WASHINGTON (AP) — Leaders from across the District of Columbia municipal government gathered last April for a summit on cybersecurity, where they agreed in writing on the need to improve computer safety training for its workers. Yet nearly a year later, no organized, across-the-board training is offered for employees even though electronic data theft from governments is on the rise.
Information technology experts see training as a vital component of cybersecurity and D.C. officials acknowledge their own employees should be better educated on computer use, especially as governments face increasingly sophisticated cyber-threats and as human errors have contributed to widespread data breaches.
But officials say they’ve put plans for such training on the back-burner while they continue efforts to improve network security, including through new tools and products as well as additional levels of monitoring and inspection. Those improvements are more efficient and longer-lasting than educating thousands of workers who may not be in their jobs permanently, contends Rob Mancini, the District’s chief technology officer
Dc government employees not yet offered cybersecurity
1. WASHINGTON (AP) — Leaders from across the District of Columbia municipal
government gathered last April for a summit on cybersecurity, where they agreed in
writing on the need to improve computer safety training for its workers. Yet nearly a year
later, no organized, across-the-board training is offered for employees even though
electronic data theft from governments is on the rise.
Information technology experts see training as a vital component of cybersecurity and
D.C. officials acknowledge their own employees should be better educated on computer
use, especially as governments face increasingly sophisticated cyber-threats and as
human errors have contributed to widespread data breaches.
But officials say they’ve put plans for such training on the back-burner while they
continue efforts to improve network security, including through new tools and products as
well as additional levels of monitoring and inspection. Those improvements are more
efficient and longer-lasting than educating thousands of workers who may not be in their
jobs permanently, contends Rob Mancini, the District’s chief technology officer.
“You don’t start talking about what people should do unless you know you’ve got
protections in place to help,” Mancini said in an interview. “You don’t go educating users
until you’ve got something behind it.”
2. The federal government has identified cybersecurity as a critical
priority, unveiling new efforts to fight the theft of trade secrets and discourage
intellectual property theft. In his State of the Union address, President Barack
Obama urged Congress to pass legislation to help protect computer networks from
attack and warned that American enemies are exploring ways to sabotage the
power grid, financial institutions and air traffic control system. Companies including
Facebook, Twitter, Microsoft and Apple have been recently hacked, as have
financial services companies that maintain credit card account information.
State governments, repositories of personnel information, financial
data, emergency operations plans, health care records and other documents, are
particularly vulnerable targets. A 2012 study by the Deloitte consulting firm and the
National Association of State Chief Information Officers found that less than a
quarter of the state information security chiefs felt confident in their state’s ability to
protect data from an outside threat.
D.C. officials, recognizing the problem, organized an exercise last April to
gauge the government’s cyber-attack readiness.
A section of the after-action report, obtained by The Associated Press
through a public records request and marked “exercise sensitive,” identified as a
primary area for improvement “cyber-security training for District employees at the
awareness, performance, and management levels” and said participants had agreed
on the need to raise employee workforce education efforts. But in responding to
follow-up requests for written cybersecurity training materials that are provided to
employees, neither the office of chief technology officer nor the homeland security
agency said they had documents to produce.
3. D.C. Homeland Security Director Chris Geldart said D.C. was studying
other jurisdictions’ best practices, acknowledging, “We need to improve on this.”
Paul Quander, the deputy mayor for public safety, said he believes some
employees have received some type of training and that notices and alerts about
cybersecurity are distributed on occasion within the government. But he said he’s
not convinced training is the most efficient safeguard, in part because of employee
turnover, and that he’d prefer a system-wide approach that lessens the chance of
an employee error opening the door to a cyber-attack. He declined to elaborate on
the record.
Though there’s no guarantee a tech-savvy workforce can thwart an
Internet attack, experts say cybersecurity education is increasingly important as
adept hackers, capable of preying on a computer user’s mistake, judgment lapse
or open social media account, develop more tools to penetrate government
websites.
When it comes to cybersecurity, “the weakest link can impact an entire
network,” said Eric Chapman, deputy director of the Maryland Cybersecurity
Center at the University of Maryland.
“If you have one user who’s fundamentally unaware of what a spear-
phishing email looks like, the entire enterprise is vulnerable,” he added, referring to
a ploy in which computer uses receive legitimate-looking emails that offer plausible
explanations for requesting personal data, along with a link. Hackers can gain
access to sensitive data once the recipient clicks on the link.
Breaches frequently involve a degree of human error.