[BreachExchange] Government IT is an Atari Game in an Xbox World

Audrey McNeil audrey at riskbasedsecurity.com
Wed Feb 24 19:03:21 EST 2016


http://townhall.com/columnists/timsummers/2016/02/23/government-it-is-an-atari-game-in-an-xbox-world-n2123368

Since 2014, most major American government agencies and key personnel, from
the United States Postal Service (USPS) to the White House and the CIA
Director have fallen victim to an assortment of hackers.  Although the
private sector data breaches captured our attention, the federal government
proved to be a lucrative target for hackers.  Therefore, it should come as
no surprise to anyone that the White House would introduce a new
cybersecurity plan.

As part of the Cybersecurity National Action Plan (CNAP), a strategy that
will increase cybersecurity spending to just over $19 billion, the
government proposes to: (1) use $3 billion to overhaul federal computer
systems; (2) build a cyber corps of professionals within the government
using scholarships and relaxed office attire; (3) strengthen public-private
partnerships; (4) launch a national cybersecurity awareness campaign; and
(5) establish a commission to create cyber strategy. In addition to these
strategic talking points, the plan proposes the creation of a federal chief
information security officer (CISO) position.  The CISO would be
responsible for executing the White House’s five-point plan throughout the
government.

Anyone who has paid attention to the plethora of successful cyber-attacks
against the U.S. government knows that this plan should have been announced
a long time ago. In 2015, we saw that the U.S. Office of Personnel Management
(OPM) had lost 21.5 million records for current and former government
employees, including security clearance data. Just in case you missed it,
that data also included millions of sets of fingerprints.  Just a few
months later, the personal emails of CIA Director John Brennan and DHS
Secretary Jeh Johnson were hacked by a hacker claiming to be a high school
student. Many cybersecurity experts suggest that every part of the U.S.
government has probably already been hacked, even though the White House
has claimed that cybersecurity is one of its top priorities over the past
several years. It seems that we’ve finally reached a breaking point.

But we’re not out of the woods. There are some serious flaws with the CNAP.
First and foremost, cybersecurity tutorials, sponsored by the government,
and the encouragement of two-factor authentication are great. Companies in
the private sector have been doing both for over a decade. Fortunately, our
government is finally catching up. Also, spending $3 billion on an IT
system overhaul is incredibly overdue. As President Obama suggested, our
“government IT is like an Atari game in an Xbox world.”[1]  If this analogy
is correct, our government IT is almost three decades behind. That means
that the U.S. government has security like Swiss cheese, riddled with holes.

Then there’s the effort “to build a corps of cyber professionals across
government to push best practices at every level” where the White House
proposes to do more “including offering scholarships and forgiving student
loans – to recruit the best talent from Silicon Valley and across the
private sector.” Isn’t this what the CyberCorps: Scholarship for Service
was supposed to do? The CyberCorps OPM web site describes the program as “a
unique program designed to increase and strengthen the cadre of federal
information assurance professionals that protect the government’s critical
information infrastructure.”[2] That sounds remarkably similar to the
President’s new proposal.

But the fed is going to have a hard time recruiting the best talent from
Silicon Valley when they are offering Atari salaries when Xbox salaries are
the norm. The average salary for cybersecurity professionals is
$116,000[3]. To make matters worse, the cybersecurity czar position
established by the CNAP only offers an insultingly small salary range of
$123,000 to $185,000.  The current average annual salary for a CISO in the
Washington D.C. metro area is $225,000 and goes up to $334,000 in some
cases[4]. The salary disconnect is one of the reasons that JPMorgan Chase
was able to establish a cybersecurity center near the National Security
Agency (NSA), offer huge salaries, and hire away some of the agency’s best
and brightest[5].  It is also one of the reasons why so many cybersecurity
professionals are leaving government, heading to Silicon Valley, and being
paid millions to build startups[6].

The White House is going to have to make a more assertive move in
cybersecurity if it plans to protect U.S. innovation from cyber threats.
Thus far, we have just barely scratched the surface and even after it is
implemented, our government will continue to be an Atari in an Xbox world.