Yesterday brought news that the inspector general for the Department of Homeland Security (DHS) has found gaps in DHS’s cybersecurity. Politico reports that, according to the IG:
[T]he agency for months failed to patch its systems regularly against known cybersecurity threats or scan its networks consistently, in real time, to keep out digital malefactors.… Some at DHS even had been using an old, soon-to-be unsupported version of Microsoft Windows, according to the IG, whose conclusions are drawn from earlier studies issued throughout 2013. DHS also lagged in developing a more secure system to ensure the right employees are accessing the right data.
Nobody should take any pleasure in this report. DHS, after all, bears primary responsibility for defending the .gov domain against cyber intrusions. The IG’s report follows close on the heels of a report from the President’s Council of Advisors on Science and Technology.
The council—which has among its members luminaries such as Eric Schmidt, executive chairman of Google, and Shirley Ann Jackson, president of Rensselaer Polytechnic Institute—scathingly concluded that the federal government “rarely follows accepted best practices” for cybersecurity and that it needs to “lead by example” rather than by direction.
The council also concluded (in words we only wish we had written) that “industry-driven, but third-party-audited, continuous improvement processes are more likely to create an effective cybersecurity culture than are Government-mandated, static lists of security measures.” Yet we proceed apace with the development of a static federal cybersecurity framework under the direction of the National Institute of Standards and Technology.