Debate Over State's Cyber Strategy

Michael Ono <a href="http://huffpostfund.org/blog/2010/08/22/cyber-security-state-department-model-or-cautionary-tale">posted a column</a> on Sunday at <em>The Huffington Post</em> citing an April inspector general report criticizing the State Department's alternative cybersecurity practice of continuous monitoring. The process is an alternative to the long reporting cycles required in the 2002 Federal Information Security Management Act.

The (relatively) new cyber strategy, pioneered by State Department Chief Information Security Officer John Streufert, has been held up as a better way to protect systems because it requires information security managers to focus on securing systems against known threats. But Ono wrote that the inspector general found "automated security tools failed to monitor department firewalls and databases, problems that could allow access to hackers and spies. A poorly configured database also could compromise private U.S. passport information that the department stores."

Ono said The Huffington Post Investigative Fund interviewed some cyber experts and found some critical of the report. One of the sharper quotes came from Fred Schneider, a computer science professor at Cornell University and a member of the Information Security and Privacy Advisory Board for the National Institute of Standards and Technology:

It's like complaining about somebody who discovered a cure for cancer because it's not also a cure for the common cold.
