Feds' 30-Day Sprint Is Just the First Step off the Blocks
In the wake of the OPM hack, Federal CIO Tony Scott launched a government-wide cybersecurity Sprint on June 12, giving agencies 30 days to shore up their systems.
The audience for the sprint announcement was clearly the media. Something had to be said and done, for the Office of Personnel Management (OPM) breach is, in some ways, the worst we’ve ever seen in terms of impact on both the US intelligence position and (potentially) the individual victims. Although other breaches leaked more personal information, no breach I’m aware of exposed such sensitive data on so many people. These current and former Federal employees are at risk of identity theft, blackmail or worse because the SF 86 forms disclose medical conditions, drug use, even love affairs or sexual orientation. Other data, including Social Security numbers, may have been captured for any employee or contractor who did no more than work in a Federal office and require a personal identity verification (PIV) card.
According to Federal Times: “During the 30-day sprint, agencies are encouraged to patch all known vulnerabilities; use information provided by Homeland Security to identify and mitigate known threats; limit the number of privileged users and tighten access controls; and ‘dramatically accelerate’ the use of personal identity verification (PIV) cards and other forms of multi-factor identification.”
But as we know, the US government can’t even make a purchasing decision in less than 12 months. Like most large organizations, governments are the opposite of agile. Worse, the government is hobbled by outdated project management and procurement methodologies and, as one commentator on the LinkedIn Security Architecture group put it: “This sprint approach to government security suffers from at least three major weaknesses: It’s a reflexive knee-jerk reaction. It encourages point solutions, which lack any sense of planning or coherence. [And] Scott is mandating the completion of eight major security initiatives across a multitude of entrenched, competing federal bureaucracies.”
Shall we sigh or get a sense of hope? Or both. We might sigh to hear anyone speak of a need to “patch all known vulnerabilities,” which is patently impossible and begs for a risk-based approach instead. We might hope to hear that the government might adopt “other forms of multi-factor identification,” acknowledging the insufficiency of the smartcard in the era of mobile devices and cloud-based, federated applications.
Perhaps this “sprint” will be followed with new, more strategic announcements that start to get to the roots of how an organization that spends more than any other on security can improve its results.