Federal IT managers paint bleak cybersecurity picture

The recent hacks at the Office of Personnel Management led Dell Software to survey federal IT decision makers about security at their jobs, and the results were bleak.

Half of respondents said that they relied on at least six different login and password combinations to do their job, which inhibits them from doing their job and creates risks for agencies.

“Six would probably be on the low side,” said Paul Christman, vice president of federal, Dell Software, saying that some of the respondents claimed to have over 30 passwords.

There is a reason these users have so many passwords: “The applications include the identities, and there’s very little reuse of the identities across the applications,” Christman said.

Many of the applications that federal employees use are mission-centric, he added, which is why login credentials cannot be simply shared between mission applications.

That is the root of the problem, Christman said. “Usernames and passwords by themselves are tremendously insecure.” But it is more than that—having so many passwords and usernames means agencies have to invest in the means to manage them independently, which Christman said is expensive.

“The other problem is that the user finds it so burdensome that they find workarounds,” he added, referring the “classic” Word document that people save somewhere on their computers entitled “passwords.”

The survey found that 32 percent of respondents noted employees finding workarounds to avoid IT-imposed security measures.

So, in addition to the extra cost, having so many passwords makes for poor cybersecurity, Christman said.

The National Institute of Standards and Technology has set up a project called the National Strategy for Trusted Identities in Cyberspace to help counteract this problem.

“The idea is to have an identity that is transferrable, protected and durable,” Christman said. The program will also have onboarding and offboarding capabilities in order to, for example, erase login credentials after an employee leaves.

The Dell survey also outlined the importance of having “context aware” security for systems. To explain, Christman referenced his own home security system. The system is set to beep whenever a door leading into or out of the house is opened. If that occurs during the daytime hours, Christman tends to ignore it.

“When I hear the same beeping at 4:00am, the context of time makes that alarm all together different,” he said.

The same is being done for network security.

“If they’re logging in from a network that is known, from a machine that is known, during work hours, and they’re not logging into other parts of the location, which they’ve never been to, we’ll grant access,” Christman said.

However, if an employee tries to snoop around on a Saturday, for example, the network will throw a few security questions at that person.

The company wants better security for everyone in the future. “Dell as a corporation has this concept of security which is layered, connected and then context aware,” Christman said.

He also believes that agencies would be more willing to reap the benefits of the cloud and mobility technologies if they were more confident about security overall. “I think if we start to take security seriously, those things don’t seem so scary,” he said.

The good news is that federal IT decision makers are on board for upping security measures to a context aware approach. An overwhelming 97 percent of respondents said they see the benefits the approach.

The survey pointed at lack of awareness as the greatest barrier to adoption of a context-aware security approach, however.