F Is for Feds

Maybe it’s an unlikely scenario for you and your company, but it’s a situation facing top IT security officials in our federal government today. Every year, security “report cards” are issued to the media by lawmakers on Capitol Hill whose job it is to provide oversight for the departments of Justice, Transportation and Treasury, among others. The annual security tally sheets are the subject of public hearingssome of them televisedand the world is informed of how cabinet-level agencies are doing in terms of securing the systems that touch the entire nation.

And if the report cards are any indication, the public sector is doing rather poorly, thank you, when it comes to security. Last November the entire federal government received an overall failing gradeagain. It’s been that way since 1996 when Congress’s watchdog auditing agency, the General Accounting Office, began calculating the grades. In the most recent report card, 14 of the 24 agencies tracked by GAO scored an F, and only two earned a middle-of-the-road C. The Social Security Administration ranked highest in terms of its overall efforts to fortify its systems but only managed to pull a B-minus

So federal security officials are now detailing comprehensive strategies to tighten security measures across their organizations. Collectively, their plans to improve security seem to mirror the private sector’smany are preparing to hire CSOs and stepping up the use of external audits.

What sets the plight of government IT security executives apart from the private sector, however, is their dependence on the notoriously long and circuitous federal purchasing and budgeting processes that is bureaucracy.The State of the FedsNotwithstanding the abysmal marks, there is little evidence that the federal government is really doing worse than the private sector. The GAO cites an April 2002 report conducted by the Computer Security Institute and the FBI’s San Francisco Computer Intrusion Squad. Although the majority of federal agencies polled had detected security breaches, the report found the same was true of major corporations also included in the review. The study mentions news reports of hacks at NASA and of military networks. Yet major companies also suffered serious break-ins during the same time frame.

However, Gartner Research Director for Internet Security John Pescatore cautions, “[Security measures] really are a lot worse in government, and federal CIOs should learn from the private sector.” He characterizes much of the federal government’s approach to security as less than robust. This, he says, reflects a half-hearted attempt to harness the Internet because many agency leaders are steeped in legacy systems and business processes. Ultimately, such an underutilization of the Internet leads to a more relaxed approach to security, since an executive who undervalues the Web is likely to show similar attitudes toward security, Pescatore says.

“The bottom line is that these agencies are not doing much with the Web,” he says. The market pressure that a Cisco or an Intel feels, for example, does not come to bear on a federal agency. “Let’s face it. If the Cisco site goes down, the company loses money hand over fist,” he says. “But if a government site goes down, nobody really notices.”

Not so, say others. While federal security executives will acknowledge that the government may never get to the level of security known in the finance industry, for example, they say that government isn’t any worse than corporate America when it comes to security weaknesses. “I don’t think security is worse in federal agencies,” says Federal Aviation Administration CIO Dan Mehan. “I think the problems we have at the FAA are absolutely as prevalent in the private sector.”

“Government security may get more press,” agrees KeyCorp CISO Jim Wade, a former IT security official at the Federal Reserve and Department of Energy who now spends time with federal security leaders as part of his role on a Commerce Department security oversight committee.Good, Bad or IndifferentThough Mehan, Wade and others make a case that their security problems are shared by private companies, the public sector is far different when it comes to accountability. While corporations have shareholders and customers to answer to, federal agencies are subject to more public scrutiny by the legislative branch and even by special interest groups dedicated to watching federal officials’ every move, especially when it comes to safeguarding government resources financed by taxpayer dollars.

Consider the difficulties facing the Department of Justice’s CIO and acting senior IT security official, Vance Hitch. He signed on last spring to address internal IT security matters across more than 30 DoJ suborganizations, and he’s still trying to bring up DoJ’s failing security grade. Hitch answers ultimately to Attorney General John Ashcroft. “When I came in, there was a tremendous focus on the issue of security, especially since [Ashcroft] was so interested in IT security,” he recalls. Hitch knew that the demands placed on him would stretch beyond the borders of his agency. In the wake of 9/11, the DoJ as the pinnacle of law enforcement had to be doubly vigilant, and the agency’s top managers were looking to Hitch for answers.

Yet federal IT security executives feeling the heat of public, congressional and administrative forces admit that the added pressure, as uncomfortable as it is, is not all bad. “Increased oversight works to empower federal leaders to make necessary changes,” says Lisa Schlosser, the Department of Transportation’s associate CIO for IT security. “Overall, it has been a good motivator for the department, and we’ve spent more time on these issues.” In fact, the security mandates as outlined in new laws prescribing federal security provisions amount to a clear sense of what the White House and Congress expect in terms of changes, she says.

Nor does the DoJ’s Hitch resent the high level of attention now given to IT security. “I firmly believe we need to do the things required by [the new laws]. We are in no way opposed to them. In fact, we’re pushing for them. Because of the importance that is being placed on these requirements, we can use the [laws] as a hammer or a wedge,” he says. That is, Hitch and others can use pressure from the White House and Congress to get agency managers in charge of major business processes to make necessary security changes. These requirements also come in handy at budget time, when the agency is justified in asking Congress how it is to pay for the improvements lawmakers want to see.

In terms of specific weaknesses, a November 2002 GAO report (titled “Computer Security: Progress Made, But Critical Federal Operations and Assets Remain at Risk”) detailed federal soft spots in six broad categories:

1. Security program management
2. Access controls
3. Software development and change controls
4. Segregation of duties
5. Operating systems
6. Service continuity

The practical security risks associated with these areas include, among other things, problems with tracking prisoners and possible breaks in IRS systems to “obtain personal taxpayer information and use it to commit financial crimes in taxpayers’ names,” according to the report. Along with the continuous pressures that the GAO and Capitol Hill have exerted during recent years, agencies must now also endure increased vigilance from the White House, especially as internal IT security has become tightly aligned with antiterrorism and homeland security efforts.

Recently renewed legislation plasters agency IT security reviews into the highly visible Executive Branch Management Scorecard. President Bush and his staff in August 2001 came up with the idea of using their own scorecards to show how agencies were doing in their efforts to improve targeted programs. While the scorecards are available to the public, Bush has promised to routinely deliver them to the Office of Management and Budget, which has authority in devising Bush’s spending plans for each agency. (For a look at a sample scorecard, see www.whitehouse.gov/omb/memoranda/m02-02scorecard.pdf.) The scorecards are supposed to help strengthen accountability and provide a means to track each major agency’s progress in areas such as financial management, use of the Internet and now IT security.

Involving the White House in federal security matters started in earnest with a law called the Government Information Security Reform Act of 2000 (GISRA), which was passed as a trial move to test the benefits of increased oversight. However, a new law called The E-Government Act of 2002 was signed in December and included agency IT security provisions originally drafted as the Federal Information Security Management Act (FISMA) of 2002. When this law passed, GISRA’s stepped-up executive branch oversight became permanent, meaning that federal security executives must get used to stringent accountability measures from both branches of government. For its part, OMB is now charged with setting policies, standards and guidelines for every agency’s information security.

But along with making more demands on agency security, the laws seek to provide federal security executives with the tools that they need to evaluate their own efforts to address security weaknesses. For instance, the Commerce Department’s National Institute of Standards and Technology (NIST) issued “Security Self-Assessment Guides,” a framework methodology now used by agencies. The idea was to devise a barometer that agencies could use to gauge the results of new initiatives, though some sources say the self-assessments can be a double-edged sword. For example, OMB reported the results of the first set of agency self-assessments for 2001, and the White House used agency self-assessments against officials, knocking them for not getting a handle on a series of common security weaknesses. Among other things, OMB cited a general lack of senior management attention to security, limited training of internal and external personnel and the absence of strong security measures to protect services provided by contractors.Feel the HeatOfficial reports, however, don’t tell the whole story. Even those critical of government security efforts find fault with the grading criteria, which hinge on self-evaluation instead of external audits. This practice is likely an incentive for some less-than-objective behaviors on the part of agency officials asked to evaluate themselves. “Government security managers tend to overstate security problems to justify increased funding,” says Gartner’s Pescatore.

Keeping political decision-makers’ attention on internal IT security has become a goal of federal executives such as FAA’s Mehan, especially as internal IT security challenges go head-to-headin the budget and elsewherewith other dramatic national risks. “With threats like nuclear, biological and chemical warfare, we realize that we’ve got to work hard to keep an emphasis on IT security,” he says. But the fact remains that protecting the computer systems that support the nation’s airways is as important as guarding against outbreaks of smallpox.

Still, a test of the government’s attention span for agency IT security may well happen in the coming months as the administration moves to assemble the Department of Homeland Security, a massive organizational feat that will stitch together the missions of 22 agencies. Though the administrative chaos resulting from this move may be a temporary distraction from efforts to improve internal security, the forging of the Department of Homeland Security is also a chance for the government to put its mark on the security industry, some sources say.

“Senior staff will set the direction in choosing internal safeguards and will, therefore, influence decisions across critical infrastructures,” notes KeyCorp’s Wade. “Government will have to lead by example. We’re seeing that happening more and more.”

But will it be enough? For change to take place, agencies will first need healthy IT security budgets. According to government sources, those budgets are just now beginning to materialize. The DoJ’s budget, which includes tech spending across all DoJ agencies such as the FBI and Drug Enforcement Agency, got a healthy bounce in last fiscal year’s budget, and the agency is hoping for another spike, Hitch says. Specifically, DoJ’s security spending went from 3.8 percent of the agency’s total, which is about $2 billion, in fiscal year 2001 to 5.1 percent in fiscal year 2002. “I was shocked it was initially that far below average,” says Hitch of the budget figures he walked into when he first took his post.

Hitch claims he still needs another boost to be able to do things like increase his IT security staff from eight to 20 or so individuals. Now strapped for talent, DoJ supplements its internal efforts with contractors, an approach mirrored by other agencies. For instance, the U.S. Agency for International Development has five of its 60 internal IT employees dedicated full time to security but has access to about 220 contracted staff, according to John Streufert, USAID’s information systems security officer, a newly created position reporting to the agency’s CIO. “Other staff members are working on projects that are primarily targeted at IT security benefits, such as virtual private networks and encrypted dial-in from home,” he says.

The Department of Transportation historically spends about 2 percent of its IT budget on security, which trails the average of 5 percent to 8 percent across private industry, notes Schlosser. “We are definitely looking to increase that,” she says. DoT’s FAA has a security budget that hangs at about 3 percent of its roughly $2 billion overall budget, a figure officials there say they are hoping to boost in the coming year as well.Tighten the Purse StringsThat the federal government lags behind the private sector in security spending as a percentage may be only one financial factor contributing to any security shortcomings. Another is likely the manner in which the government has gone about paying for its security efforts, according to Gartner’s Pescatore. “The whole idea in government is to sprinkle security in at the end,” he says.

That after-the-fact approach to security is an outgrowth of the rigid budgeting process, Pescatore says. For instance, the federal budget that governs spending at all agencies breaks down funding into two major categories: ongoing and supplemental expenses. Congress and the Bush administration have approached IT security by setting aside “separate pots” of supplemental monies, says Pescatore.

Few security professionals would argue that federal budgeting and procurement processes have left their mark on the individual agency’s attempts to reform security practices. And KeyCorp’s Wade agrees that lumping security resources into extra, supplemental funding kept separate from basic funding for mission-critical operations contributes to the government’s problems. “If IT security funding isn’t part of the baseline, then it’s not tied to compliance requirements. It becomesand I almost hate to say thisoptional or discretionary,” he says. In other words, because IT security is not hooked into the funding for the agency’s central business processes, which are subject to set requirements, the fate of this funding is not guaranteed.

In addition, some cite the technology industry’s initial tendency to view security as not important enough. “In a lot of respects, part of the basis for our problems is the fact that products in the past have not been built with security in them,” says FAA’s Mehan.

However, now that federal decision-makers and the technology industry seem strongly focused on security, agencies are speeding toward the use of beefed-up firewalls and network security auditing solutions, according to Pescatore. At Transportation and Justice, areas of technology that are of particular interest include analytical tools to allow officials to do a better job of gatekeeping. Intrusion detection is another area showing signs of increased federal interest. And DoT is turning to MIT’s Lincoln Laboratory for mathematical and sniffing tools that would process the mounds of data gleaned from intrusion-detection activities, officials say.

Justice officials have looked to maximize volume buying power by centralizing the purchase of intrusion-detection tools. Hitch’s staff has put in place contracting vehicles for IDS technology for all DoJ organizations to use in an effort to impose uniformity and make the technology easier to adopt.

“It’s funny,” Pescatore says, “just as the private sector is discovering that intrusion detection doesn’t always do what it’s supposed to do, federal officials are leaping into intrusion detection in a big way.”

But, like private companies, use of biometrics and smart cards is also increasing in the federal arena. In fact, DoT’s Schlosser cites smart cards as a technology where federal buying practices could prove a help rather than a hindrance. Specifically, DoT will consider using the General Services Administration’s existing smart card contract, to fulfill requirements. Because GSA has already jumped through all the contracting hoops, Schlosser and others at DoT could simply place orders for the technology and speed up adoption immensely. The DoT has also combined forces with the FAA to forge an enterprise license for vulnerability scanning tools.

Yet despite the value of private contractor involvement in these areas and others such as security auditing, DoJ’s Hitch preaches the value of internal accountability and warns government officials not to outspend their security challenges. “For best practices and broad-based experience, you can’t delegate responsibility,” he says. “Security is a never-ending problem. It is a hole you never get out of, since life in IT security means that new things and new risks always arise.”

Indeed, lawmakers may soon realize that federal IT security is not pass/fail, and that progress toward new security goals arguably is measured by shades of gray and by the details that make up each effort to revamp business processes or adopt new technology. Until then, there’s always next semester to bring the grades up.