In the movie “Apollo 13,” the saga of the near-fatal moon mission, there is a harrowing scene toward the end of the film that has reminded me of the last several days in the cyber world. Two of the exhausted astronauts get into a horrific argument over their plight. The commander, Jim Lovell, equally tired, tells them to “stop bouncing off the walls,” as their problems will remain the same after whatever time they waste yelling about them. So it is with the current beatings taking place over the OPM information breach and its potential consequences.
Whatever the finger pointing and vituperative remarks, there remain four fundamental issues that must be addressed in our Federal government’s cyber world, or the mistakes of the past will continue to be repeated:
First, we need to address the “ignorance” of senior managers regarding their IT systems. The challenge here is getting government IT people, wrapped up in their own world, to explain clearly to their management and their personnel exactly what the risks are. Legacy systems and the lack of centralized buying procedures have been a bane of IT people within the government, and that needs to be fully explained as well. But it would also not hurt for senior managers to take some time to listen and fully engage with their IT people.
Second, contractors must be able and willing to tell the truth about the vulnerability of their systems, and government procurers have to stop beating them up for it. No contractor – no matter how good they are – wants to say their product can’t fully protect the system they are bidding to install and/or proposing to protect. The government must also understand that there is no such thing as 100 percent security in any system – no matter what the promises.
Third, everyone needs to understand that the challenge of internal threats, and of outside capabilities to break into systems, will exist no matter what. This is a simple case of risk management in a risk-averse age. No matter what we spend on security, or how often we give background checks or polygraphs to the information handlers, something is going to happen. If you don’t want your “crown jewels” stolen, limit access to them. But realize that there will always be some form or way to get to them.
Fourth, and finally, this is the moment for a true public-private partnership on the subject of IT security. Both sides need to come together now to discuss best practices in a comprehensive way. The government simply cannot do this on its own. There is too much cutting-edge work going on in the private sector, and government ignorance of the full field of what is available is costing us too much, both in privacy and in the national security threat to its employees.
As much as it is a feel-good exercise to beat up OPM, bouncing off the cyber walls gets us nowhere. We know the problems. It is up to senior members of our government to act swiftly to take care of them.
Ronald Marks is a member of the GW Center for Cyber & Homeland Security’s Board of Directors.