“Wouldn’t that be delicious — if they attacked us from the inside?”
The “they” in that comment, from a Housing and Urban Development Department techie, are terrorists. And “the inside” no longer refers solely to the brick and mortar walls of agencies but to wherever government data resides, which increasingly includes mobile computing devices.
In this mobile data environment — where a concern is that data could fall prey not only to criminals bent on financial havoc but also to those with more dire designs — the government has stepped up its focus on securing mobile systems. In the wake of recent public incidents in which the theft and loss of systems exposed data to criminal misuse, the Office of Management and Budget re-emphasized what it expects of agencies:
• Encrypt all data on mobile systems that carry agency data, unless the agency’s deputy chief has deemed the information nonsensitive.
• Allow remote access only with two-factor authentication where one factor is provided by a device separate from the computer used to gain access.
• Use a “time-out” function for remote access and mobile devices, so users must re-authenticate to gain access after 30 minutes of inactivity.
• Log all computer-readable data extracts from databases holding sensitive information, and verify that each extract including sensitive data has been erased within 90 days or that its use is still required.
The growing level of data sharing across agencies, which derives in part from federal efforts to improve efficiency and drive down costs, complicates things.
On the technical side, biometrics offers one way to address the two-factor authentication requirement, says Joe Broghamer, acting chief technology officer for the Homeland Security Department. It’s possible because of the work agencies simultaneously have under way for the governmentwide identification cards mandated by Homeland Security Presidential Directive 12, he says.
“People will tell you biometrics aren’t here yet, but they are — granted that the standards for biometrics aren’t firmed up yet,” he says. DHS uses fingerprints as its secondary authentication factor.
But many, if not most, issues hinge on how well people follow the rules. To that end, the newest of the Line of Business initiatives, the Information Systems Security LOB, will prove crucial, says Michael C. Smith, managing partner for the effort.
“Having 24 or 26 agencies with a security awareness program doesn’t make any sense,” he says. Instead, the LOB will tap the two to three best programs and extend them for use governmentwide. Agencies can then be assured that their employees know what they must do, and agencies’ CIO and IT security organizations can focus on enforcement, Smith says, because ultimately, they will still be accountable for the data.