Our befuddled government has boldly decided to update cybersecurity guidelines that were issued in 2000, apparently finally cognizant that online security no longer needs to be concerned with dial-up access and bulletin boards. Now we can all thrill to tedious documents detailing the existence of “insider threats” and how to deal with them. Ideas include monitoring of users by superusers. Should we tell them Edward Snowden was a sysadmin with precisely that kind of access?
Some of the draft minimum requirements in the rewrite are aimed at reducing “the potential for abuse of authorized privileges” and “the risk of malicious activity without collusion.” In addition, agencies should “continuously monitor, log and audit” the network activities by “privileged users” with sweeping access “to detect misuse and to help reduce the risk from insider threats.”
You’ll be cheered to learn that encryption is now recommended except when not feasible. However, many government systems are so paleolithic, like OPM, which was broken into, that they don’t support encryption and don’t have the money to upgrade.
Secure government systems will require sending billions to upgrade governmental IT, including creaky COBOL programs originally written when JFK was president. That’s the reality of governmental IT today.