CYBERSECURITY

Federal IT managers paint bleak cybersecurity picture

The recent hacks at the Office of Personnel Management led Dell Software to survey federal IT decision makers about security at their jobs, and the results were bleak.

Half of respondents said that they relied on at least six different login and password combinations to do their job, which inhibits them from doing their job and creates risks for agencies.

“Six would probably be on the low side,” said Paul Christman, vice president of federal, Dell Software, saying that some of the respondents claimed to have over 30 passwords.

There is a reason these users have so many passwords: “The applications include the identities, and there’s very little reuse of the identities across the applications,” Christman said.

Many of the applications that federal employees use are mission-centric, he added, which is why login credentials cannot be simply shared between mission applications.

That is the root of the problem, Christman said. “Usernames and passwords by themselves are tremendously insecure.” But it is more than that—having so many passwords and usernames means agencies have to invest in the means to manage them independently, which Christman said is expensive.

“The other problem is that the user finds it so burdensome that they find workarounds,” he added, referring the “classic” Word document that people save somewhere on their computers entitled “passwords.”

The survey found that 32 percent of respondents noted employees finding workarounds to avoid IT-imposed security measures.

So, in addition to the extra cost, having so many passwords makes for poor cybersecurity, Christman said.

The National Institute of Standards and Technology has set up a project called the National Strategy for Trusted Identities in Cyberspace to help counteract this problem.

“The idea is to have an identity that is transferrable, protected and durable,” Christman said. The program will also have onboarding and offboarding capabilities in order to, for example, erase login credentials after an employee leaves.

The Dell survey also outlined the importance of having “context aware” security for systems. To explain, Christman referenced his own home security system. The system is set to beep whenever a door leading into or out of the house is opened. If that occurs during the daytime hours, Christman tends to ignore it.

“When I hear the same beeping at 4:00am, the context of time makes that alarm all together different,” he said.

The same is being done for network security.

“If they’re logging in from a network that is known, from a machine that is known, during work hours, and they’re not logging into other parts of the location, which they’ve never been to, we’ll grant access,” Christman said.

However, if an employee tries to snoop around on a Saturday, for example, the network will throw a few security questions at that person.

The company wants better security for everyone in the future. “Dell as a corporation has this concept of security which is layered, connected and then context aware,” Christman said.

He also believes that agencies would be more willing to reap the benefits of the cloud and mobility technologies if they were more confident about security overall. “I think if we start to take security seriously, those things don’t seem so scary,” he said.

The good news is that federal IT decision makers are on board for upping security measures to a context aware approach. An overwhelming 97 percent of respondents said they see the benefits the approach.

The survey pointed at lack of awareness as the greatest barrier to adoption of a context-aware security approach, however.

About the Author

Mark Hoover is a senior staff writer with Washington Technology. You can contact him at mhoover@washingtontechnology.com, or connect with him on Twitter at @mhooverWT.

Reader Comments

Mon, Sep 21, 2015

Helpful piece, as usual. But is it not time to identify the many consultants and support contractors who have advised and run OPM's IT systems for many years? Their acuity for the cyber threat, or lack of it, has a bearing on who is picked to help solve this problem going forward.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here
close

Trending

  • Dive into our Contract Award database

    In an exclusive for WT Insider members, we are collecting all of the contract awards we cover into a database that you can sort by contractor, agency, value and other parameters. You can also download it into a spreadsheet. Our databases track awards back to 2013. Read More

  • Navigating the trends and issues of 2016 Nick Wakeman

    In our latest WT Insider Report, we pull together our best advice, insights and reporting on the trends and issues that will shape the market in 2016 and beyond. Read More

contracts DB

Washington Technology Daily

Sign up for our newsletter.

I agree to this site's Privacy Policy.