The U.S. State Department As Cybersecurity Innovator?

I was astounded to read Siobhan Gorman's WSJ article that the U.S. Dept of State's approach to cybersecurity (iPost) is so innovative that very well-known cybersecurity firms are requesting their source code. State is a well-known bureaucratic sinkhole but they appear to be paying attention to improving their cybersecurity issues, at least as far as known threats and vulnerabilities go. And that's the rub.

No one should be compromised through a known vulnerability, yet it happens all the time, especially through SQL injection attacks (InfraGard, INSA, Sony, etc.). So while known threats are still a problem, they shouldn't be. And iPost does nothing to protect against the real problem - customized attacks which are specifically built to compromise a targeted network. That's the real risk, not only to State but to government agencies all over the world. So when John Streufert, State's CISO, says something like this - "We know anywhere in the world what our risk is" - then I have serious doubts about State's understanding of risk management. Risk isn't about what you know. Risk is about what you don't know. And iPost, like many other so-called cybersecurity solutions, does absolutely nothing about addressing that problem.

NOTE: You can read the GAO report on iPost here (.pdf).


