WASHINGTON — Securing government IT systems is a high-stakes game. Like the private sector, the government is under constant attack from legions of hackers looking to infiltrate and exploit software and architecture vulnerabilities.
But Uncle Sam may have it worse: Fleet-footed companies aren’t saddled with a sprawling bureaucracy and Byzantine procurement process that can hinder the government when trying to fend off threats to targets like Pentagon databases or major weapons systems.
That’s one reason that federal agencies are looking to work in concert with the private sector to develop a more nimble set of cyber defenses.
In introductory remarks before a panel discussion of industry experts on cybersecurity here at the National Press Club, Rep. Jeff Miller, R-Fla., aimed to send a clear message that the government is waking up to the new threats that are the byproduct of a hyper-networked world.
“Cyberspace is now a major battlefield for national and economic security,” said Miller, the ranking Republican on the House Subcommittee on Terrorism and Unconventional Threats and Capabilities.
Recent cyber skirmishes in nations like Estonia and Georgia have shown that targeting a country’s digital infrastructure is quickly writing itself into the basic military playbook, Miller said.
But government cybersecurity is a much broader than national defense. IT permeates the operations of the government, from the top levels of national security to the army of functionaries scurrying around Capitol Hill with their heads buried in their BlackBerries.
“We have some folks on the Hill who are Twittering. I don’t Twitter, but we all know what it is,” Miller said. “We’re all aware of the changes in the world and cyberspace. Technologies and social tools like Twitter and Facebook are rapidly becoming more and more pervasive, and demonstrate that the information technology systems that we need today must be developed and acquired with the knowledge that they will enter a highly contested and highly integrated network.”
But “highly integrated” may not fully capture the scope of the problem.
Streamlining the bureaucracy
Part of the difficulty in shoring up national cybersecurity is the ongoing debate over who is — and should be — in charge of federal cybersecurity.
At present, responsibilities and authority are splintered across a variety of agencies, including the Department of Homeland Security, the National Security Agency and the FBI.
Those agencies operate in extensive partnerships with IT companies in the private sector on the cybersecurity front. Broadly drawn, the relationship has the government spelling out the requirements, and the industry providing the technology.
[cob:Special_Report]Representatives of several of those firms were on hand at this morning’s discussion, where they emphasized the need for government agencies to embrace a more collaborative, flexible approach to cybersecurity — and one that does away with some of the arcane bureaucracy that has made the government famously sluggish, the panelists said.
Partly as a result of the different agencies sparring for primacy in cybersecurity, many projects are handled piecemeal, with no serious effort made to implement a government-wide defense mechanism, the panelists said.
Page 2: Obstacles ahead
The government may already be moving toward addressing the issue. President Obama recently commissioned a sweeping 60-day review of cybersecurity efforts throughout the federal government, with the aim of getting a handle on the tangle of overlapping efforts and responsibilities.
In addition to the review, headed by former Booz Allen consultant Melissa Hathaway, Obama has pledged to create the position of national cyber adviser, who would report to him and develop a coordinated cybersecurity policy.
Obstacles to collaboration on security
Jerry Briggs, managing director of the federal government practice at Accenture (NYSE: ACN), agreed that the quicksilver nature of cyber threats demands a more nimble response from the government.
“Quite frankly, while we’re arguing about primacy, the threat continues to evolve,” he said, bemoaning a procurement process that can often languish for 12 to 24 months.
“When I think of this, I think of an old Wayne Gretsky quote. He said, ‘I don’t skate to where the puck is, I skate to where the puck is going to be,'” Briggs said. “The challenge is figuring out where the puck is going to be.”
Relations with industry are further constrained by the problem of “overclassification,” where useful information that would be benign in the hands of contractors is thrown in with high-level secrets and kept under lock and key.
A more nuanced system of classifying information could help in that process, said Terry Wallace, who oversees all basic science programs at Los Alamos National Laboratory.
“When you’re focused only on the architecture, you’re also missing perhaps the most important thing that’s going on now and that’s the evolution of what we consider classified or sensitive information,” Wallace said.
In firm agreement was Bill Vass, the chief operating officer for Sun Federal, the government contracting subsidiary of Sun Microsystems (NASDAQ: JAVA).
Vass championed a tiered level of security, similar to what Sun has implemented to regulate its internal information. The software and systems giant has classified its data into seven segments, ranging from freely available information, such as its stock price, to highly classified materials protected by advanced biometric systems. In between are gradations of information secured by technologies of increasing sophistication.
Beyond a more intricate approach to classified data, Vass put in a plug for a subject very near Sun’s heart: open source software.
[cob:Special_Report]Rep. Miller called for the Defense Department to shore up its IT supply chain to guard against foreign enemies inserting malicious code into systems headed for the U.S. government. With all of today’s software — open or proprietary — coded at least in part overseas, Vass said the best way to secure the software supply chain was to scrap proprietary products in favor of open source.
“If you open source it, they can’t hide anything in the code,” Vass said. “By making it open source it requires you to write much better code because everyone can see it.”
He cited research from the Department of Homeland Security that found that federal IT infrastructure such as middleware, databases and desktop environments were on average six times more secure than their proprietary counterparts.
Of course, implementing secure systems at the Pentagon and the agencies, and even top-level government contractors, wouldn’t be a panacea for government cybersecurity. Companies like Lockheed Martin or Raytheon may have the budget to spend lavishly to secure their systems, but the reality is that the big names farm out much of the work for sensitive government projects to subcontractors working on much scanter resources.