Cyber security experts warned on Thursday that the U.S. government is failing to learn the lessons of past computer and intelligence breaches and often exhibits a careless attitude towards securing the data it keeps.
The testimony came in a hearing on Thursday before the U.S. House of Representatives Committee on Financial Services. Experts were asked by the Committee to testify about whether the federal government can be trusted to keep sensitive data from the financial services industry safe while it analyzes it to spot unfair practices. Experts told the committee that the government has made little progress in securing sensitive government and military networks and faces huge obstacles to make its computing infrastructure safe from malicious hackers.
The hearing, titled “Oversight of the Office of Financial Research and the Financial Stability Oversight Council” was called as part of a re-evaluation of the Dodd-Frank financial reform legislation.
Among other things, Dodd-Frank created two new offices: the Office of Financial Research (OFR), whose mandate was to collect data from financial services firms, and the Financial Stability Oversight Council, which was charged with monitoring systemic risk in the financial system and making policies that avoid the near-collapse of the financial system that occurred in late 2008. Data submitted by financial services firms to OFR is to be used to support the work of the Financial Stability Oversight Council, according to the law. Among other things, OFR is looking to standardize the way parties to private financial contracts are identified in the data it collects on behalf of the Council. The House of Representatives, now under Republican control, has made repealing that law – or curtailing it – a stated political priority, and the hearing Wednesday asked whether Uncle Sam can be trusted to keep reams of Wall Street data safe, given the sorry state of security on government and military networks.
Alan Paller, the Director of Research at The SANS Institute and one of a panel of experts who testified before the committee on Thursday, says that lawmakers are making a fair point.
“Carelessness pervades federal cyber security both in government and in the major contractors,” Paller wrote in an e-mail exchange with Threatpost. “That carelessness has led to critical losses that are actively damaging to national security.”
Paller has been a longtime advocate of the notion that the federal government should take a leadership role in promoting more secure products from private industry.
“[The federal government] is the only institution that has the purchasing power to make effective security reasonably priced,” Paller wrote.
But that’s a challenge that has mostly gone unanswered at the federal level. While there are some examples of excellence within government, Paller wrote, there’s little evidence that the government can recognize, learn from and adopt those best practices across its many branches.
Paller blamed what he calls “federal cyber security management” for “elevating report writing to a billion-dollar industry that gets in the way of effective security.” Despite the uproar over repeated incidents of cyber espionage, and other mishaps – like the leak of data on millions of Veterans – there are few consequences for public sector workers who miss the mark.
“The lack of consequences for people who overlook important weaknesses, including the inspectors general and auditors, will continue to make federal cybersecurity weak,” Paller warned.
Also testifying before the Committee were Dr. Nassim N. Taleb, a Distinguished Professor at New York University Polytechnic Institute and author of The Black Swan, as well as Dilip Krishna, Vice President of Financial Services at Teradata Corporation, and Dr. John Liechty, Director of the Center for the Study of Global Financial Stability at Pennsylvania State University.
Rather than scrap the OFR, however, Paller thinks that Dodd-Frank could be the incentive to build, within the Department of the Treasury, a model of IT security that could be studied and copied across the federal government.
“The committee may use this information as a reason not to move ahead with OFR, but I would rather they used it as a reason to move ahead,” he wrote.