To Fix Cybersecurity, We Need to Understand It More Completely

Sue Marquette Poremba

The Office of Personnel Management (OPM) breach is in the news again. As you may have heard, it is much worse than originally thought, with nearly 22 million records compromised. With this news, this breach is the second one in less than three months that has hit a little too close to home for me personally.

It’s also not surprising. Our government is ridiculously lax in its cybersecurity efforts, especially when you consider the amount of personally identifiable information held in government databases. Remember, the OPM breach didn’t just have Social Security numbers and birthdates. PII revealed also included things like fingerprints and findings from security clearance investigations. The stealing of this data has created a new level of identity theft problems for the individuals affected, according to the security experts at NuData, who provided the following commentary to me in an email:

Fraudsters are learning that information coupled from various breaches can create more comprehensive 'identity bundles,' which sell for a higher value to hackers. With more complete information, more fraud can take place.

Not surprisingly, as we find out more about this breach – and I don’t think this is the end of it – and because this is Washington, D.C., there are calls for accountability and heads to roll. In fact, OPM Director Katherine Archuleta has resigned in response to this latest news.

I agree that there needs to be some outrage, but I’m not sure the resignation of an agency director is going to solve the deeper problem. The cybersecurity system in government – and in most organizations – isn’t broken; it was never functional in the first place. It’s why it is so easy to exploit.

It’s not functional because those who are responsible for fixing the problem don’t really get cybersecurity. You can’t put the tools in place if there is no budget for cybersecurity. Who is in charge of making sure there is an adequate security budget? In industry, it is the C-level decision makers. In government, it is Congress (or the state legislature or other elected officials). If there is no allocation for security within our government agencies, how is it supposed to be instituted?  


There is also a serious lack of understanding of how slowly cybersecurity detection works. It takes months for breaches to be discovered, and often that happens from an outside source, not by the organization itself. A Wired article written by Senator Ben Sasse expressed outrage over how long it took to discover the OPM breach (and he prematurely blames China, even though there has been no word yet on who committed the breach – another bad habit when it comes to cybersecurity). What the senator doesn’t understand is that this is more common than he realizes, and this is not the first government agency to suffer a serious breach. Nor will it be the last until something is done.

What this latest news shows me is that not even our leaders, let alone the public, understand cybersecurity and the tools necessary to address potential threats well enough to seriously attack the problem. Until that happens, you can fire all the directors you want. That won’t fix a single vulnerability or catch a malicious insider.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba

Jul 18, 2015 12:57 AM Gary Thompson says:
I really liked this post. I have been in the security business for a couple of decades and I always assume the knowledge is there. It's amazing that so many still know so little. At this point, most corporations are admitting that they have already been breached but aren't sure where or when. Twenty years ago, I brought a tray of cups and coffee into a customer's conference room and said "this is your problem, you spend more money on your coffee service than you do security." Today's budgets have skyrocketed but clearly haven't been able to keep either the government or businesses safe. Now that there are so many bad actors around the world with tools they can easily get on the internet, or criminal organizations who are constantly trying to get around current safety measures--it is tough enough just to keep current with the security measures at hand. I've heard there are solutions out there now that can detect APTs and BOTs that are already inside organizations. No surprise since stopping the bad actors from getting into the network doesn't seem to be working...
