Recent headlines remind us we have a long way to go in protecting sensitive data.
In recent weeks, we learned that hackers in China breached an Office of Personnel Management database holding large volumes of highly sensitive personal information on employees and contractors with security clearances.
And another cyber attack targeting federal contractor USIS may have compromised personal data connected to Department of Homeland Security employees.
Several important efforts to beef up cyber defenses in the federal sector are in motion. Among them:
■ DHS’s Continuous Diagnostics and Mitigation (CDM) program, which aims to outfit all federal agencies with at least basic capability to monitor and mitigate their cyber vulnerabilities in real time.
■ DHS’s Einstein program — a suite of intrusion-detection tools available to federal agencies.
■ The National Institute of Standards and Technology’s cybersecurity road map called the “Framework for Improving Critical Infrastructure Cybersecurity.” Released earlier this year, the framework offers guidance to organizations on an effective risk-management approach toward cybersecurity.
There are many others. While they are all helpful steps in the broader effort to secure critical networks, databases and infrastructure, far more can and must be done.
In a June speech to a conference, Michael Daniel, the special assistant to the president and cybersecurity coordinator, said a key problem is that people do not understand the “economics of cyberspace.”
In other words, the tools and methods of good cyber hygiene, information sharing and identity management are well known, but the will to use them and to adopt basic security protocols is lacking.
“Many of the same fundamental weaknesses in our collective armor remain,” Daniel said. “And we know how to fix most of these vulnerabilities from a technical point of view, but we can’t get people to implement them.”
Changing human behaviors — whether it’s adopting effective password protection practices, carefully screening emails for phishing attacks, taking inventory of software and devices on a network, etc. — is critical in the cyber fight.
And that means making sure everyone gets the message that they are critical stakeholders in an all-hands cybersecurity effort and are reminded frequently of the basic steps they must take to do their part. In the federal sector, there should be effective oversight and accountability in place to make sure federal, military and contractor employees are, in fact, practicing good cyber hygiene.
In short, cybersecurity requires nothing less than a top-to-bottom culture change.