Cybersecurity is, of course, very hard for any number of practical reasons, ranging from the complexity of the attack surface to the sophistication of persistent threats. And then, of course, there is the "theater of the absurd" division of reasons why protecting the Federal government domain is so hard. Consider this opinion from the Federal Labor Relations Board (published in July 2014, but of which I just recently became aware). It holds that a Federal agency may not cut off employee access to external email as a cybersecurity measure without first seeking to negotiate the question and get union approval:
This is, to my mind at least, absurd. Though access to outside email is clearly a "working condition" and thus of interest to employees and unions, to make an increase in network security subservient to those interests (as if it were to be bargained for in exchange for a longer lunch hour) is emblematic of the systematic difficulty that the Federal government has in modernizing its approach to all things cyber.
Not surprisingly, the House of Representatives soon moved to correct this problem, considering a bill that would authorize agencies under FISMA to protect their networks irrespective of any union concerns. Sadly, however, the bill which seems to be nothing more than common sense, has languished because of partisan wrangling. Originally HR 4361 was a stand-alone bill that was reported out of House Oversight and Goverment Reform in March 2016. Later (in July 2016) it was bundled as part of a larger package of bills and sent to the Senate. The bill report (H. Rept. 144-599) provides more detail.
Senator Ernst’s companion bill is S.2975. Though it was reported out of the Senate Homeland Security and Governmental Affairs Committee in September 2016 it has yet to be considered on the Senate floor. And it is not likely to be considered. As this letter reflects, the NTEU opposes the bill vociferously. As a result it was opposed by the Democratic members of the House and will likely be opposed in the Senate:
And there you have it ... a perfect expression of why the Federal government can't do cybersecurity. Its ancient ways of thinking and responding just get in the way.