News

RSA: Users, Not Technology, Are Security's 'Weak Link'

• By William Jackson
• April 22, 2009

"We have to depend on interoperability" for cybersecurity, said Christopher Garcia, director of the Transportation Department's Cyber Management Center. "From a defense-in-depth standpoint, it is important to have multiple products and multiple layers of defense."

Garcia was part of a panel of government and industry experts critiquing interoperability at the RSA Security conference. They concluded that it often is not the technology that interferes with interoperability.

"The products themselves are not the weak link," said Richard George, technology director of the National Security Agency's Information Assurance Directorate. "It is the people who are the weak links. It's not always a technical issue. It is also a management issue and sometimes a leadership issue."

A lack of relationships between stovepipe organizations often blocks the exchange of needed information. Other times, it is a lack of knowledge and understanding of the technology.

"The interoperability piece is a difficult piece," said William Billings, chief security officer of Microsoft Federal. "The more I interoperate, it drives the security portion down."

Microsoft participates in an Interop Vendors Alliance that works with other vendors and with customers to identify and address issues of interoperability. But users need to distinguish between an inability of tools to share information with each other and a lack of training for staff, Billings said. The tools often will share the needed data. "The hard part is how to get the IT staff to pull that out."

Interoperability across organizational boundaries can be more of a problem than interoperability between two different products. Each organization tends to consider itself and its needs as unique, requiring special technologies rather than standardized ones.

George called that attitude "the bane of interoperability. You can't have special people with special needs."

That has led to a culture of stovepipe rather than interoperable solutions, he said. "We have a history of making things that are supposed to work together not work together," he said. "History is not on our side. In the modern world, we count on the vendors" to provide off-the-shelf products that will overcome this.

But on the vendor side, the problem of unsupported and incompatible legacy systems is a barrier to interoperability.

Garcia called interoperability with legacy systems "one of the keys to success" in securing systems. Overall, interoperability is getting better, he said. "But legacy is still a problem." Agencies can't keep up with the change of new products and old products that no longer are supported.

Billings said that many new security features cannot be ported to previous versions of tools because there are too many differences between the versions. The Windows XP and Vista operating systems "were built in different ages," he said.