Statistics are handy tools. Slice them one way and mediocre financial figures look rosy; dice them another way and the frontrunner in a tight election falls to the back of the pack.
Stats can even make us feel that we are safer from cybersecurity threats than we really are.
The Government Accountability Office drove this point home in a recent report warning that while agencies might be following the letter of the Federal Information Security Management Act, they were ignoring its spirit: namely, making the government's systems safe from attack.
FISMA, of course, mandates that agencies create, launch and document organizationwide security programs for their information technology.
The metrics for tracking progress include inventorying systems and monitoring the status of contingency plans. And this is no sideline effort: The government spent $4.2 billion last year on IT security programs.
In its annual report to Congress, the Office of Management and Budget, which oversees FISMA compliance, noted some significant progress in the government's security programs last year. For example, 24 agencies had bumped up the number of systems that met important statutory requirements for security—as compared to 2003.
The report also noted that agencies have tested contingency plans for 57 percent of the government's systems. That statistic is a long way from 100 percent, but it still represents pretty good progress, right?
Not necessarily. As GAO points out, not all systems are created equal. Statistics alone don't tell us if agencies have contingency plans for their mission-critical systems or for those that hold the most sensitive data. Perhaps that 57 percent applies only to systems that happen to be the easiest to secure but are of lesser importance from a total security standpoint. We just don't know.
The danger becomes apparent when you consider that many agencies, such as the Internal Revenue Service and the Social Security Administration, routinely collect a host of personal and financial information that requires the highest levels of protection.
These databases are alluring jewels to the dozens of international cybergangs, such as the infamous ShadowCrew, that use leading-edge techniques to commit multimillion-dollar identity thefts and run money-laundering operations.
No Real Value
If an agency focuses its security resources to achieve only quick-hit successes, it can report real although somewhat dubious progress in the overall cybersecurity war. But does that make the agency—and its data—as secure as it should be?
GAO suggests the government needs to take a different approach to validating how safe its agencies truly are against systems attacks.
"Reporting information by system risk would provide better information about whether agencies are prioritizing their information security efforts according to risk," GAO says. Otherwise, "agencies, the administration and Congress cannot be sure that critical federal operations can be restored if an unexpected event disrupts service."
Prioritizing systems according to their value to an agency's day-to-day operations or to the sensitive information they hold should be the first step in a top-down approach to allocating security resources.
Help Is Out There
Agencies can find guidelines for carrying out prioritization efforts in Federal Information Processing Standard 199. For its standard on categorizing systems security, the National Institute of Standards and Technology established three levels of risk based on the potential consequences of a cyberattack. The levels range from high (severe or catastrophic impact) to moderate (serious blow) and low (limited effect).
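To make the column's argument concrete, here is an added illustration (not from GAO, NIST or the original piece) of why reporting by system risk matters: a constructed inventory where contingency-plan testing covers about 57 percent of systems overall but none of the systems that FIPS 199 would categorize as high-impact. The per-system overall level uses the highest of the three impact ratings, the "high water mark" rule FIPS 200 applies to FIPS 199 categories; the system names and ratings are invented.

```python
from collections import Counter
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}  # FIPS 199 potential-impact levels


@dataclass
class System:
    name: str
    confidentiality: str  # impact level for each FIPS 199 security objective
    integrity: str
    availability: str
    contingency_plan_tested: bool


def security_category(s: System) -> str:
    """Overall impact level: the highest rating across the three objectives."""
    return max((s.confidentiality, s.integrity, s.availability), key=LEVELS.__getitem__)


def coverage_by_level(systems):
    """Return (overall_pct, {level: pct}) for contingency-plan testing.

    The headline number is what an aggregate FISMA statistic reports;
    the per-level breakdown is what GAO's risk-based reporting would show.
    """
    tested, total = Counter(), Counter()
    for s in systems:
        lvl = security_category(s)
        total[lvl] += 1
        tested[lvl] += int(s.contingency_plan_tested)
    overall = round(100 * sum(tested.values()) / len(systems))
    by_level = {lvl: round(100 * tested[lvl] / total[lvl]) for lvl in total}
    return overall, by_level


# Constructed inventory: 4 of 7 systems tested (~57%), neither high-impact one among them.
SAMPLE = [
    System("taxpayer-records", "high", "high", "moderate", False),
    System("benefits-payments", "moderate", "high", "high", False),
    System("case-management", "moderate", "moderate", "moderate", True),
    System("hr-timekeeping", "moderate", "low", "low", True),
    System("public-website", "low", "low", "moderate", True),
    System("cafeteria-menu", "low", "low", "low", True),
    System("intranet-wiki", "low", "low", "low", False),
]

if __name__ == "__main__":
    overall, by_level = coverage_by_level(SAMPLE)
    print(f"overall: {overall}%  by level: {by_level}")
```

Run against the sample inventory, the overall figure reads 57 percent while the high-impact tier reads 0 percent, which is exactly the gap the aggregate statistic hides.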
Additional help comes from a NIST IT Laboratory bulletin. The publication describes criteria to help agencies prioritize security strategies and align FISMA goals with capital planning.
According to NIST, agencies first need to consider security at the enterprise level, identifying any IT programs that touch the organization as a whole, such as firewall technology and intrusion detection systems.
Agencies should also collect enterprisewide information about the status, cost and effectiveness of security efforts. NIST notes that similar reporting and evaluations occur at the system level to monitor the security status of discrete technologies that fit into the larger whole.
Prioritization makes logical sense, but we shouldn't fool ourselves into thinking this is a quick fix to better security. Deciding which systems fit into each category will initially be time-consuming for agencies already struggling to find enough resources to handle security smartly. And even when the assessments are in place, they'll still be only a yardstick and not a hard-and-fast rule for gauging cyberrisks.
As technology strategist Christopher Michael points out, "You still wouldn't know if securing one high-risk system is better than, say, securing two moderate-risk or maybe 10 low-risk systems."
Michael's reservations are well taken. Prioritization will take time and won't be perfect. Nevertheless, the effort is worthwhile.
OMB should insist that agencies use the NIST guidelines to amplify the annual security reports required by FISMA and that they structure security plans accordingly. Besides the standard statistics that show overall FISMA progress, OMB should report mission-critical leaders, those agencies that serve as models of IT security prioritization.
Such spot-on stats would provide welcome information to lawmakers who oversee the nation's critical infrastructures and would comfort the public, too.