The Feds Target Security

And that's not all. Should Young find a Palm or BlackBerry unattended on his base, he'll confiscate it, remove whatever data is on it and then crush it. Also, Web sites such as AOL, eBay and ESPN are banned (blocked, in fact) to avoid the risk of viruses generated by transactions or bandwidth being used that can interfere with critical operations. People who leave passwords or critical data exposed are subject to eight-hour "special education" sessions on security with Young, who is, pardon the expression, militant about security.

While Young's approach may seem harsh, he makes his priorities clear: "If you're putting my network in danger, you're putting my people overseas in danger," Young says. "We are in an information-warfare scenario right now. The Air Force looks at our systems as a weapons system."

Not only are employees under his watchful eye, but outsourcing partners are carefully scrutinized as well. "We watch them very closely," Young says. "We follow them around and make sure they're not doing anything we're worried about."


Granted, the Air Force may be a rather extreme example of how government and military agencies these days have stepped up measures to develop and enforce security policies, but a growing number of agencies are starting to look more closely at security.

Like corporations and universities, the government has always considered security a key IT priority. However, many agencies lack up-to-date policies, and even those that have them often don't enforce them. Now they're stepping up their resolve. Experts say many agencies started cracking down about two years ago after Y2K issues were resolved, and denial-of-service attacks, the spread of malicious viruses and other cyberthreats demonstrated the need for the government to shore up security.

Getting Tough

The clincher, of course, was last year's terrorist attacks on the Pentagon. "Agencies are paying a lot more attention to risk and risk assessment, especially in conjunction with cybersecurity and information assurance, because security is so essential to operations," says Ray Bjorklund, an analyst at Federal Sources, McLean, Va.

Still, experts say security remains too lax inside many agencies: passwords are often posted on monitors, organizations deploy firewalls but then impose workarounds in the name of simplicity, and many policies simply are not enforced, according to Sallie McDonald, assistant commissioner for the GSA's Office of Information Assurance and Critical Infrastructure Protection.

"It is amazing that so many people don't understand how virus scanners work and that they have to be kept up-to-date," McDonald said in a keynote address at last month's third annual Information Assurance conference in Washington, D.C. "Incident-response plans are very important because you are going to have that inevitable security situation, and as an organization, you need to be prepared to act."

The Office of Management and Budget (OMB), which approves all agency expenditures, is already acting. Starting this fiscal year, which began Oct. 1, all new IT projects must show a business case, demonstrating what they are doing to secure their infrastructures, says Mark Forman, associate director of information technology and e-government at the OMB.

"We have to cross that security chasm," he says. "One of the requirements on that score is they have a security plan. If they don't, we don't fund it."

That was put forth in the Government Information Security Reform Act and is further articulated in a draft of the National Strategy To Secure Cyberspace report, released last month by the Bush administration's Critical Infrastructure Protection Board. The draft is available for public comment through Nov. 18, when it will be submitted to the president for approval.

Many agencies have already begun auditing their systems, conducting risk analyses and developing new policies and methods of enforcing them. Integrators such as EDS, KPMG, Northrop Grumman and Soza and Co. are helping agencies conduct these assessments in compliance with federal guidelines, such as those from the National Institute of Standards and Technology.

Nevertheless, convincing agencies to conduct risk assessments is not as easy as one would expect, says Cheryl Lieberman, a certified information-systems security professional at Plano, Texas-based EDS, noting there hasn't been a significant uptick yet.

"I don't think the agency plans are clear yet, given where we are in the budget cycle," she says.

Increasing Awareness

Even so, the number of agencies that have used integrators to conduct security-risk-mitigation projects has increased in recent years, says Frank Guglielmo, vice president of engineering at Soza, Fairfax, Va. "Risk mitigation is better today, but I wish we were doing more," he says.

Risk assessment can also help agencies determine how to best allocate their IT and security budgets, keeping expenditures in line with specific vulnerabilities and risk factors, experts say.

When the Centers for Medicare and Medicaid Services (CMS) needed to automate claims-processing with commercial insurance carriers to comply with the Health Insurance Portability and Accountability Act, keeping security costs down often conflicted with trying to meet the new demands of processing claims. CMS brought in Northrop Grumman, which developed a risk-analysis tool that could be used to assess whether carriers were meeting its security objectives. "Numerous business systems were developed without making conscious decisions for security," says John Hendry, the program manager at Northrop who worked with CMS. "We are in the throes of increasing awareness, but it's not reaching the decision-makers."

After a year-and-a-half of applying its risk-evaluation tool, Northrop and CMS say they have mitigated security risks and costs for the upcoming 2003 year.

"We just completed our budget planning and corrective actions, and we think we can reasonably claim for both these fiscal years that we've achieved a delicate balance between a sound return on investment and actually meeting our security objectives," says Max Buffington, program manager for the security and standards group at CMS.

Cost Vs. Risk

The problem, Hendry adds, is that many agencies think they don't have the funds in their IT budgets for such security tools, yet they haven't even assessed how much it will cost, or what the costs will be if they don't take corrective action.

Others simply can't look at their vulnerability objectively, says Jim Golden, chief information security officer at the U.S. Postal Service (USPS). After completing Y2K remediation work, the USPS asked Golden to oversee security. About half the USPS' security program is outsourced; the other half is managed internally, Golden says. The overall program is managed by Northrop.

When it comes to developing policies and conducting risk-assessment studies, Golden advises federal agencies to look to third parties. "You can't do it yourself," he says. "You get a false sense of security."

One way the government is looking to mitigate risk is by spreading the use of digital certificates in the coming year, allowing agencies to validate access to encrypted files. Many agencies already use digital certificates internally, but the goal is to use them among federal agencies and, ultimately, among state agencies, municipalities and businesses.

Crossing the Bridge

Such efforts have been elusive because of lack of interoperability between different PKIs. One step toward providing better security among agencies is the Federal Bridge, launched by the government last month as a PKI gateway to accept digital certificates exchanged among agencies.

The Federal Bridge is a key component of the federal government's cross-agency e-authentication initiatives because it lets one agency exchange encrypted data with another and trust that the senders and recipients are valid certificate-holders. This breaks down a key barrier to PKI: interoperability of digital certificates among different entities.

The Federal Bridge, based on Entrust's digital certificates, is run by Mitretek Systems, the integrator brought in by GSA to develop and run the bridge. The real challenge, though, was getting agencies to share and map their policies for authenticating certificates to the bridge.

"We have achieved a major milestone now," says Eugene McDowell, a systems analyst at the National Oceanic and Atmospheric Administration and a member of the Federal PKI Steering Committee. "We had demonstrated before that the technology worked; now people are in a position to use it. There are some real heavyweights using it."

Those heavyweights include the departments of Defense and Treasury, NASA and Agriculture National Finance. Other agencies are slated to come online over time. The Federal Bridge will be open to those outside the federal government as well; foreign government agencies and the state of Illinois also say they plan to connect to the Federal Bridge. OMB's Forman expects federal agencies to link to the Federal Bridge quickly because it will provide an easy mechanism for agencies to trust certificates from other agencies, not just their own. "Departments don't have to go out and get a new set of certificates," Forman says. "They can leverage the certificates that have already been provided."

Enabling technologies such as the Federal Bridge, combined with the need to educate staff regarding security issues and the need for practical and enforced policies, are the three pillars needed to provide a more secure government, GSA's McDonald says. "Just like a three-legged stool, security cannot be effective if one of those pillars is missing," she says.

Systems integrators who can address those concerns are poised to do well. "I believe there is a scarcity of security expertise in the world," McDonald adds. "The logical outshoot of that is a lot of these services need to be outsourced."