List of hacked government agencies grows: State Department, White House, NOAA & USPS by Darlene Storm.
Shaming the government isn’t an effective strategy to promote cyber security.
In part because, as things stand, improving governmental cybersecurity must be accomplished without:
- Changing any current personnel
- Changing any current practices
- Changing any current software
- Increasing burdens on users or programmers
- Increasing burdens on contractors
What if we were to remove those limitations and give agency personnel some “skin in the game,” so to speak?
What if an agency (subject to verification by the GAO) went unhacked for a fiscal year and its staff, below the appointed leadership level, not only got an annual bonus of 10% but also received a 10% raise for the next two fiscal years?
Plus favorable PR for being an unhacked federal agency.
How much effort do you think an agency’s staff would put into contracting for secure software and enforcing security practices?
For very large agencies, like the Department of Defense, it might be necessary to break security down on a chain-of-command basis, so that slackers in one command don’t pull down the others.
As the situation stands now, no amount of security failures or breaches has any impact on anyone. Has Booz Allen Hamilton suffered any penalty for Edward Snowden? Are sysadmins at the White House feeling uneasy? When there are no consequences for failure and no rewards for success, mediocrity is a certainty.
Mediocrity in cybersecurity = cyberinsecurity.*
* To anticipate the objection “…that’s just not how government agencies are run…” I would append “now” and observe there is always a first time.