New disruptive cyber attacks are on the near-term horizon, said Deputy Defense Secretary William J. Lynn III.
“We have not seen much destruction in terms of cyber threats, but we will,” Lynn said.
Cyber security professionals have always expressed concerns over the proliferation of advanced cyber weapons, but those fears are coming closer to reality. These cyber weapons have spread down to the low end of the capabilities spectrum and also horizontally, to the point where just about any type of group or individual can bear cyber arms, according to the deputy secretary.
Lynn said the need for the private sector, which owns or operates 85 percent of the U.S. critical infrastructure, to be on board in defending its systems is paramount.
With that in mind, a new report from the IBM Center for the Business of Government said agencies should move away from a “negative approach” to discussing cyber security.
“Much if not all of the public discussion about security provides little or no insight into encouraging positive behaviors, as opposed to discouraging negative activities,” the report said.
The report offers advice for fostering greater security consciousness among workers. Some report suggestions include reminding employees not to write passwords on scraps of paper, discouraging non-work-related chain emails and instructing employees to put sensitive documents away when they leave their desks.
Other guidance from the report, however, provides insight into public sector information management. For example, while many government employees know they shouldn’t install software without proper evaluation and approval, many would not think twice about delaying an approved software update. “Organizations should communicate to employees that updates should be applied as soon as possible on agency workstations and that they must not wait before applying the requisite changes,” the report said.
The report also suggests there should be common guidelines for the security education, training and awareness programs conducted at government agencies. A standard would formalize security efforts government-wide and improve security outcomes.