There is growing concern over the U.S. government's lack of robust security infrastructure to ward off cyber attacks, especially with news of the breach at the Office of Personnel Management still fresh.
The OPM breach confirms the ongoing struggle government agencies face in fighting cyber criminals and keeping their computer systems secure. It is, in fact, just the latest in a string of similar incidents that have befallen various government agencies.
Driving this trend is the fact that a large majority of applications used by U.S. government agencies fail to meet prescribed software security standards, and that agencies are slow to patch security flaws once they are found. This is according to a study by Veracode, a U.S.-based application security company.
Veracode noted that on many benchmark scores for security practices, government consistently lags behind the private sector, for a couple of reasons. One is that government agencies still rely on legacy scripting and programming languages that need to be updated.
Some of these, such as ColdFusion, date back to the 1990s and are very old by now. The more modern platforms Veracode compared them against include Java and .NET.
There is also the issue of poor self-regulation and weak enforcement of security policy. Why is this so? Unlike the private sector, the public sector has little sense of competition, so there is little pressure to modernize software.
Keeping old programming languages in use would be tolerable, nonetheless, if security issues were fixed promptly upon detection. The problem with government agencies is the snail's pace at which security flaws are remedied, which leaves known vulnerabilities exposed for longer than necessary.
The government's inordinate focus on compliance also contributes to poor security practices. Instead of basing assessments on actual risk, agencies become preoccupied with satisfying whatever regulations apply, even when those requirements do not address the circumstances at hand.
Third-party applications are also partly to blame. The government's reliance on outsourced software often leads to weak software security because there is no standard requiring suppliers to test their products against the agency's security policies before delivery.
Then there is the shortage of qualified security experts to review applications and software before they are deployed in government agencies.
To address the constant cyber problems facing government agencies, what needs to be done is to evaluate the software supply chain, hold suppliers accountable for the security of what they deliver, and invest in training security experts.