Earlier this year the GAO reported that the number of security incidents at Federal agencies involving Personally Identifiable Information (PII) increased 2.5x between 2009 and 2013. This year, with the rising tide of highly visible data breaches in retail, health care and other sectors, I expect the picture to deteriorate further.
Why is this the case? Three key reasons stand out:
- Lack of real penalties
- Inertia in IT Security investments
- Standards that drive only minimum behavior
When a data breach occurs at a commercial entity, disclosure is mandatory in 47 of the 50 US states. Although the terms vary, these laws universally require notifying those affected, and many set penalties and remediation requirements. The cost of these measures varies, but is typically estimated at between $20 and $200 per record compromised. There is no such requirement for Federal agencies. In fact, the report found that:
- Only one agency (the IRS) consistently calculated the amount of personal data at risk in each incident (if it worries you that the IRS lost data, you aren’t alone; they have all my tax data too)
- Only two agencies recorded how many individuals were affected
- No agency offered remediation in the form of credit monitoring or other services
- And agencies appeared not to have a process to learn from the incidents, with several not even able to meet
With no real penalty for failing to protect citizen data, it is hard to be surprised when that data is lost in the current onslaught of attacks. See an earlier blog from Bob Bigman on the fact that we are already in a cyberwar.
Next is a fact of life in IT environments. A critical IT mantra is “if it ain’t broke, don’t fix it”. We now have an entire generation of IT security and infrastructure staff who have spent their careers protecting critical data with network perimeter and endpoint security tools: firewalls, anti-virus, network segmentation, network monitoring, and so on. Go to any IT security event and you’ll learn that today’s attacks, especially the kinds directed at government entities, are adept at getting past these defenses: assaults on internet-facing servers and applications, phishing through social media, man-in-the-middle attacks and more. Yet many of our Federal agencies have not matched their IT security investments to this reality. Maybe that is because of the Federal procurement and funding process (I once worked for a startup that worked on a single Federal bid for over 2.5 years before winning the award, and then spent more time before it could fully deploy because other vendors “contested” the award). Perhaps sheer size is the problem, with too many overlapping stakeholders. Or perhaps it is simply hard for people who have done things one way for years to shift focus without a “compelling event”, and without real penalties there hasn’t been one for their agency. If this is true even for existing government IT implementations, think how much worse it gets as agencies apply their aging, perimeter-focused security regimes to cloud and big data environments, where there is no single perimeter to defend. It isn’t a pretty picture.
Last, current standards such as the US Cybersecurity Framework only “encourage” the right behavior, leaving it up to each agency to set its own minimum standards and implementations. The standards the Framework points to (COBIT, NIST SP 800-53, the CCS Critical Security Controls, ISO/IEC 27001) are too broad and miss too many critical elements. They are good high-level guidelines to the cybersecurity things that need to be done, but short on the specifics of how to implement the required protection, and on the process needed to keep pace with the rapid evolution of cyberthreats, so that protections quickly track new attacks or even get ahead of them.
So what’s the solution? Taking a data-centric security model and applying it across the board to sensitive data, both in existing IT environments and in areas such as cloud and big data, can actually save our Federal agencies money. Protection placed directly around the data at rest limits who can access it, from where, when and how, and monitoring of that access makes it possible to spot when an account that legitimately has access is being misused or has been compromised. Rather than maintaining the status quo, organizations should change focus and add data-centric security to the mix: encryption of the data itself, access controls enforced at the point of access, and monitoring and analysis of every data access.
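To make the three elements of that data-centric model concrete, here is an added example (written for this page, not code from the original post or from any agency or vendor) of a small PII record store in Go. Each record is encrypted at rest with AES-256-GCM, decryption is gated on an explicit who/where/when policy, every access attempt is logged, and a simple analysis over the log flags an authorized account whose read volume looks like a compromised credential rather than normal use. The principal attributes, the policy values, the record contents and the key handling are all constructed for illustration; a real deployment would hold the key in a KMS or HSM and feed the access log to the agency’s monitoring pipeline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"time"
)

// Principal describes who is asking, in what role, and from which network.
// These are constructed attributes for the example, not a real agency schema.
type Principal struct {
	Account string
	Role    string
	Network string // e.g. "agency-lan" or "internet"
}

// Policy is the "who, where, when" that is enforced before any decryption.
type Policy struct {
	AllowedRoles    map[string]bool
	AllowedNetworks map[string]bool
	BusinessHours   [2]int // [start hour inclusive, end hour exclusive], UTC
}

// AccessEvent is one line of the data-access audit log.
type AccessEvent struct {
	When    time.Time
	Account string
	Record  string
	Allowed bool
	Reason  string // empty on success
}

// Store holds AES-256-GCM ciphertexts keyed by record ID.
type Store struct {
	key     []byte            // 32-byte key; in production this lives in a KMS/HSM, not in the process
	records map[string][]byte // record ID -> nonce || ciphertext || tag
	policy  Policy
	Log     []AccessEvent
}

// DemoPolicy is a constructed policy: one authorized role, one trusted network, daytime only.
func DemoPolicy() Policy {
	return Policy{
		AllowedRoles:    map[string]bool{"case-analyst": true},
		AllowedNetworks: map[string]bool{"agency-lan": true},
		BusinessHours:   [2]int{8, 18},
	}
}

func NewStore(key []byte, policy Policy) (*Store, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	return &Store{key: key, records: map[string][]byte{}, policy: policy}, nil
}

func (s *Store) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts a record; the record ID is bound as associated data so that a
// ciphertext moved into another record's slot fails the integrity check.
func (s *Store) Put(id string, pii []byte) error {
	g, err := s.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.records[id] = g.Seal(nonce, nonce, pii, []byte(id)) // output is nonce || ciphertext || tag
	return nil
}

// check returns an empty string when the principal may read now, else the denial reason.
func (p Policy) check(pr Principal, now time.Time) string {
	if !p.AllowedRoles[pr.Role] {
		return "role not authorized"
	}
	if !p.AllowedNetworks[pr.Network] {
		return "network not authorized"
	}
	if h := now.UTC().Hour(); h < p.BusinessHours[0] || h >= p.BusinessHours[1] {
		return "outside permitted hours"
	}
	return ""
}

// Get enforces the policy before touching the ciphertext and logs every attempt, allowed or not.
func (s *Store) Get(p Principal, id string, now time.Time) ([]byte, error) {
	ev := AccessEvent{When: now, Account: p.Account, Record: id}
	defer func() { s.Log = append(s.Log, ev) }()
	if reason := s.policy.check(p, now); reason != "" {
		ev.Reason = reason
		return nil, errors.New("access denied: " + reason)
	}
	ct, ok := s.records[id]
	if !ok {
		ev.Reason = "no such record"
		return nil, errors.New("no such record")
	}
	g, err := s.aead()
	if err != nil {
		ev.Reason = err.Error()
		return nil, err
	}
	ns := g.NonceSize()
	if len(ct) < ns {
		ev.Reason = "malformed ciphertext"
		return nil, errors.New("malformed ciphertext")
	}
	pt, err := g.Open(nil, ct[:ns], ct[ns:], []byte(id))
	if err != nil {
		ev.Reason = "integrity check failed" // tampered or mis-keyed data is refused, not returned
		return nil, errors.New("record integrity check failed")
	}
	ev.Allowed = true
	return pt, nil
}

// SuspiciousAccounts returns, sorted, every account with more than threshold successful
// reads inside the window ending at now: a cheap signal that an authorized credential
// is being used for bulk extraction rather than case-by-case work.
func (s *Store) SuspiciousAccounts(window time.Duration, threshold int, now time.Time) []string {
	counts := map[string]int{}
	for _, ev := range s.Log {
		if ev.Allowed && !ev.When.After(now) && now.Sub(ev.When) <= window {
			counts[ev.Account]++
		}
	}
	var out []string
	for acct, n := range counts {
		if n > threshold {
			out = append(out, acct)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real deployment fetches this from a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, _ := NewStore(key, DemoPolicy())
	_ = s.Put("taxpayer-001", []byte("name=J. Doe;ssn=123-45-6789")) // constructed sample record
	now := time.Date(2014, 9, 10, 14, 0, 0, 0, time.UTC)
	analyst := Principal{Account: "analyst1", Role: "case-analyst", Network: "agency-lan"}
	pt, err := s.Get(analyst, "taxpayer-001", now)
	fmt.Printf("in-policy read: %q err=%v\n", pt, err)
	_, err = s.Get(Principal{"analyst1", "case-analyst", "internet"}, "taxpayer-001", now)
	fmt.Println("same account from the internet:", err)
	for i := 0; i < 30; i++ { // the same credential pulling the record over and over
		_, _ = s.Get(analyst, "taxpayer-001", now.Add(time.Duration(i)*time.Second))
	}
	fmt.Println("flagged accounts:", s.SuspiciousAccounts(time.Hour, 20, now.Add(time.Minute)))
}
```

The point of the structure is that the policy check and the audit log sit in the one function that can reach the plaintext, so there is no path to the data that bypasses either; the detection query then runs over the same log the enforcement wrote, which is what lets the agency notice a compromised but authorized account rather than only an outsider being refused.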
With these safeguards in place, agencies can take full advantage of the cost-effectiveness, agility and new functionality that cloud and big data platforms offer. The result? At the very least, agencies will make better use of taxpayer dollars, but it is also possible that Federal agencies could surprise us with a level of service we’ve not seen from them before.
Not to mention that the escalating cadence of data losses would be drastically curtailed.