Report: Agencies need to focus on cybersecurity now--or else

Do something about cybersecurity now. That's the message for federal agencies in a new National Research Council report, "Cybersecurity Today and Tomorrow: Pay Now or Pay Later," which might well be considered a primer on all aspects of cybersecurity.

The report was written by the Computer Science and Telecommunications Board of the National Research Council, the research arm of the National Academy of Sciences, the National Academy of Engineering and the Institute of Medicine.

Herb Lin, the Computer Science and Telecommunications Board's senior scientist, said information technology has become part of the fabric of American life. Therefore, agencies and businesses need to recognize the "sorry state of information security," he said.

The report described the potency of cyberattacks and their potential to destroy the country's critical infrastructure. Cyberattacks "could compromise systems and networks in ways that could render communications and electric power distribution difficult or impossible, disrupt transportation and shipping, disable financial transactions and result in the theft of large amounts of money," it said.

To avoid such crises and improve cybersecurity, the report suggested that agencies:

  • Designate a security coordinator and provide this person with the resources and authority to force agency system administrators to focus on security matters.
  • Ensure "adequate information security tools are available, that everyone is properly trained in their use and that enough time is available to use them properly," and that all personnel are held accountable for their actions.
  • Conduct random, unannounced penetration testing, report the results to managers and fix the problems and vulnerabilities that are found.
  • Design networks, information systems and security architectures "under the assumption that they could be connected to a compromised network or a network that is under attack."
  • Complement a defensive strategy with a disaster recovery plan.