Total security against cyber attacks is impossible in the foreseeable future, but secure IT systems are cheaper than insecure ones, a US congressional committee has been told.
Former US Air Force CIO John Gilligan told the subcommittee on government management, organisation and procurement, part of the committee on oversight and government reform, that despite spending billions of dollars on IT security, the nation's computer systems remain vulnerable.
"Our current cyber defence mechanisms are so fragmented and weak that a malicious individual with almost no computer skill can download a 'canned' attack program from the World Wide Web and can cause significant harm to cyber systems in government and industry," he said.
Gilligan said system complexity was one reason why IT security was hard to do. Another was that the Federal Information Security Management Act of 2003 (Fisma) "measured the wrong things".
Fisma had many good points, but its implementation encouraged departments to spend more on compliance than on actually securing systems, he said. Likening Fisma to a treadmill, he said the federal government had "burned a lot of calories" but was still a long way from its destination.
Quoting National Security Agency figures, Gilligan said about 80% of attacks were unsophisticated. The US government had spent "literally billions of dollars per year", but had not implemented basic safeguards against these threats, he said.
A document, "20 Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines", outlined the steps to take against the 20 most common attacks. The US state department had implemented them with growing success, and more departments were following suit, he said.
These "good hygiene" control measures would not ensure that the trillions of logic statements that make up federal computer systems were absolutely correct, but they provided a solid security foundation that would defeat 80% of attacks, he said.
A further control was to use the Air Force-developed Federal Desktop Core Configuration (FDCC). This locked down "out of the box" Microsoft operating systems by ensuring that more than 600 optional settings were configured securely.
"While the FDCC is a good start, we need to duplicate this effort for every other software and hardware component, as advocated in the 20 critical controls," Gilligan said.
Another recommendation was to automate IT asset management. This saved money because departments paid only for software licences they used and could manage their IT stock better.
Locking down systems also cut helpdesk calls and improved system availability. Automated patch distribution cut demands on networks and system administrators, leading to lower staff costs and less system downtime.
Gilligan's experience of applying good hygiene as set out in the 20 controls led him to believe that security benefits came with cost savings rather than extra cost, he said. "This is an example of an ultimate no-brainer for a CIO," he said.