Federal networks are only as strong as the people accessing them, which makes humans the weak link in security.
“So long as authentication is based primarily on human-defined and -managed passwords, our systems will be compromised,” said Phil Quade, chief information security officer at Fortinet. “Despite persistent training and warnings, passwords are almost always compromised because they are too easy to guess, used for too long — extending the duration of exposure of compromised passwords — and repeated across different accounts, allowing a compromise on one machine to lead to compromises on others.”
Debra Marchese, vice president of information systems at federal contractor UTRS, said, “Everyone is trying to get a handle on how we protect systems. There are different levels of protection. No matter how many layers of security you have, vulnerability [will] always exist if users don’t have good cyber hygiene and don’t have a vested stake in securing systems. If it’s too difficult, people will find a way around security to get their job done. Bottom line: It comes down to end users.”
From her point of view, proper network security must be part of everyday computer use rather than something that is addressed once a year by top leaders. And the only way to do that is to have an appropriate level of investment in people. Unfortunately, Marchese said that approach runs counter to how the government arranges its priorities.
The first thing agencies take into account is cost. “They’re worried more about cost than people,” she added. “Now we heard that the Obama and then the Trump administrations didn’t want to put funding in place to control the user element. Technical solutions can only go so far.”
Furthermore, multifactor authentication methods are not foolproof, and fingerprint readers and retinal scanners have the potential to be “wonky,” Marchese said. However, Common Access Card authentication might not be too burdensome on a trusted computer if administrators post a certificate on the computer every 30 days using Google Authenticator or something similar, she added.