EPA data breach highlights worrying trend

GAO reports federal data breaches of personally identifiable information increased by 19% from 2010 to 2011

In the war over government data security, the statistics indicate the bad guys are winning. And some security experts say any hope of reversing that trend will take "a whole new paradigm" in IT security.

The U.S. Government Accountability Office (GAO) reported last week that federal data breaches involving unauthorized disclosures of personally identifiable information increased by 19%, or about 13,000 to 15,500, from 2010 to 2011.

At least some of the time, victims of those breaches are being left in the dark about it for months. About 123,000 Thrift Savings Plan participants whose personal information was compromised in a July 2011 breach were not notified until this past May.

That is not the only instance. The Washington Business Journal reported that the U.S. Environmental Protection Agency (EPA) waited until last week to notify 5,100 employees and 2,700 "other individuals" of a data security breach last March that exposed their Social Security numbers and banking information.

Greg Long, head of the Federal Retirement Thrift Investment Board, responding to questions from the Senate subcommittee on government management oversight, said the thrift board had followed federal guidance in responding to the attack, but didn't have the funding for a notification plan.

Daniel Berger, president and CEO of Redspin, a security assessment vendor, told CSO Online that the increase in breaches is no surprise, given that attacks have become, "more sophisticated and persistent. Groups such as foreign governments, organized crime, and hacktivist networks have the capability for multi-dimensional, coordinated, ongoing attacks against specific entities such as U.S federal agencies."

Berger said traditional perimeter defenses and other security controls are "no match for such attacks. A whole new paradigm is needed."

Tony Busseri, CEO of Route1, an IT security firm, suggested to Federal Computer Week that a piece of that new paradigm has to include better technology.

The EPA breach, reportedly caused by a virus in an email attachment on a contractor's computer, points again to the vulnerability of human error.

"We cannot just have policy-based approaches to cybersecurity," Busseri said by email. "It has to be technology-based too. If we rely upon the human condition - i.e., we expect someone to adhere to a policy -- and that's the only protection we have, we're going to have failure. By nature people are prone to making errors."

John Steven, internal CTO of Cigital, also said technology is lagging, especially when it comes to protecting usernames and passwords. "Credential thefts are not new vulnerabilities," he said. "These are system bugs that have been there for seven years and are being exploited now."

Steven said that is happening in both the private sector and government. "When the Yahoo [data breach] story broke, I went back and looked at three of my clients. We had reported critical vulnerabilities in password protection, an they had opted not to fix them," he said.

And the problem is made worse because of the human factor -- too many people using the same user name and password for multiple sites, he said.

Tanya Forsheit of InfoLawGroup said it is too simplistic to conclude that the GAO's statistics mean there is an actual increase in breaches.

It could be that there is better and more accurate reporting of them, Forsheit said. However, she added that "policies, procedures, controls, etc. -- a strong information security program -- is the best medicine to mitigate the risk of a breach."

"It does not mean that breaches won't still happen, of course," she added. "There is no such thing as perfect information security."

Still, shouldn't there be a requirement for more timely notification of potential victims of breaches?

The problem, say both Forsheit and Daniel Berger, is that there is no single standard. "State and federal breach notification laws govern how quickly an organization is required to notify affected individuals of a breach," Forsheit said. "Those deadlines depend on the particular law involved. The 46 state laws are all different, and the federal laws that do exist -- under HIPAA/HITECH, and separately for federal agencies -- are different still."

John Steven said he would support a stronger, unified policy on notification, but added that it will not cure the problem on its own. "It's one leg of a stool," he said. "The key is to build the system correctly, so it is designed to protect credentials."

"I'd highly recommend a federal standard for breach reporting requirements across all industries," Berger said. But he adds that he believes data security has to evolve to "a more holistic, data-centric approach to confront current threats."

Everybody from enterprises to government agencies should be asking themselves what are their most critical corporate information assets, Berger said, along with other crucial questions, including: "How is this data used, transmitted, and stored? Are access control policies in place and enforced? Have we integrated mobile computing, whether it's corporate issued-devices or BYOD, into our policies and procedures? How do we monitor use? Are my employees sufficiently aware of what constitutes acceptable use and practice from the IT security perspective?"

Copyright © 2012 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline