Government Cyber Efforts May Focus on Wrong Things


Focusing solely on cybersecurity practices to prevent breaches won’t result in the security that government agencies need, according to Dale Meyerrose, former chief information officer and information sharing executive for the U.S. Intelligence Community.

“We talk about cybersecurity as if that is the end. It is not. I don’t care about cybersecurity. I care about protecting the enterprise, I care about protecting the activity, I care about protecting the value,” said Meyerrose. “Cybersecurity in and of itself cannot fix the issue.”

Dale Meyerrose (Photo: LinkedIn)

Meyerrose, who spoke Tuesday at the Cyber Resilience Summit in Reston, Va., said most security professionals think of a network as a physical boundary to be defended, a model that does not hold in cyberspace.

“They don’t want your network, they want the stuff that’s in your network. So why are we protecting the network?” he said.

According to a Department of Defense inspector general report, 87 percent of intrusions into DoD networks involved employees and insiders, a figure that covers both malicious activity and accidental exposure by privileged users.

“Insider behavior accounts for 90 percent of all hacks and attacks,” said Meyerrose. “It’s social engineering by and large. It’s acts of omission and commission. Why do we give cybersecurity problems to cybersecurity professionals when they can’t fix it in the first place?”

Meyerrose also criticized the hiring and education practices of the U.S. government, arguing that the common requirement that workers hold a university degree is impractical because many of the best cyber experts have no degree and universities are reluctant to establish cyber programs.

“The United States’ higher education system doesn’t produce people that work in that business,” Meyerrose said, adding that he has worked with universities throughout his career and struggled to sell degree programs that focus entirely on cybersecurity.

By contrast, industries that often hire employees without much higher education, such as the video game industry, respond to threats in about a week, he said, compared with the government's average of two years.

“The best cybersecurity folks in any industry are in the video game industry,” said Meyerrose.

He explained that another problem in government cybersecurity is the antagonistic treatment of industry contractors, who are expected to fail before they have even begun.

“Those tribal attitudes exist and exist more often than not,” Meyerrose said. “Out in the corporate world, when you take on a partner, you’re a partner. You’re not treated like the enemy.”

Ultimately, Meyerrose said leadership needs to invest more directly in changing the cybersecurity culture and practice of their organization.

“I truly believe we’ve got to change the cybersecurity business; we’ve got to change the software business,” said Meyerrose.

About Jessie Bur
Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.
3 Comments
  1. Anonymous
    Having worked with Dr. Meyerrose, MGEN ret, over the past two decades, I was delighted with his articulation of the real cyber situation facing the federal govt. As promised, he did not sugar coat the problem, and called out the many flaws of the current thinking being driven by the Defense Industrial Base actors. Thank you Dale for your continued thought leadership and support of the IT-AAC efforts to usher in new thinking and standards of practice outside the reach of the DIB power brokers. John Weiler, IT-AAC
  2. Anonymous
    Digital Rights Management can protect the actual data. It is an excellent solution when someone tries to physically take your data. Data is encrypted at the file level in a manner that requires a user to validate the level of rights they have to the data before it is decrypted. Even then, a user cannot do anything they want with the data. The ability to restrict what the user can do, i.e. only view and not print, copy, modify or delete is possible. I have never understood why we do not use this to provide the final layer of security to protect our most valuable data...
  3. Anonymous
    Excellent topic. Where I might contribute is the observation that our focus is the protection of enterprise information and the assumption that THE INTERNET is the only way to interconnect the Enterprise. The competing demands for greater remote work flexibility and higher levels of engagement, security and oversight present real structural problems if we maintain this assumption. A more functional, secure and cost effective use of networks can be seen in the Air Force's recent implementation of an Intranet architecture. Understanding the relevance for strategic employee deployment (think COOP) and secure network infrastructure of Enterprise Centers might create a Plan B "Safe Harbors" approach to the current Plan A "Manage the Tides of the Internet".
