Security officials play nice

They have no choice, since they can't force network users to plug holes.

Federal agencies are deploying more sophisticated network scanning tools than ever before. But even high-level information security officials often have little power — other than persuasion — for getting network users to plug the security holes identified through scans.

The situation that information security officials described today at an event in Washington, D.C., was no surprise to anyone familiar with the way large bureaucracies such as the Department of Veterans Affairs or the Federal Aviation Administration operate.

Pedro Cadenas Jr., the VA's chief security officer, said his office and the VA's Inspector General's Office are the only two groups within the VA that are authorized to run scans of the entire wide-area network. But Cadenas has to rely on "friendly reminders" to get others to fix the security problems those scans turn up.

"We're not writing any tickets," Cadenas said.

Friendly reminders, however, have proved fairly effective, he said. When information security staff members can say with authority that they have discovered rogue devices attached to the network, or open connections that should be locked down but are not, the owners of those devices and connections usually fix the problems, he added.

Open connections, meaning paths by which traffic can pass between the internal network and the Internet without going through the sanctioned perimeter controls, are often referred to as leaks. VA officials found several thousand leaks along their perimeter on a recent scan of their network, Cadenas said. For that and for subsequent scans, Cadenas' staff used a scanning tool made by Lumeta Corp., the company that sponsored the security seminar.

Cadenas said the VA operates under unusual security constraints with regard to medical devices attached to its network. Information security staff members, for example, have no authority to apply security patches to the computers that control medical devices. Unpatched computers are vulnerable to infection by malicious code such as the recent Sasser worm, which spreads with no user interaction by exploiting a flaw in the Windows LSASS service over TCP port 445, so an unpatchable machine is only as safe as the network around it.

The recent Sasser worm infected 192 of the VA's machines, Cadenas said. This was a light hit, considering the 240,000 employees who are connected to the VA network.
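When a machine cannot be patched, the fallback is to notice the moment it starts propagating. The following is an added example, not code from the article, the VA or Lumeta: it runs over constructed connection-log lines (the log format, the IP addresses and the `authorized` allowlist are assumptions) and flags hosts that open TCP/445 connections to many distinct peers in a short window, which is how Sasser spread, and notes whether the same host is also serving its copy on TCP/5554, the FTP listener Sasser started on infected machines. The allowlist exists because authorized scanners, such as the two VA offices mentioned above, look exactly like a worm to this kind of check.

```python
"""Spot Sasser-style propagation in connection logs (added example).

Not code from the article or from the VA. Record format and addresses are
constructed for illustration: "<ISO timestamp> <src ip> <dst ip> <dport> <proto>".
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse(line):
    """Split one constructed log record into (timestamp, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def find_scanners(lines, threshold=20, window_seconds=60, authorized=frozenset()):
    """Return {src: info} for hosts that touched at least `threshold` distinct
    peers on tcp/445 within `window_seconds`. Hosts in `authorized` (assumed
    list of sanctioned scanners) are skipped. `served_5554` records whether
    some other host connected back to the flagged host on tcp/5554, the port
    Sasser's FTP component listened on to hand out the worm body."""
    by_src = defaultdict(list)   # src -> [(ts, dst), ...] for tcp/445
    served_5554 = set()          # hosts that received a tcp/5554 connection
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport, proto = parse(line)
        if proto != "tcp":
            continue
        if dport == 445 and src not in authorized:
            by_src[src].append((ts, dst))
        elif dport == 5554:
            served_5554.add(dst)

    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, events in by_src.items():
        events.sort()
        # Slide a time window over the host's 445 connections, counting distinct peers.
        for i, (t0, _) in enumerate(events):
            peers = set()
            for t, dst in events[i:]:
                if t - t0 > window:
                    break
                peers.add(dst)
            if len(peers) >= threshold:
                hits[src] = {
                    "peers": len(peers),
                    "first": t0.isoformat(),
                    "served_5554": src in served_5554,
                }
                break
    return hits


def build_sample_log():
    """Constructed sample traffic (not real VA data)."""
    lines = []
    # Infected host: 25 distinct targets on tcp/445 within 25 seconds.
    for i in range(25):
        lines.append(f"2004-05-03T09:00:{i:02d} 10.1.9.77 10.1.{i + 1}.5 445 tcp")
    # A freshly exploited victim fetching the worm body from the attacker's FTP listener.
    lines.append("2004-05-03T09:00:30 10.1.3.5 10.1.9.77 5554 tcp")
    # Ordinary SMB use: one workstation talking to three file servers.
    for i, srv in enumerate(["10.1.0.10", "10.1.0.11", "10.1.0.12"]):
        lines.append(f"2004-05-03T09:01:{i:02d} 10.1.4.22 {srv} 445 tcp")
    # Slow inventory poll: 25 hosts on tcp/445, but five minutes apart, so no window trips.
    for i in range(25):
        t = datetime(2004, 5, 3, 10, 0, 0) + timedelta(minutes=5 * i)
        lines.append(f"{t.isoformat()} 10.1.0.200 10.1.{i + 1}.9 445 tcp")
    return lines


if __name__ == "__main__":
    for src, info in find_scanners(build_sample_log()).items():
        print(f"{src}: {info['peers']} peers on 445 from {info['first']}, "
              f"serving on 5554: {info['served_5554']}")
```

The window matters as much as the threshold: the slow poller in the sample touches as many hosts as the worm but never trips the check, while a real Sasser victim burns through dozens of addresses a minute. Run this over the sources of a perimeter or core flow log, and the hits are the machines to isolate first, patched or not.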

Tom O'Keefe, deputy director of the FAA's cybersecurity office, who also spoke at the Lumeta event, said he could not disclose the number or kind of vulnerabilities FAA officials discovered when the agency ran its first security scan. Like Cadenas, O'Keefe said all that his staff members could do with the findings was "just cajole."

More worrisome to O'Keefe, however, is that the FAA needs an influx of talented security people who can understand and use such tools. There are no reserve players when it comes to government information security, O'Keefe said. Prospective employees "are all going someplace else," presumably into private-sector jobs, he said.

Trying to lure talented people into government to handle the challenging but "cool job" that awaits them in the FAA is one of O'Keefe's biggest challenges, he said.