CIOs Weigh Security Opinions with Federal Counterparts in CDW-G Report

Cyber-security concerns include password protection, external malware and lost mobile equipment.

by / December 7, 2009

Recent survey results reveal that federal IT professionals grappled with more cyber-attacks in 2009 than they did in 2008, and that more than half of their agencies experienced a cyber-security incident at least weekly, but when one city chief information security officer (CISO) read that, he wasn't sure if the respondents were in agreement over what an "incident" actually is.

CDW-G surveyed 150 federal civilian and 150 federal defense IT respondents to gauge their experiences in the ever-changing cyber-security landscape and published the results on Nov. 10, 2009, in the 2009 CDW-G Federal Cybersecurity Report: Danger on the Front Lines. Twenty-three percent said their network faced cyber-security incidents at least weekly, and 31 percent said daily.

"When you tell me that the federal government says, 'Hey, we have at least one incident per day,' these are guys that kind of moved up the ladder and probably don't have the kind of experience it takes to even understand what the word 'incident' means," said Michael Hamilton, CISO for the Department of Information Technology in Seattle.

The incidents include external attacks, viruses, lost PDAs and inappropriate employee activity, but Hamilton was still left wondering.

"When I look at US-CERT [United States Computer Emergency Readiness Team] stuff, for example, I know exactly how that is measured, and an incident is somebody who visits a Web site that is booby-trapped and attacks the visitor and there's no anti-virus signature in place and the desktop becomes compromised. Does that happen at least once a day? That happens hundreds of times a day, in an organization of any reasonable size."

Numerous federal IT concerns were expressed in the report, including managing growing numbers of remote endpoints as mobile computing increases in the workplace and the need for more education for end-users on proper technology use. When criminals target governments, they look for the holes.

"What we found in this study is that, oftentimes, the internal vulnerabilities are one of the things that are opening the door to the external sources of cyber-attacks," said Andy Lausch, vice president of federal sales for CDW-G. "This isn't a new topic. I think what our study does is help to raise the consciousness of the discussion and highlight some things that maybe people weren't aware of, one being just the overall prevalence of attacks that are happening."

The data elucidates some interesting findings:

  • When asked what top challenges they faced every each day, 33 percent said malware, 25 percent said inappropriate employee activity or network use, 25 percent said managing remote access, 23 percent said data encryption and 22 percent said end-user education
  • 44 percent said they'd seen an employee post a password in a public place, like a sticky note
  • 66 percent said that inappropriate downloading and Web surfing is the biggest internal threat, 50 percent said lost devices like laptops and PDAs and 40 percent said lost, shared or stolen passwords, and 
  • 60 percent said their mobile computing security challenges had increased over the past 12 months.

"The whole passwords-on-sticky-notes, I haven't seen that since 1980. I don't know what kind of problem they're having with that, but generally that's not a problem we see ever," Hamilton said of his own IT department.

Even Lausch himself was surprised about the password findings.

"I think it's surprising to hear a federal government admit to doing that," he said. But he added that they, like employees anywhere, could slip up do to pressure over meeting work goals. "They're human like the rest of us. Those folks who do that are probably doing that in the name of productivity. They're trying to be quicker in performing their mission."

Kyle Austin, vice president of engineering

for TriCipher, a company that builds password authentication systems, feels that human behavior can undercut optimum password integrity protocol.

"A lot of IT systems will create complex password policies and force the users to use a password they can't remember, and so what's the user do? They have to get their job done. They write it down on a Post-it Note and stick it to their monitor."

And when they have an easy password, they use something simple and general like their pet dog's name and use that same password for a variety of systems.

"These problems have been around for a long time. They kind of always get tossed under the rug," Austin said. "People have been writing down passwords as long as I've been in business, and unfortunately, we need technology to solve the problem because people aren't really going to do it."

The federal government wasn't alone, though, in expressing concern over a growing number of external threats. Forty-seven percent said their biggest threats came from the outside.

Ben Berry, CIO for the Oregon Department of Transportation, said he worries about external threats more than other types.

"I tend to throw a lot of technology at that because you don't know who those people are that come in over the Internet in particular," he said.

Hamilton worries about organized crime hitting his network more than anything else, through corrupted or fraudulent sites loaded with malware that hapless employees can inadvertently download when they visit.

When asked about the No. 1 thing they needed to improve on to ensure better cyber-security, most federal respondents said end-user education. Berry feels that state and local powers should also be vigilant in employee training as well.

He also said that malicious code is mercurial, so agencies should always be vigilant everywhere.

"You never know what you don't know because malware is continually changing, and there could be malware right now in our system that has gone undetected that we are unaware of - much like any other company or organization - until we have something that exposes that," he said.


Hilton Collins

Hilton Collins is a former staff writer for Government Technology and Emergency Management magazines.

Platforms & Programs