Others say that gap is larger by orders of magnitude.
Aaron Tantleff, a partner in the Cybersecurity Practice at Foley & Lardner, added that given “mass connectivity amongst devices via the Internet of Things, lack of security of all sorts of other devices and the lack of sufficiently trained cybersecurity experts, no wonder there’s vulnerability.”
Second, it is tough for government to manage the online security of critical infrastructure when much of it is in private hands. Instead of mandates, with significant penalties for failure to comply with them, government mainly issues advisories and recommendations.
Third, it is tough for government to compete with the private sector for talent.
“The federal government continues to lag behind because it has to pay IT staff on a government pay scale,” said John Bambenek, manager of threat systems at Fidelis Cybersecurity. “For aspiring and experienced IT staff, the private sector is simply a much more lucrative and attractive career option.”
But experts also say there are things government could, and should, do better. Price said security requires both “protection measures and for our adversaries to be deterred from attacking. We did many things right with regard to the former, but the fact that we are still experiencing foreign hacking says that we have a lot more work to do on the deterrence side.”
Tantleff noted that some vulnerabilities persist “because we elect to maintain them, presumably – oddly enough – for security reasons.”
He pointed to a blog post by Michael Daniel, the former White House cybersecurity coordinator, who argued that “disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.”
Daniel added that it would not be in the national interest to build up “a huge stockpile” of undisclosed vulnerabilities. But, of course, the definition of a “huge stockpile” could generate huge debate.
An obvious way for government to improve would be to update its technology, and experts note that in a budget approaching $4 trillion, surely money exists to improve hardware and software. But they say the political will is lacking.
“When it comes to spending money, security always falls behind other priorities,” Bambenek said. “Updating servers and laptops isn’t as sexy as other spending projects. No congressman ever attended a ribbon cutting for a shipment of new computers.”