The Field Report
There are 18,000 banking institutions in the U.S., and somebody has to blog about their breaches, concerns and security successes.
While reforming FISMA sounds like a good idea, placing additional administrative burden on security resources that clearly have work to do seems like a step in the wrong direction.
One of the problems is that legislators and regulators have looked to FISMA and a myriad of other mandates to keep systems resilient and secure against emerging threats. This is not a sustainable approach - the "audit and compliance" exercise is simply not suited to dealing with state-sponsored, agile and anonymous groups of attackers with nothing but time on their hands and a high-speed Internet connection. The FISMA effort is just one example of a heavyweight process that emphasizes reporting and audit at the expense of real, substantive progress.
The federal government collectively needs to adopt a forward-leaning, anticipatory mindset, to meet - head-on - an adversary that is very comfortable in an offensive information environment. We need to spend less time talking and reporting about security and more time building security into our culture and technology. With IT security resources so heavily invested in policy, audits and compliance reporting, where is the room for real innovation and progress?
While the damage caused by this incident is being debated, it's important to underscore that these attacks had the potential to be much worse. Sure, the lights are still on, the networks are still up and order has been maintained. But what about next time?
Eric M. Fiterman is a former FBI special agent and founder of Methodvue, a consultancy that provides cybersecurity and computer forensics services to the federal government and private businesses.
Other blogs from Fiterman:
NIST SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems
DoJ: Report to Congress on Implementation of Section 1001 of the USA PATRIOT Act
NIST Guide to Security for WiMAX Technologies (Draft)
NIST SP 800-41 Revision 1: Guidelines on Firewalls and Firewall Policy
OMB Memorandum: New Reporting Instructions for FISMA
NIST IR 709: Cryptographic Key Management Workshop Summary (Draft)