'Toxic' data threatens agencies
Data can get stale and make government more vulnerable to hacks. On the other hand, agencies must meet Freedom of Information Act requirements for preserving information.
Datasets have a shelf life. If kept too long, data can pose a security threat to agencies. Addressing that threat could help stave off the next Office of Personnel Management-type hack, according to military officials.
"We have to start measuring the toxicity of data over time because…the longer we retain it, the more and more threat it represents from a compromise perspective," said David Tillman the Department of Navy's cybersecurity director. He and other military officials spoke April 14 at a panel hosted by FedScoop.
Datasets created and stored before the development of advanced cybersecurity protections can potentially offer easy pathways for hackers. The advent of cheap storage encourages data hoarding and "creates a more and more toxic environment from a threat perspective for our agencies and our departments," Tillman said.
Ray Letteer, chief of the Marine Corps' cybersecurity division, agreed with Tillman – and warned of the ramifications of data hoarding.
If datasets do not have an expiration date beyond which they are treated as greater threats, "we're going have another problem like OPM did," he said. Letteer noted that some of the Corps' network inspectors have found personal information, such as résumés, stretching back decades.
OPM's dated IT systems came under scrutiny after a breach compromised the personal information of at least 22 million Americans. Failure to detect the breach earlier was not a sign of the hackers' sophistication, but rather a function of "1970s legacy systems that operate on COBOL mainframe applications that have not been updated since the Y2K bug," the Institute for Critical Infrastructure Technology opined in a July 2015 report.
Defense Department CIO Terry Halvorsen has said data should come with an expiration date because it is generally less valuable as it ages, and therefore less worth securing.
A complicating factor is federal agencies' obligations to preserve information under the Freedom of Information Act. "This is nothing new for us," said Essye Miller, the Army's director of cybersecurity. "The FOIA rules have existed for years."