Federal guidelines on how to protect computer systems did just the opposite, a US congressional committee heard.
In a scathing attack on the Federal Information Security Management Act (Fisma), Alan Paller, founder of the SANS Institute, told the subcommittee on government management, organisation and procurement, part of the committee on oversight and government reform, that Fisma slowed down every security process and took away key resources from projects that would allow agencies to act and react quickly to cyber attacks.
Paller welcomed government plans for continuous monitoring of IT systems. "This is the single most important element [of cyber security] you will write into the new law," he said.
Paller said protecting IT systems was like an arms race. "Each time the defenders build a new wall, the attackers create new ways to scale that wall," he said.
He said four "terribly damaging" provisions in federal law had led to wasteful processes that slowed down US defences and "threw away billions of dollars that were acutely needed to protect systems".
The law required clear audit trails, but these had led to "reports that answered the wrong questions", said Paller.
"[They] rewarded ineffective behaviour and created a cadre of people who call themselves security professionals but who proudly admit they cannot implement security settings on systems and network devices or find a programming flaw," he said.
Fisma had created and rewarded a culture of compliance rather than security, Paller said. Federal and state governments were "radically short of money", but they were forced to spend it on reporting rather than security, he said. "Writers who know a few words about security and federal regulations now make 50% to 80% more money than the people who actually secure systems and networks and applications," he said. "It is as if we paid the compliance staff at a hospital more than the surgeons."
The four processes that had led to this situation were the federal information security controls and audit manual, the annual report implemented by federal CIOs and inspectors-general, the certification and accreditation report-writing process and the security controls assessment under Special Publication 800-53, Paller said.
"The people who wrote Fisma, and the people who set up these wasteful processes did not know, and do not know, how the attacks are being carried out and how the threat is changing, so they ask the wrong questions," Paller said.
He said the audits missed key steps in the Center for Strategic and International Studies' Consensus Audit Guidelines. These steps were critical in the eyes of the National Security Agency, US-CERT, the Department of Energy laboratories, the Department of Defense Cyber Crime Center, and forensic IT security specialists "who clean up after attacks and who actively penetrate systems on behalf of the nation".
He said the nation's attention should be on real-time monitoring of its information systems and networks to prevent or mitigate attacks as they happened. "Oversight must be focused on the effectiveness of the agencies' real-time defences," he said. "Anything less continues to waste scarce resources and leaves us unacceptably vulnerable."