Heartbleed raises IT issues for federal government
The discovery of the Heartbleed vulnerability is one of the most significant cybersecurity events in recent years. Heartbleed (CVE-2014-0160) is a missing bounds check in the TLS heartbeat extension of the widely used OpenSSL encryption library: an unauthenticated peer can make a vulnerable server return up to 64 KB of its process memory per request, and that memory can contain session cookies, passwords and even the server's private key. The flaw put a huge number of organizations at risk of data exposure.
One organization that was particularly affected by this revelation was the U.S. government, as NextGov contributor Jason Thompson reported. The writer noted that OpenSSL has played an essential role in the development of government services over the Internet, and that this cybersecurity issue raises serious questions about the viability of open source solutions in the public sector, and the general risks posed by an increasing reliance on various IT initiatives. At the very least, a renewed focus on cybersecurity efforts is likely necessary for government agencies.
Open source and the federal government
The writer asserted that while Heartbleed was the most significant, obvious open source security issue to emerge, there is additional evidence to suggest that these solutions may not be sufficiently protected for government agencies.
A key example of the danger posed by Heartbleed in the federal sphere concerns cryptographic keys. Thompson pointed out that Secure Shell protocols operate in the background of most government networks, providing cybersecurity by encrypting connections and controlling access to sensitive agency data. Shortly after the disclosure, the website security company CloudFlare challenged hackers to use the Heartbleed vulnerability to steal the private key of a deliberately vulnerable web server. Four researchers accepted the challenge and succeeded, proving that leaked memory really does include key material. One caveat the reporting glosses over: SSH does not use the TLS heartbeat extension, so OpenSSH servers were not directly exploitable by Heartbleed. The risk to Secure Shell keys is indirect, through any key material or credentials that happened to sit in the memory of a vulnerable TLS process.
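To make the memory disclosure concrete, the following is an added illustration, not OpenSSL's code and not part of the original article. It models a heartbeat record as type (1 byte), payload length (2 bytes, big-endian), payload and 16 bytes of padding, as RFC 6520 lays it out. The "server memory" is a constructed byte array with a planted secret next to the record; the two handler functions and their names are assumptions for this demo. The vulnerable handler trusts the length field inside the message; the hardened handler checks that field against the length of the record that was actually received, which is the shape of the upstream fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_PADDING 16   /* RFC 6520: at least 16 bytes of padding after the payload */

/* Constructed server memory (not a real capture): a heartbeat request whose
 * length field claims 64 payload bytes while only 4 follow, then 16 bytes of
 * padding, then a secret that happens to sit next to the record in the same
 * process, followed by zeros. The array is larger than any copy below so the
 * demo stays inside its own allocation while still reading past the record. */
static uint8_t server_memory[256] = {
    0x01,                 /* type: heartbeat_request */
    0x00, 0x40,           /* payload_length = 64 (the lie) */
    'p', 'i', 'n', 'g',   /* the 4 payload bytes actually sent */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* padding */
    'S','E','C','R','E','T','-','K','E','Y','-','D','A','T','A','!'
};
/* Number of bytes the record layer actually delivered for this record. */
#define LYING_RECORD_LEN (1 + 2 + 4 + HB_PADDING)
static const char secret[] = "SECRET-KEY-DATA!";

static uint16_t read_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable handler: uses the length field from inside the message and
 * never compares it with the length of the record that was received. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    uint16_t payload = read_u16(rec + 1);
    (void)rec_len;                     /* the bug: rec_len is never consulted */
    if ((size_t)payload > out_cap)
        return -1;
    memcpy(out, rec + 3, payload);     /* copies past the real end of the record */
    return (int)payload;
}

/* Hardened handler: header + claimed payload + padding must fit inside the
 * received record; otherwise the message is silently discarded. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;                     /* too short to carry a length field and padding */
    uint16_t payload = read_u16(rec + 1);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                     /* length field lies: discard */
    if ((size_t)payload > out_cap)
        return -1;
    memcpy(out, rec + 3, payload);
    return (int)payload;
}

/* Does a buffer contain the planted secret? */
static int contains_secret(const uint8_t *buf, size_t n)
{
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, secret, slen) == 0)
            return 1;
    return 0;
}

/* Argument-free wrappers so each outcome can be checked directly. */
int vulnerable_leaks_secret(void)
{
    uint8_t reply[128];
    int n = heartbeat_vulnerable(server_memory, LYING_RECORD_LEN, reply, sizeof reply);
    return n > 0 && contains_secret(reply, (size_t)n);
}

int fixed_rejects_lying_record(void)
{
    uint8_t reply[128];
    return heartbeat_fixed(server_memory, LYING_RECORD_LEN, reply, sizeof reply) == -1;
}

int fixed_accepts_honest_record(void)
{
    /* Constructed honest request: the length field matches the 4 bytes sent. */
    uint8_t honest[1 + 2 + 4 + HB_PADDING] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t reply[128];
    return heartbeat_fixed(honest, sizeof honest, reply, sizeof reply);
}

int main(void)
{
    printf("vulnerable handler leaks the secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler discards the lying record: %d\n", fixed_rejects_lying_record());
    printf("fixed handler echoes honest payload bytes: %d\n", fixed_accepts_honest_record());
    return 0;
}
```

The single comparison in the hardened handler is the entire fix; everything the attacker gains comes from the server echoing back more bytes than it was sent. Note that the check must be done against the record length reported by the record layer, not against any value the peer controls.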
For this and other reasons, identity and access management is seen as a major cybersecurity concern for the federal government, Thompson asserted. The rise of machine-to-machine activity has required a much greater emphasis on IAM control in order to determine which end-points can access a given IT resource. Manual authorization is simply not a viable option when there are so many automated connections on government networks.
"Machine-to-machine data transfers require a secure encrypted channel," the writer explained. "For this reason, most of the identities that enable these processes use Secure Shell for authentication and authorization. However, holes exist in the governance of identities that use Secure Shell."
This puts a wide range of government IT assets at risk of a data breach.
As the writer pointed out, these issues are not limited to open source. Third-party hackers will eventually discover a given software solution's vulnerabilities, no matter how well-designed it is. There was nothing unique about OpenSSL and the Heartbleed flaw other than how widely the library is deployed and how easily the flaw can be exploited from the network; there is no inherent cybersecurity issue associated with OpenSSL or open source software in general.
But that doesn't mean that federal leaders should simply shrug off Heartbleed as an unavoidable problem. On the contrary, agencies should use this occasion to reconsider their approach to cybersecurity, shoring up their defenses wherever possible.
When it comes to open source, there are a number of specific cybersecurity issues for agencies to consider, according to Thompson. These include whether the software is being monitored effectively, how frequently encryption keys are rotated and whether the solutions are supported by third-party vendors. The key rotation point matters more than it might appear: because Heartbleed can leak a server's private key, patching OpenSSL alone is not enough, and any key or certificate that was live on a vulnerable server should be treated as compromised and reissued, with existing sessions and credentials invalidated.
This last point is particularly critical. As government agencies continue to rely more on IT services to deliver mandated performance, there is a serious shortage of IT professionals within the public sector. As IT adoption outpaces IT expertise, the potential for serious complications rises. Government entities can mitigate this risk by working closely with third-party IT services providers and consultants to ensure that data migration and other aspects of implementation and deployment are handled as securely and smoothly as possible.