From: tech dirt
from the is-government-too-big-to-learn? dept
The President’s Council of Advisors on Science and Technology (abbreviated unfortunately as PCAST) has just released a report dealing with the nation’s hottest topic since terrorism: cybersecurity. The report’s writers include a host of professors from a variety of scientific pursuits, along with a few corporate figures from the tech world, including Google’s Eric Schmidt and Microsoft’s Craig Mundie.
The report’s suggestions aren’t half-bad.
Overarching Finding: Cybersecurity will not be achieved by a collection of static precautions that, if taken by Government and industry organizations, will make them secure. Rather, it requires a set of processes that continuously couple information about an evolving threat to defensive reactions and responses.
What’s being suggested makes sense. But logic means nothing when confronted with bureaucratic processes. The government, as a whole, isn’t a nimble beast. “Static precautions” are top speed for the behemoth. Turning it into a swift, reactive entity may be an impossibility.
Evidence of the government’s inability to craft functioning and secure software exists everywhere. Currently, everyone’s attention has been drawn to the government’s healthcare site, which has been plagued with problems since it went live and which, weeks later and after an overhaul, still underperforms and plays fast and loose with personal data.
Entities where cybersecurity is even more crucial aren’t much better. It took the FBI more than a decade and several hundred million dollars (spread across two contractors) to come up with functioning software. The DEA is still using Windows Server 2003, despite the NSA’s warnings that the outdated software contains serious security flaws. The Pentagon’s network of unrelated computers is even worse. According to a Reuters investigation, the Pentagon still relies on a variety of different computers, some dating back to the 1970s. Ancient file formats and arcane file management processes make searching for older records a nightmare.
So, nimble the government is not. PCAST’s recommendations do use a lighter tone than the multiple damning GAO reports covering the same ground, but the underlying message is the same. The government may be able to improve, but it seldom shows the desire to, as the first finding points out.
Finding 1: The Federal Government rarely follows accepted best practices. It needs to lead by example and accelerate its efforts to make routine cyberattacks more difficult by implementing best practices for its own systems.
This is a non-starter, as years of failing grades from GAO investigators can attest. Problems that existed a half-decade ago still exist today. Each subsequent report says the same thing: recommendations were made but little evidence was uncovered that these suggestions were ever communicated to those responsible, much less deployed.