
Opinion: After OPM hack, 3 steps to improve government cybersecurity

The Office of Personnel Management breach returns the spotlight to the insecurity of federal networks, which can be strengthened if Washington starts acting a bit more like Silicon Valley.

Illustration by John Kehe

Along with millions of other former and current federal employees, I'm fairly certain criminal hackers now have my personal information. Because I served as an assistant secretary at the Department of Homeland Security until earlier this year, the government stored many of my personal and professional details – Social Security Number, addresses, employment history, security clearance information – and facts about my family, too.

The scope of the Office of Personnel Management breach is now reported to involve as many as 14 million people. On its own, that's a devastating network compromise with vast implications. But taken together with other major breaches at the federal level, it represents a total security fail.

There's not much we can do now to take back what's been stolen, but the government can make a few easy-to-implement changes that'll vastly improve network security – and help prevent the next hack.

First, scrap the government acquisition system for cybersecurity. Simply put, the speed of innovation in cybersecurity has made the current multiyear government systems acquisition process irrelevant. Likewise, government acquisition risk-management models, which highly favor mature technologies, are rendering acquired technology obsolete as soon as it is fielded. As David Cowan of Bessemer Venture Partners recently said, “There is no such thing as a mature cybersecurity technology.”

The government must be free to jump to where the best companies are going, scrapping massive integrated systems in favor of a nimble architecture for information technology and cybersecurity. In that architecture, cybersecurity features are purchased as a service and incorporated as an application program interface, but only for so long as the technology actually meets the threat.

Second, the government needs to get venture capitalists into the game. Every industry, including the technology industry and its major cybersecurity players, is outsourcing research and development in whole or in part to startups. This means that venture capitalists serve as a screening mechanism for bringing new technologies and innovations to the market, or to incorporation as features into larger products. Venture capital firms and even In-Q-Tel – essentially, the intelligence community’s investment arm – share the risk involved with developing new technologies.

Working with these communities should be job No. 1 of the proposed Defense Department and Homeland Security offices in Silicon Valley, so that government can leverage what venture capitalists and startups are already doing for industry.

Finally, Congress needs to continue to give strong authorities to DHS and the Office of Management and Budget to truly enforce basic cybersecurity standards for the federal government.

Last year’s reforms to the Federal Information Security Management Act were a good start, but adoption of new technology, meeting minimum standards for cybersecurity, and making networks available for intrusion prevention, detection, and investigation activities cannot be optional on the part of each federal department and agency. Too much time is being wasted as federal departments and agencies argue over who gets what access to which networks, and how quickly new technology has to be deployed. DHS’s first cybersecurity directive to close critical network vulnerabilities, issued to all federal agencies in May, is a good start, but it needs to be the first of a much more aggressive series of directives aimed at closing critical cybersecurity gaps.

For the sake of my personal information and that of all of my former colleagues, let’s stop waiting around for the next breach and act now.

Alan Cohn is of counsel in the national and homeland security practice at Steptoe & Johnson LLP and a consultant on security, technology, innovation and government. He was formerly the Assistant Secretary for Strategy, Planning, Analysis & Risk at the Department of Homeland Security.

https://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0612/Opinion-After-OPM-hack-3-steps-to-improve-government-cybersecurity