
You may not have heard of Tony Scott, but that may change next week.

Over the past 16 years, he served as the chief information officer (CIO) for both Microsoft and Walt Disney, and from 1999-2005 he was the chief technology officer of information systems and services at General Motors Corporation. He was recruited to become the CIO of the U.S. back in February to stop our nation’s cyber-bleeding, specifically at federal agencies like the Office of Personnel Management, which suffered a monumental breach, the full ramifications of which are still unknown.

In an interview with Federal Times, Scott described our nation’s antiquated data security practices in stark terms.

“Most of the systems, most of the technology you and I use every day was designed and architected in the 1970s or 1990s,” he said, noting even newer systems are built on the same framework. “It’s kind of like trying to put airbags on a ’65 Mustang — it just wasn’t designed for security, wasn’t designed for safety.”

In an effort to jump-start a thorough review of federal systems and hopefully get people thinking, working and most importantly taking the necessary actions to close loopholes, Scott called for something he called a “30-Day Cybersecurity Sprint,” which started on June 12. Federal agencies have to report how they did on Monday, and according to Scott, not every agency will pass muster. “Some will get there, and some won’t,” he told Reuters.

The list of tasks Scott set for the federal agencies he oversees was impressive:

  • Immediately deploy indicators provided by the Department of Homeland Security regarding priority threat-actor techniques, tactics and procedures to scan systems and check logs. Agencies shall inform DHS immediately of any signs of malicious cyber activity.
  • Patch critical vulnerabilities without delay. The vast majority of cyber intrusions exploit well-known vulnerabilities that are easy to identify and correct. Agencies must take immediate action on the DHS Vulnerability Scan Reports they receive each week and report to the Office of Management and Budget and DHS on progress and challenges within 30 days.
  • Tighten policies and practices for privileged users. To the greatest extent possible, agencies should: minimize the number of privileged users; limit functions that can be performed when using privileged accounts; limit the duration that privileged users can be logged in; limit the privileged functions that can be performed using remote access; and ensure that privileged user activities are logged and that such logs are reviewed regularly. Agencies must report to OMB and DHS on progress and challenges within 30 days.
  • Dramatically accelerate implementation of multi-factor authentication, especially for privileged users. Intruders can easily steal or guess usernames/passwords and use them to gain access to Federal networks, systems and data. Requiring the utilization of a Personal Identity Verification (PIV) card or alternative form of multi-factor authentication can significantly reduce the risk of adversaries penetrating Federal networks and systems. Agencies must report to OMB and DHS on progress and challenges within 30 days.
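To show what the "review privileged user logs regularly" item looks like in practice, here is a small Python check, added for this article and not part of the sprint memo or any agency tooling, that flags privileged sessions violating the controls listed above. The log field names, the four-hour session cap and the allowed-function list are all assumptions made for the illustration.

```python
# Added example: review constructed privileged-session records against the sprint's
# privileged-user controls (MFA/PIV, remote privileged functions, session duration,
# limited functions). Field names and policy values are assumptions, not from the article.

MAX_PRIVILEGED_SESSION_HOURS = 4.0            # assumed policy value
ALLOWED_PRIVILEGED_ACTIONS = {"patch_deploy", "config_change"}  # assumed allowlist

# Constructed sample log: one session per line, key=value fields.
SAMPLE_LOG = """\
user=alice priv=yes remote=no mfa=piv hours=1.5 action=patch_deploy
user=bob priv=yes remote=yes mfa=none hours=6.0 action=config_change
user=carol priv=no remote=yes mfa=none hours=2.0 action=read_mail
user=dave priv=yes remote=no mfa=piv hours=9.0 action=db_export
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a typed record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "user": fields["user"],
        "priv": fields["priv"] == "yes",
        "remote": fields["remote"] == "yes",
        "mfa": fields["mfa"] != "none",
        "hours": float(fields["hours"]),
        "action": fields["action"],
    }


def review(log_text, max_hours=MAX_PRIVILEGED_SESSION_HOURS,
           allowed=ALLOWED_PRIVILEGED_ACTIONS):
    """Return (user, finding) pairs for every privileged session that breaks a control."""
    findings = []
    for line in log_text.splitlines():
        r = parse_line(line)
        if not r["priv"]:
            continue  # the controls above target privileged accounts
        if not r["mfa"]:
            findings.append((r["user"], "privileged login without PIV/multi-factor"))
        if r["remote"]:
            findings.append((r["user"], f"privileged function {r['action']} over remote access"))
        if r["hours"] > max_hours:
            findings.append((r["user"], f"session of {r['hours']}h exceeds {max_hours}h limit"))
        if r["action"] not in allowed:
            findings.append((r["user"], f"function {r['action']} not permitted for privileged use"))
    return findings


if __name__ == "__main__":
    for user, finding in review(SAMPLE_LOG):
        print(f"{user}: {finding}")
```

Running it on the sample flags bob three times (no MFA, remote privileged change, over-long session) and dave twice (over-long session, disallowed function); alice and the non-privileged carol produce nothing.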

How Did It Come to This?

It would be an understatement to say that we need to get a better handle on the state of federal cybersecurity in the wake of the mother of all data breaches, the depth and breadth of which continues to unfold over at the Office of Personnel Management. For instance, the agency just revealed that 1.1 million fingerprint records were among the purloined files—that is in addition to the sensitive personal, financial and medical records already reported.

“The government may need to invest in tools that go beyond trying to prevent hacks, and more quickly detect and contain threats, and repair any damage,” Scott also told Reuters.

You think? If my tone seems a little arch, consider the millions of unnecessarily compromised records that got us to this important milestone in the evolution of best data security and privacy practices. It’s simply dumbfounding. There are way more than a billion records “out there.” Scott’s proposed protocols are welcome rain, but we are nonetheless lost in the desert of a very real and very pitched crisis, and nothing will ever un-compromise the records that have been stolen to date.

Our agencies have been defending against tens of thousands of persistent attacks for more than a decade. We have seen intrusions at many federal agencies. Yet it took us this long to initiate a 30-Day Cybersecurity Sprint to do what everyone in the data and privacy business has been screaming for since 2005.

A Sprint or a Marathon?

While I understand the metaphor of a sprint here, we are engaged in a test more like that first 26.2-mile foot race run by Pheidippides from Marathon to Athens to announce the defeat of the invading Persians (for the record, he died soon after). The only difference: we have not defeated our invaders.

The cyber war we’re currently losing could have devastating consequences for our nation, and the rest of the world. We need all the firepower we can get. We need a thoughtful plan carried out by brilliant minds. Perhaps that is Tony Scott’s plan. But we also need a culture that puts security first and instills that priority in everything and everyone, from the cleaning crew to the Secretary of every department. Again, that seems to be Scott’s intention, and if so, we are heading in the right direction. We need to protect our people.

As it stands, there is no salve to soothe the millions of people who never signed on to work for the government but who married or live with someone who does, and are now angry and scared. What do we say to the thousands of undercover operatives who risk their lives every day in service to this nation when everything about them, including their personal issues, medical records, even their fingerprints, is now potentially exposed to foreign intelligence operatives and/or will be for sale on the black market to the highest bidder? For them, this is too little too late. The only hope now is to make this a part of ancient history—like that race to Athens.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.
