It seems like we read about government agencies losing data nearly every day.
First came the news in early summer that thieves had their hands on personally identifiable information for 26.5 million veterans, data stowed on a notebook PC stolen from the home of an employee of the Veterans Affairs Department (my former employer). Then, soon after, the world heard about data losses and compromises of personal information by the National Nuclear Security Administration, District of Columbia, Agriculture Department, Internal Revenue Service and Navy. The scary thing is that these incidents are the tip of an ugly iceberg. There are undoubtedly more incidents that have yet to surface publicly.
And even though the notebook containing the stolen VA data has since been recovered, there can be no assurance that a forensically savvy thief has not mirrored the hard drive. Nonetheless, the root causes of these data-loss incidents remain and won't go away unless senior officials take some drastic measures.
Overall, information security in the federal government is in bad shape. Part of the problem results from government enterprises being huge and highly decentralized. The complexities of putting robust information security programs in place across large, geographically distributed enterprises are enormous. Contributing to this problem is a lack of understanding by Congress and the Office of Management and Budget. Neither one has the experience and expertise of a true information security practitioner on its staff, and the result of that practical inexperience is the Federal Information Security Management Act of 2002.
FISMA should provide an actionable framework by which all agencies establish, manage and measure information security programs. Unfortunately, the law mandates that agencies measure the wrong things in the wrong way. For example, an agency can receive 20 points of its annual FISMA grade for certifying and accrediting its systems, but certification and accreditation (C&A) is a paper process that documents the acknowledgment and acceptance of risk. It is therefore possible for an agency to have 100 percent of its systems undergo a valid C&A and yet not have one secure system. Another 10 points of the annual FISMA grade are assigned for training all agency employees in security awareness, but the points are assigned merely if all employees receive training and not on the content, effectiveness or results of the training.
Comptroller general David M. Walker told the House Government Reform Committee this summer that more must be done to help agencies gather the right information. "We have made recommendations previously to OMB and agencies to ensure they are adequately addressing privacy issues, including through the conduct of privacy impact assessments," he says. "We have also recommended that OMB implement improvements in its annual FISMA reporting guidance to help improve oversight of agency information security programs."
But the lawmakers who crafted FISMA failed to specify an extremely important organizational issue that is at the heart of most agencies' security challenges: decentralization versus centralization of security management. The culture at many agencies resists centralized authority, and senior executives who are the custodians of the culture do not realize that a central authority can best and most efficiently manage IT and information security.
The House Veterans Affairs Committee has approved a bill that would call for centralized security at VA, despite the department's current efforts to move toward a federated approach, which is in line with the broader governmentwide eAuthentication initiative. As a Congressional Research Service report this summer about the VA data loss notes, "It was the view of HVAC that VA should maintain a centralized IT management system to maintain control of all IT-related assets, and that a federated model would not optimize IT support and service delivery."
FISMA also fails to give the CIO and chief information security officer (CISO) enforcement authority and the ability to hold people accountable for violating security policies and directives. The law uses the word "ensure" rather than "enforce." According to the VA general counsel, "ensure" gives the CIO no authority and the conscious avoidance of "enforce," which is used in other, similar legislation, reinforces this lack of authority. House Veterans Affairs learned this distinction during hearings this summer about the data-loss incident, and the chairman, Rep. Steve Buyer (R-Ind.), has approached House Government Reform about amending FISMA to resolve this problem.
But FISMA problems aside, it's clear from Congress' annual security grades that security controls simply are not in place to prevent data breaches. The most recent ratings gave the government an overall grade of "D+", which would indicate that many agencies continue to struggle with security.
Where to Begin
Given the complexity and enormity of the security challenge, how can a CIO or CISO begin to improve security? To stimulate agencies to take corrective action, OMB issued a memorandum on June 23 recommending use of data encryption, two-factor authentication and time-out functions if users access information remotely. These are good recommendations, but that's all they are.
The good news is that some agencies are doing these things already. For example, Interior Department CIO Hord Tipton says, "Many of the requirements listed by OMB are already in place in Interior, although we have varying flavors of implementation and compliance. Each year, our programs for privacy and security become more tightly aligned with a constantly improving technical architecture that leads to constantly improving security."
Unfortunately, security practitioners across the executive branch are usually relegated to treating symptoms because their ability to get at the heart of information security problems generally exceeds their authority. The real problems — fragmented and decentralized information security management and the inability to enforce policies and directives under FISMA — cause senior federal information security practitioners to approach their day-to-day duties with tied hands. If agencies can follow the five steps below, far more effective information security programs can be put in place, even in otherwise recalcitrant enterprises.
First and foremost, an agency head must be a vocal and active supporter of and participant in information security. FISMA rightly placed ultimate responsibility for security on the shoulders of the agency head, but the reality is that the CIO and CISO handle the problem on a day-to-day basis. All too often, information security only comes to the attention of the agency head when a crisis occurs.
Recent data-loss incidents have made data security an executive-level management issue. Only in agencies where information security has executive-level support and participation is there any hope of improvement, because otherwise the CIO and CISO are neither empowered nor given appropriate resources.
Second, agencies must give someone with the appropriate substantive expertise and stature the power to set and enforce privacy and security requirements, including physical security for maintaining records and personnel security for controlling who gains access to records. This person needs to be, at minimum, a chief security officer (CSO) and a co-equal with an agency's CIO, and he or she must have a seat at the executive table.
Pat Howard, CISO for the Housing and Urban Development Department, says, "The primary thing we are doing is reviewing security controls with program offices and system owners, with a particular eye toward either strengthening or affirming the effectiveness of safeguards designed to prevent the disclosure of sensitive data. We are taking a hard look at how users are handling sensitive data — including personally identifiable information — to ensure that it is being properly handled, transmitted, stored, copied, printed and disposed of."
Large agencies such as HUD might want to consider establishing the job of undersecretary for risk management. This would be the executive position with authority for managing all of the risk factors associated with the delivery of the agency's mission and integrating all security disciplines. Not only must this person be an expert in information, physical and personnel security issues, but he or she must also be a thought leader on mission assurance, business continuity, emergency preparedness, process innovation and organizational efficiencies.
Third, the mission-focused interests of high-ranking officials must not hold policies, procedures and assignments of accountability regarding security and privacy issues hostage. In many agencies, CIOs and CISOs must obtain approval from these officials before getting their ideas vetted by the agency head, which results in watered-down policies that are all bark and no bite.
Fourth, agency heads must ensure operating administrations and bureaus don't misapply the information security budget, including funds for cybersecurity and privacy. Appropriations typically fund programs along mission or business lines rather than going directly to the CIO, so security and privacy initiatives depend on funding support from the very offices that have historically been the cause of the problems the security practices must address.
The IRS' work points up how crucial it is to allot funding appropriately, based on security need rather than by program or mission. "The IRS has a particularly challenging situation as our workforce spends a lot of time on the road conducting audits involving meetings with taxpayers, small businesses and other entities. Our mobile workforce needs to carry sensitive information with them to perform their jobs," says Dan Galik, chief mission assurance officer. "Our data protection strategy is heavily focused on the use of encryption. The applications that the agents use include features that provide for automatic encryption of data on their laptops."
Fifth, agencies should suspend all executive and senior bonuses until the environments for which the executives are responsible receive clean bills of security health from a qualified and competent individual in charge of information security. Agencies do use incentives and special bonuses, although not usually as big or flashy as those of industry. No other single measure will ensure that information security receives the attention and priority it deserves. And if you don't believe it, just suspend all executive bonuses in any agency that has received a failing FISMA grade over the past five years and watch how quickly grades rise.
Set Your Own Course
Although not difficult to implement from an operational or technical perspective, these five measures are tough from a political and cultural perspective. But without taking action, agencies will continue to experience data losses, potentially more serious security breaches and low annual security ratings. One thing is for sure: if agencies don't centralize security management and begin holding senior executives accountable for security failures, the symptoms of the deeper problems will continue.