Cybersecurity culture shift is more than people, official says

Earlier this week a presidential commission told agencies they need to make cybersecurity a core function in the next administration, but getting there is easier said than done.

The government is still constantly inundated with cyber attacks and the weakest link is not the computers, but the humans using them.

Rod Turk, the acting deputy chief information officer for the Commerce Department, recognizes that, but getting government employees to abide by the cybersecurity rules set out for them is a tough job. That’s why IT managers need a multi-layered approach to cybersecurity and cybersecurity training.

While the government invests in training and classes to promote cyber hygiene, there is no guarantee they will stick.

Advertisement

“When you talk about anti-phishing, for example, 2 to 3 percent of the people within your organization are going to click on that email, even after they’ve just been trained in cybersecurity and anti-phishing. They just can’t help themselves, I’m sorry, they can’t,” Turk said during a Dec. 7 Pillars of Cybersecurity event in Washington.

Agencies have tried to crack down on federal employees with lackluster cybersecurity habits in the past.

Pentagon officials said 80 percent of cybersecurity breaches are caused by defensive lapses like poor user behavior and failure to apply software patches.

In an attempt to tighten ship, last year the Defense Department implemented the DoD Cybersecurity Culture and Compliance Initiative. The program was a new regime of no-notice inspections, mandates for commanders to incorporate real-world cyber scenarios into all of their unit training and a yet-to-be-determined amount of spending to make military networks more defensible, based on the premise that every dollar spent on up-front security prevents $7 of costs in fixing a breach after the fact.

But Turk’s recommendations go beyond just training users.

“You have to really have an in-depth layered approach to cybersecurity so you do have to use tools to potentially explode those payloads as they present themselves in your organization, so you can have a reasonable chance of that payload not even reaching the desktop to begin with,” Turk said.

Turk added that cybersecurity needs the funding and resources to do its job.

That’s something the Commission on Enhancing National Cybersecurity seems to agree with.

The commission said the government needs to create a new agency — or reassign an existing one — to focus solely on defending federal networks and national critical infrastructure. That agency would also be in charge of consolidating all civilian federal agency network connections into a single, more defensible infrastructure and setting new standards that IT systems have to meet in order to connect to the network.

But things that are coded can also make an impact on user error. Turk said when the government is creating homegrown code, security needs to be built upfront, planned and put in early.

“It’s cheaper and more effective. Otherwise you get code that looks like the Winchester House. … The Winchester heiress, she builds this house because a seer told her that as she continued to build her house, in perpetuity basically, she would never die. So, what she did is she put in a room here and put in a room there. I read on the Internet just a couple of weeks ago that they actually found a room that they didn’t even know existed for the last 50 years,” Turk said. “My point on this is when you have code where security is added on it just becomes a bolt on to the application, a bolt on to the system. Typically it is not optimized, it’s not being used to its fullest extent and it’s not as effective as it would be if it was planned in right in the beginning. That’s part of the cybersecurity culture, where even in your programs the management of the organization drives in that thought process right at the beginning.”