The weakest link in Fed cybersecurity may not be technology

Amid all the recent focus on upgrading cybersecurity within the federal government, and the billions of dollars pledged to be invested in new technology, what some consider to be the weakest link in the chain is the tech operators.

And that really doesn’t come as a surprise for those tasked with improving the situation, according to a report on federalnewsradio.com.  And training the employees to follow rules and guidelines set down by the security experts only goes so far.

The acting deputy chief information officer for the Commerce Department, Ron Turk, said as much at an event in Washington recently.

“When you talk about anti-phishing, for example,” commented Turk, “2 to 3 percent of the people within your organization are going to click on that email, even after they’ve just been trained in cybersecurity and anti-phishing. They just can’t help themselves, I’m sorry, they can’t.”

The article went on to say that Pentagon officials believe 80 percent of cybersecurity breaches are caused by poor user behavior and failure to apply updated software patches. Officials say they are now attempting to identify those employees who don’t follow office procedures and take appropriate actions.

The Defense Department initiated a new program last year, called the DoD Cybersecurity Culture and Compliance Initiative, hoping to shore up the agency’s defenses against cyber attacks. The justification for the program is based on the idea that every dollar spent on preventing attacks up front saves seven dollars in the cost of repairing the breach after the fact.

The Commission on Enhancing National Cybersecurity agrees as well, recommending the government set up a new agency, or re-assign an existing one, to spend all of its resources on defending federal networks and national infrastructure from cyber attacks.  The commission also recommends making the new agency responsible for developing new standards and protocols that IT systems must implement in order to connect to federal systems.

Turk, while agreeing with the recommendations, also added that the coding should be done early in the process, instead of being added in later. Those add-ons could lead to confusion among users and to the program not being used to its maximum efficiency.