the vast majority of this type of work is outsourced, the security depends as much on enforcement of standards at third parties as it does on the security within government. But we have to wonder: why wasn't encryption required for this type of file? Why was this type of file allowed on an unmanaged desktop? And why was peer-to-peer software installed on the same desktop?

Most federal systems are moving to compliance with the Federal Desktop Core Configuration (FDCC) standard. This standard requires that desktops meet certain configuration standards that effectively "lockdown" the desktop. Even without the FDCC standard however, it is hardly a leap of imagination to expect defense contractors to disallow P2P software and remove administrator privileges from users. This was not just a breach of security by one employee, but more a complete lack of controls in the contractor's IT department.

Security inside the government or in the contractors used by the government is not uniform or consistent. That in itself is part of the problem. Numerous studies have shown that the vast majority of security breaches originate with a few well known security vulnerabilities. The golden rule of security therefore applies: Fix the top problems and remove 80 percent of the risk. Then focus on the more difficult 20 percent. Hopefully the government investment in cybersecurity will be focused on the top risks and on security with outsourcers and contractors not just federal systems.

A side note: Nemertes Research is conducting interviews for our security benchmark. We are interviewing CSOs and directors of security across all industries and company sizes. All the interviews are anonymous and we share benchmark results with the participants. If you want to find out what others are doing about security, send me an e-mail at to participate in our benchmark.