The Biggest Threats to Government Security – 2

Many shrieking eels advancing

Pity the government entities that have to deal with information security.  If they get it right, no thanks will be forthcoming.  If they get it wrong, they live in fear of mortifying headlines.  What are their shrieking eels?

Government has special challenges pursuing modern information security goals.

  • Confidentiality – access to information is limited to the right people.  Government doesn’t always have the latest and greatest technology, which can lead to system administrators having access to everything.
  • Integrity – information is accurate.  This is tough.  Without the profit motive business has to force correction there’s only indirect feedback from citizens and self-starting conscientiousness of some government employees.
  • Availability – information can be accessed reliably.  Frankly, I’m not sure why government does as well as it does on this count.  Perhaps it’s a combination of dedicated civil servants and more public visibility combined with the enabling platform of the web.

There are some across the board threats against the information security goals.
1.  Dysfunctional approval process

  • Two bad things can occur.  There can be no oversight, producing insecure systems or there can be over the top oversight, which often produces no systems at all.
  • ​For classified information, stringent requirements are supposed to be apply to new systems.  That sounds good, but in practice, systems are secured more by generating paper than by testing.  Industry, when it cares, cares about real world tests.
  • Never done it before x 100,000.  Because shared solutions and shared standards within the government are rare, most projects have to be figured out individually, with little benefit of reuse or lessons learned.

2. Wrong Priorities

  • The primary challenge in getting a new system approved is fear.  Since security folks get beaten up for failures and ignored for successes, some decide the safest approach is “no”.  This produces huge time delays and needless expense to deal with a “jump”, “how high”, “higher” cycle that ends by either wearing out the requester, the approver, or by political pressure.
  • Myopic focus is on incoming email and network based threats, perhaps because the tools are fairly mature, neglecting insider threats, where big name failures have occurred and neglecting the vulnerability of data.​

3. Bad technology approaches

  • Buzzwords vs. technology.  Multi-tier, Virtualized, Object Oriented, Cloud.  All of these are valuable technologies  or approaches that every government organization should care about.  Unfortunately these concepts often get treated as buzzwords, producing nothing but incomplete or unused systems.
  • Kitchen Sink.  Seemingly more often than not requirements for security products consist of a compilation of the different capabilities from competing vendors.  Rather than buy the most useful option, the purchaser tries to get an all-things-to-all-men solution.  Unsurprisingly those systems either do all things poorly, or worse yet, only meet the requirements by creative interpretations.
  • Let’s invent the Internet!  Closely related to the buzzword problem, some organizations get so enthused about a commercial technology that they decide to invent their own version, competing with man years of testing, development, and feedback.  Such only-a-mother-could-love solutions don’t live long.

What’s the future outlook?  Not bad, given that improving technology will eventually sweep everyone forward.

Save

1 thought on “The Biggest Threats to Government Security – 2”

  1. I definitely agree with your sentiments. Government security has been lacking for the past couple of years. I believe that they don’t focus mainly on their security. It could result in a disaster, if they allow themselves to be victims of these types of reasons. Hopefully, they can focus and prioritize the needed improvements across different fields.

Comments are closed.