The federal government is scrambling to find a way to respond to security breaches. But it lacks the expertise to cope with the magnitude of the threat, says an Ottawa-based cloud security expert.
The solution, says Graham Thompson, a Canadian partner of the global Cloud Security Alliance (CSA) who trains organizations in how to secure cloud environments, is to hand over the reins to managed service providers.
During the early days of Canada’s Shared Services initiative, the government consulted him on their security implementation guidelines for the new network model they were considering. He saw their lack of in-house security talent first-hand. Part of the reason for it, he says, is that the federal government is taking too broad of an approach to training people for a highly specialized field.
Its training protocols for IT security professionals were similar to those for other government systems that were far less dynamic, says Thompson: taking “the same training attitude for security people as we do for e-mail people—it just doesn’t work.”
Unlike managing a corporate e-mail system, which might only require occasional updates, in the security field, “there are new threats coming out every day. Thousands and thousands of threats are hitting the Internet every day, and you really need the capabilities that I just don’t see being easily obtainable.” This includes DDoS attacks, among other dangers.
“I would say, based on what I’ve seen within the government, they would be much better positioned from a security perspective by using a vendor,” he added. Nobody can stop every security breach at the gates, but private companies have a very strong incentive to respond quickly to mop up after incidents occur. A managed services provider is “going to live and die based on their response,” says Graham.
Whereas a government’s internal investigation might produce a report on lessons learned and, at worst, result in someone getting fired, a contracted company has its bottom line and its reputation at stake. With a sea of other vendors to choose from, its business relationship with the federal government could disappear nearly overnight if it fails to meet expectations. “If you’re outsourcing Security-as-a-Service, it’s so easy to migrate. It’s trivial,” says Graham.
Privacy concerns, on the other hand, are anything but trivial. In an August 2012 research paper titled Distributed Security as Cyber Strategy: Outlining a Comprehensive Approach for Canada in Cyberspace, University of Toronto professor Ron Deibert suggested that security providers will be expected to be more transparent about the DDoS attacks, botnet invasions and other IT security incidents they battle.
“As more and more data is entrusted to third parties, governments may have to consider passing laws that put more responsibilities on those third parties to properly secure and handle that data,” he wrote. However, “the lack of frank and timely public disclosure about data breaches, and commitment of adequate resources to data security, are major security issues.”
But Deibert is also critical of the government’s “meagre explanations” of what practical steps of its own it plans to take to address cyber-security. Since no central authority can control the actions of all the individuals and the private- and public-sector institutions on the Internet, he recommended a “distributed security” approach, with responsibility shared among all the different actors.
If there’s any consensus among commentators about government’s handling of network security, it’s that it isn’t doing enough. Suggestions and recommendations are coming from all quarters, but none of them have resulted in a coherent strategy yet. It begins by understanding needs. If the government can offer managed service providers a concrete list of requirements around data security – or work with them in exploring those needs – they should be happy to oblige. Their business, after all, is contingent on meeting client requirements. If they fail to do so, they know how easily they can be replaced.