Security: Challenges and Opportunity Await Agencies

IT Security Buyer's Guide
By Teri Robinson

Federal agencies face pressure – from the White House and internal agency managers to users and even the general public – to make security a priority. And they have. But sometimes-conflicting mandates, the Obama administration’s pledge to make government more transparent, upticks in mobile users and social networking, changes to FISMA reporting requirements, greater agency collaboration, high-profile breaches and improprieties such as the SEC porn debacle, and the shift to cloud computing have complicated that mission.

Some agencies, of course, have accommodated those factors more easily. Others have fallen prey to common missteps, such as investing haphazardly in promising technology to fill gaps and ending up with a hodge-podge of technology that can complicate work processes and overburden users, increasing the likelihood that they will find ways to disable or work around security mechanisms. The most successful agencies turn the challenges of top-notch security into an opportunity to assess their IT resources, business practices and security needs, then work the results into a solid security strategy.

The Drivers
A number of issues and initiatives have prompted federal agencies to take stock of their resources and scramble to provide additional security measures.

Greater transparency. When Barack Obama took office, he pledged that government would become more transparent. Agencies continue to struggle with how to protect information and ensure privacy while making government’s workings more visible to the public. In January, 300 “high-value” data sets on Data.gov marked the first deliveries that agencies made toward the Administration’s Open Government Directive. Going forward, they will have to address individual privacy concerns and authentication.

More nimble, responsive government. Another promise from the current administration was that government would become more responsive to citizens, other facets of government and third-party partners and collaborators. The expected result: a nimble government that operates much like a business, treating citizens like valued customers and resolving issues efficiently and expeditiously. At the Digital Government Institute’s Government Customer Service Conference, David McClure, Associate Administrator for GSA’s Office of Citizen Services and Communications, noted that “We’re paying a great deal of attention to citizen engagement customer service.” Indeed, GSA estimates that 41 percent of people in this country communicate with government online. But this level of responsiveness requires a smooth flow of information between agencies, citizens and other parties, and support for mobile and social networking technologies, which can make a government organization more vulnerable to breaches.

Mobility. Federal agencies are under mandate to offer teleworking options to their employees. And in 2008, nearly 103,000 employees were teleworking, many up to three days a week. The benefits of teleworking are well documented – it’s a cheaper alternative to providing office space for workers. It offers workers, and therefore agencies, greater flexibility, which in theory should lead to productivity gains and provide support for an agency’s Continuity of Operations Plan (COOP). In addition, teleworking is a greener solution, greatly reducing the gas consumption and fluorocarbons for employees who commute by car. And the telework option, as well as the implementation of mobile technology for field agents and other agency personnel, helps agencies become more nimble and responsive per the Obama administration’s mandate. Workers can respond and take action no matter where they are. But increased mobility equals increased security concerns – from protecting data on mobile devices to transmitting information securely across mobile networks.

Changes to FISMA reporting requirements. While FISMA requirements have boosted security, the compliance reporting required is cumbersome, time-consuming and costly, costing about $1,400 per page. Under new guidelines, though, agencies will report on their security efforts and submit updates every month through CyberScope, a Web-based portal that will be overseen by the Department of Homeland Security. The new automated process will eliminate burdensome paperwork, and it will allow an agency to present a nearly real-time view of its security status. But agencies must be vigilant and apply the appropriate tools to continuously monitor their IT and security resources.

High-profile breaches, attacks and improprieties. Government has increasingly found itself under attack by malevolent forces or compromised by mismanagement and employee foibles. Missing laptops from the Commerce and State departments, the VA and other government organizations underscore a need for better security, as do viral attacks and a preponderance of malware. Attacks on networks have become more organized, sophisticated, insidious and widespread. The Deloitte 2010 CSO Cybersecurity Watch Survey found that most organizations aren’t aware of the type of attacks that compromise government and enterprise networks. And many, the report said, overestimate the abilities of the security solutions they use to guard against attacks. In the wake of the 2009 attack on Google, allegedly by the Chinese government, then-director of national intelligence Dennis Blair told the Senate Select Intelligence Committee that government networks lose sensitive data daily as a result of similar attacks.

Social networking. The SEC’s recent tangle with employees accessing porn sites from work showed that even government agencies aren’t immune to employees using IT resources on “company” time to engage in inappropriate and in some cases illegal activities. The scandal also raised the question of how to secure data and resources with social networking gaining prominence. Facebook, YouTube, Twitter and MySpace serve to create a more responsive, nimble and transparent government. They can be used to promote government initiatives and disseminate information. While some called for more stringent measures and a ban on social networking altogether, more reasonable voices have said that government would be better served by policies and strategies that accommodate social networking but mitigate risk and vulnerability.

Cloud Computing. Government clearly has its head in the clouds. And it’s no wonder that the move toward cloud computing has gained steam. With budgets tightening, the ability to share resources, pay only for what is used, and deploy applications and updates more easily while minimizing disruptions has mass appeal. Of course, cloud computing comes with a host of security concerns, which have caused many agencies to delay adoption.

Collaboration. Increasingly, government agencies must work together, exchanging information to do everything from coordinating responses to national disasters and tracking terrorist operations to administering benefits and uncovering securities crimes. At the Government Customer Service Conference, GSA’s McClure called on agency IT professionals to collaborate and to strive “to integrate information channels” in an effort to better the “citizen experience.” But while the easy flow of information among agencies and outside parties facilitates transparency and makes for more responsive government, it opens up a host of security concerns regarding access, identity management and data protection.

Taking Action
Understandably, many agencies are overwhelmed by current demands for improved and comprehensive security, as they scramble to meet mandates and fill gaps in their own security plans. But a number of initiatives, including FISMA reform, are creating opportunities for government groups to move forward with tighter security. As OMB announced FISMA reform, NASA quickly announced its own move to continuous monitoring and online reporting of compliance.

And as the National Defense Authorization Act moved through Congress, where it was approved by the House of Representatives, changes to FISMA and the creation of an Office of Cyberspace in the White House promise to bring security under a more comprehensive umbrella.

“These provisions will establish strong, centralized oversight to protect our nation’s critical information infrastructure and update our comprehensive policy for operating in cyberspace,” said Rep. James Langevin, D-R.I., one of the sponsors of the amendment to the Act that includes the Office of Cyberspace initiative.

In addition, the second iteration of the Comprehensive National Cybersecurity Initiative (CNCI2), announced this spring, has promised to ease the burdens of cost and limited resources that agencies are grappling with. Among its initiatives: provide a way to manage the federal enterprise network as a single network enterprise with trusted Internet connections; deploy an intrusion detection system of sensors across the Federal enterprise; pursue deployment of intrusion prevention systems across the Federal branch enterprise; and coordinate and redirect research and development (R&D) efforts.

And at a recent Input conference, GSA’s McClure hinted that all agencies might eventually be privy to military-grade secured computing. He called for the creation of “a forge.gov” that would offer some services that “would be available to federal agencies for free. It would provide no-cost development and code repository support for open-source applications.”