COMMENTARY

Data security: Why the usual solutions fall short

Shon Harris is a security consultant, founder of Logical Security and a former engineer at the Air Force’s information warfare unit.

With the current buzz around the WikiLeaks disclosures, the U.S. public seems amazed by the type and amount of sensitive information that is available to people who should not have access to it. Security professionals are not.

Traditional data security technologies are running to catch up with the explosion in data dissemination methods. Although data might be secured within a database, people need to use it to carry out operational tasks, which usually means putting the data into Word, Excel, presentation software, e-mail or some other format.

The data can be saved to a thumb drive, DVD, personal laptop or less secure workstation. Or it can be sent to a user’s home computer, disseminated via e-mail to a distribution list or printed. The original database security then becomes useless as that data is passed around in insecure formats via controlled and uncontrolled networks.

Most agencies have policies and standards that outline how sensitive data should be protected, but they are usually ignored and hardly ever enforced. But agencies' systems have passed security audits and met their compliance requirements, you might say, so aren’t they secure? Not even close.

In many cases, an agency can pass a Federal Information Security Management Act audit if it has people who can write great security policies and documentation. But that has no real bearing on what type of security controls are in place. Every agency has a firewall, but the real question is whether it is configured properly for that specific environment and the threats that agency faces. And that takes testing, not policy checklists.

Instead of releasing funds to agencies that simply pass audits and compliance tests, the Office of Management and Budget should evaluate statistics on incidents and successful compromises. If an agency experiences an unacceptable amount of system or personnel compromises, it should fail its security audit, regardless of the other factors. OMB funding should be based on actual security, not just policy compliance.

Another challenge that government agencies face is identifying and retaining employees who have the necessary level of security knowledge and skills. The lack of trained security professionals is a huge gap in our national defense, which is why it is a line item in the Cybersecurity Act of 2010.

To work as a security professional in government, you need a clearance, which is expensive and time-consuming. And people can make much more money in the private sector. Rather than just issuing training mandates to agencies, the government should provide the necessary funding to hire and retain skilled employees.

Security professionals are not surprised by the WikiLeaks issues that the U.S. government is facing because the same type of information is leaked constantly, just not in the same headline-making way. Criminals and countries steal military and government secrets all the time. But they don’t want their activities known, so they work hard to stay under the radar.

WikiLeaks shines a bright light on the technological, policy, awareness, education and enforcement issues that must be properly dealt with if the nation is serious about protecting its classified information.

About the Author

Shon Harris is a security consultant, founder of the company Logical Security and a former engineer in the Air Force’s Information Warfare unit.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.