In April, an FBI poll of some 500 government agencies and corporations revealed that more than 90 percent detected some form of security breach within the last year. The study suggested that computer attacks are common and are often not reported when detected, and that such breaches pose a significant threat to the enterprise.
The IPC cyber security panel of 17 participants from state, local and federal government agencies and private corporations discussed the issue and, for the most part, agreed with the FBI study findings. They also discussed strategies that need to be implemented to guard against future attacks, some of the barriers to those strategies, and how those barriers could be overcome.
Lack of Awareness
The panel concluded that as cyber attacks become more sophisticated and the risks continue to rise, state and local government agencies continue to fall behind in their efforts to combat computer crime. The reasons for this vary but include a lack of awareness and understanding of sophisticated threats and a lack of governance over security issues, including standards, policies and more.
Not surprisingly, the panel thought the core of the problem is a lack of funding, which stems from a lack of understanding. One panel member said that because of the Y2K threat that never materialized, cyber security is being written off as "alarmist" and funding is difficult to obtain.
Others agreed, saying that it is sometimes difficult to convince officials of the need for increased security because of an inability to demonstrate a return on investment. "They say 'you were wrong about Y2K, why should we spend money on this?' And so we don't have a plan," one panel member said.
A key to solving this problem is educating those who call the shots. "Educate the politicians, they make the decisions."
Education, though, should not be limited to just policy makers. "The security staff is oftentimes not as smart as the people they're trying to stop," one panel member said. One common problem that results from this lack of education is that "everyone thinks he's an expert," and that causes raging debates, according to another source. "We don't have enough skilled security practitioners."
What's needed to help solve these and related issues, said panelists, is some governance or authority over security issues, policies and procedures. A common refrain regarding this issue is the need for centralization - the need for a central point or body in the organization to determine best practices or "targets" for the enterprise. "Somebody has to stand up and say 'this is what you need to do.'"
The barriers to effective cyber-security countermeasures, as detailed by the panel, include: