I submit that a “no tickee, no washee” strategy might improve US Federal data security.
An article published in the Federal Times states that Cyber attacks on Federal networks are up 40% from last year according to a report compiled by the OMB (Office of Management Budget) that is based on numbers reported by the DHS.
The US spends a lot of money on cyber security, over half of which goes to contractors like Raytheon and SAIC- who are part of the Obama Administration euphemistic private-public “partnership”.
A recent report by INPUT — “Federal Information Security Market, 2010-2015” — predicts that federal investment in information security will rise from $8.6 billion in 2010 to $13.3 billion by 2015 at a compound annual growth rate of 9.1 percent, nearly twice the rate of overall federal IT spending.
“Over the last year, federal agencies have seen a 78 percent growth in cyber incidents. This demand for increased information security is greater than any other current technology, leaving it more immune to the recent federal budget cuts.” Key drivers for the expected increase in investment in information security include a 445 percent increase in cyber security incidents since 2006, a shortage of qualified security professionals, and an increasingly complex and interconnected technology environment. “
In the relationship between the US government and IT security contractors, it’s actually in the interests of the contractors for the number of cyber attacks to go up – since if they went down – they might be out of a job.
The data from the DHS supports this hypothesis by revealing that over 2/3 of Federal agencies have unacceptable data security monitoring systems.
One would assume that the OMB would require Federal agencies to take affirmative action to improve their data security by linking budget to improved data security metrics but instead, the report makes a parveh politically-correct recommendation to improve IT security worker effectiveness instead of IT security countermeasure effectiveness.
In order to improve IT security countermeasure effectiveness in the US Federal Government, the OMB should reduce base payments to contractors and vendors who provide IT security services and data security technologies and link their compensation to a reduction in the damage caused to US government data and network assets. By using metrics and well-defined targets (like 90% of the government agencies doing data security monitoring), it’s possible to reduce Federal value at risk, but as long as contractors are feeding off the Federal milk cow at GSA rates it’s not likely to happen in our lifetime.
Federal agencies suffered 41,776 cyber attacks in 2010, up from 30,000 the previous year, according to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT), which is tasked with defending the dot-gov domain and sharing information with industry and local governments.
Almost two-thirds of US Government agencies are not yet continuously monitoring their systems for vulnerabilities and intrusions at an acceptable level, and 8 percent of agencies had no monitoring program in place.
Last fiscal year, civilian agencies spent 74 percent of their IT security budget on government personnel salaries and benefits and contractors. Overall security spending made up 16 percent of agencies’ IT budgets. Contractors accounted for 54 percent of their staff, and government made up 46 percent. At the Defense Department, 68 percent of IT security workers are government employees.
[...] have written here, here and here about the drawbacks of packaging Federal money, defense contractors and industry lobbies [...]