Don't blame contractors solely for poor security

Security for IT systems is too complex to lay on any one set of shoulders, expert warns.

Several reports this year highlighted that agencies are doing a poor job with securing their contractor-managed IT systems, but one expert warns against putting the blame entirely on contractors.

For the past couple of years, several audits found that many agencies had not properly addressed IT security issues required by the Federal Information Security Management Act. Many agencies were also found to lack oversight of how contractors operated on their behalf. For example, a 2009 FISMA audit noted that the Agriculture Department failed to include several systems in the inventory of contractor systems.

Another IG report found that the Education Department's information systems security program had persistent vulnerabilities in areas including networks, security patch management and remote access software. For Education, a contractor had been tasked with the management of the IT systems. In 2007, Perot Systems, later acquired by Dell, won a contract to manage and provide all IT infrastructure services to the department under the Education Department Utility for Communications, Applications, and Technology Environment system. It was this program the IG found had operational, managerial, and technical security control weaknesses.

“If a contractor is building a system for you, especially if it’s a large system, it’s very hard, sometimes impossible to test it thoroughly,” said Shari Pfleeger, director of research for the Institute for Information Infrastructure Protection at Dartmouth College. Agencies therefore often have to rely on contractors’ reputation, but as far as their products go, once the shrink wrap is off, it’s often buyer beware, she said.

Almost all of the critical military data that has been lost was lost from contractor sites, not from the military itself, said Alan Paller, director of research at the SANS Institute. Part of the reason is that most data is held at contractor sites and attackers naturally target those locations, he said.

“But the fact that so much data has been taken from those sites makes it hard to trust that when [contractors] tell the government they are going to protect information, that it’s true,” Paller said.

The essential problem is one of manpower, he said, and specialized IT professionals are few and far between.

“What you got is not very many people with technical skills to do security and instead you got a lot of soft-skilled people,” Paller said. “That creates a situation where the contractors are not doing what the agencies want them to do in terms of security.”

But Pfleeger warned against placing the entire blame on contractors. “I don’t want to make it sound like everything is the contractor’s fault; sometimes, it has to do with differing expectations of the government agency and the contractor,” she said. “Sometimes, the people at the agency don’t even know the right questions to ask because they have underlying assumptions.”

One problem can be illustrated by the following example: An agency might ask a contractor if all the data is encrypted, and the contractor says yes. But there is a difference between data at rest and data in motion; data might be encrypted while stored in a database, but in motion and between transfer points, the data might no longer be encrypted, Pfleeger said.

“That’s when you have mismatched assumptions,” she said.
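As an added illustration of that mismatch (example code written for this page, not anything from the article, the agencies or the contractors it names), the following audit answers the at-rest and in-transit questions separately over a constructed sample data flow, so a single "yes, it's all encrypted" cannot hide an unencrypted link.

```python
# Added example: models the article's "is all the data encrypted?" question as a
# data-flow audit. The at-rest and in-transit verdicts are computed separately so
# that a blanket "yes" is only reported when both hold.
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    """One place data sits ("rest") or one link it crosses ("transit")."""
    name: str
    kind: str        # "rest" or "transit"
    encrypted: bool


def audit_encryption(flow):
    """Return separate verdicts for data at rest and data in motion.

    `flow` is the ordered list of hops a record follows from storage to consumer.
    Any hop that is not encrypted is listed under "gaps" so the mismatch between
    "the database is encrypted" and "all data is encrypted" becomes explicit.
    """
    for hop in flow:
        if hop.kind not in ("rest", "transit"):
            raise ValueError(f"unknown hop kind {hop.kind!r} for {hop.name!r}")
    rest = [h for h in flow if h.kind == "rest"]
    transit = [h for h in flow if h.kind == "transit"]
    gaps = [h.name for h in flow if not h.encrypted]
    return {
        "at_rest": all(h.encrypted for h in rest),
        "in_transit": all(h.encrypted for h in transit),
        "all_encrypted": not gaps,
        "gaps": gaps,
    }


# Constructed sample flow for a hypothetical agency/contractor system (not a real
# one): the database and backups are encrypted, but the internal hop from the
# database to the application server carries the data in the clear.
SAMPLE_FLOW = [
    Hop("agency database (disk encryption)", "rest", True),
    Hop("database -> app server (plain TCP)", "transit", False),
    Hop("app server -> contractor site (TLS)", "transit", True),
    Hop("contractor backup tapes", "rest", True),
]

if __name__ == "__main__":
    result = audit_encryption(SAMPLE_FLOW)
    for key in ("at_rest", "in_transit", "all_encrypted"):
        print(f"{key}: {result[key]}")
    if result["gaps"]:
        print("unencrypted hops:", ", ".join(result["gaps"]))
```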