Granted, popular enterprise technology is nowhere as secure as it should be, but today's federal cybersecurity woes result more from flawed technology management practices than flawed technology. To that end, we need to foster and reward innovative, effective management processes in the federal computer security arena and terminate the current technology management and oversight philosophy that tolerates and rewards idleness and mediocrity while doing little to actually eliminate them. The standards for acceptable cybersecurity are known: it's time to start holding the people in charge accountable to them. . . .
Over the past several years, various Washington entities, from the General Accounting Office to assorted Congressional committees, conducted surveys and issued reports on the state of the federal government's information security posture. In each case, with few exceptions, the findings range from the scathing to the downright embarrassing, and remain essentially unchanged since the mid-1990s.

Like any other issue involving government oversight, this process has become an annual Washington tradition - the reports are released; there's back-and-forth blather in Congress about how we need "to do more" to secure our federal networks; agency leaders and CIOs are called to testify on the Hill; some more blather, and perhaps a piece of legislation is introduced and dies before reaching the floor; and then the issue recedes into digital memory until next year's survey results are released -- and the process begins anew, with little or nothing really changing.

It's no different than our annual visit to the dentist. We know he's going to admonish us to brush more and cut out the sweets, and we know that we're going to be embarrassed or uncomfortable as he tells us this to our face and makes notes in our patient file, but we endure it year after year, because it's something we have to do for good oral hygiene. Of course, we ignore his advice because it's inconvenient and, besides, candy is a tastier snack than celery.

This seems to be the approach taken by the majority of the federal government when dealing with the security of federal information systems. As you can see in the following articles going back to the late 1990s, there's much bad news and many prescriptions for improving things, but the patient refuses to cooperate... and the dentist is powerless (in this case, unwilling) to force him to change his ways.

In some cases, these reports show marked improvements in specific offices or sub-agencies of the federal government, and those success stories should be made known both to the American people (as a sign that there are clueful security people making a difference in their agencies) and throughout the federal government as a helpful roadmap to improve security practices elsewhere. Unfortunately, these few truly noteworthy success stories are seldom reported by the mainstream press because good news doesn't pull in the ratings the way gloom, doom, and old-fashioned Washington finger-pointing does.

Like the much-vaunted but ineffective "certification and accreditation" process required for government and military systems, these annual assessments are an exercise in bureaucratic idleness designed to "address" but not "resolve" security problems in any meaningful fashion. After several years, the logic seems to be "why fix the problem when talking about it keeps us (and our contractors) employed?"

As a result, and contrary to popular belief and rhetoric, security for federal systems has been reduced to a check-box on our government's annual to-do list -- as long as federal enterprise leaders can prove that work is being done on the matter, that's perfectly acceptable, it seems, because in federal security circles, "activity" (e.g., certification and accreditation) has been confused with "progress" (e.g., actually fixing things) and "job security" has been confused with "effective security." Agency leaders confirming this with Congress each year generally can avoid anything stronger than a verbal reprimand about their job performance, no matter how dismal security really is back home.

The link for this article located at infowarrior.org is no longer available.