Why the Federal Government Sucks at Cybersecurity
[Commentary] A new report from the software security firm Veracode found that civilian federal agencies -- those largely unconnected to the military or intelligence communities -- rank dead last in fixing security problems in the software they build and buy. That’s particularly relevant given that the massive hacking attack on the US federal government’s Office of Personnel Management has exposed the personal information of at least four million people, and that number is likely to grow as the criminal investigation proceeds and more information comes to light.
The attack on the OPM, likely carried out by a group based in China, was significant for the damage caused, but it is only the latest in a long string of computer security incidents at federal government agencies, the number of which has increased by more than 1,100 percent since 2006.

Why aren't government agencies fixing their flaws? Because no one is requiring them to do so, says Veracode CTO Chris Wysopal. "They don't fix them because there's no regulation or compliance rules that require it," he said. Additionally, government agencies often work with outside contractors to build their software or to deploy commercial software, Wysopal said. When security problems are discovered, the government contract often does not specifically require that the contractor fix them.

Government agencies tend to follow what IT pros call a policy-based approach to computer security, in which an agency works through a checklist of requirements set by lawmakers and regulators. Private companies typically do the same thing, but they also add a risk-based approach to the mix. "With a risk-based approach, you look at what you have that attackers might want and what's in place to stop them," Wysopal said. "Both approaches are valid, but everyone should do both."