The limits (and myths) of security

You can only cry wolf so many times. It was bound to take a breach of the magnitude of the one that recently hit the Office of Personnel Management to send shockwaves through the government and spur action and urgency. That data loss led to a series of efforts to plug the most egregious holes as quickly as possible, beginning with the 30-day "cybersecurity sprint."

But like the hurry-up offense in the final two minutes of a football game, that scramble to play catch-up can overshadow larger questions about the blocking and tackling throughout the game -- or, in this case, the practice of security fundamentals at government agencies. So we need to step back and ask: Why do we continue to live with such undue risk in the first place? And will this latest flurry of activity lead to a concerted improvement in preparedness and behavior over the long haul, or should we expect more of the same?

As a former chief information security officer at two federal agencies, I applaud initiatives for shoring up security, which is wildly uneven across the government. The latest tools and expertise, like those offered by the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program, will bolster agency efforts. But even so, there can be no illusion that everything can be protected. There's neither a silver bullet nor enough resources to secure any and all processes agencies choose to automate.

That reality has created an environment in which there is too much acceptance of risk when operating information systems that aren't adequately protected. That is where risk management comes into play because it can help agencies assess and recognize what can and cannot be protected, prioritize security efforts, and make decisions about not leaving the crown jewels exposed beyond the limits of protection.

Given the recent series of extraordinary breaches, the following five points for securing government information systems bear revisiting:

1. Absolute security is a myth. Security nirvana is not reached by going through a checklist of remediation activities, complying with statutory requirements and addressing inspector general findings. That approach is limited and dangerous because it marginalizes real risk management, which says security efforts must be in tune with assessed risk and must be a priority. True risk management involves recognizing what's at stake when systems operate with vulnerabilities. When there's excessive risk, the appropriate officials should exercise their power to take systems off-line until they obtain the resources to secure them.
2. Security is dynamic. Once security measures are put in place, that doesn't mean they stay in place. Simply put, change can compromise security. And change can include adding users to a system, turning on new functionalities and gathering more sensitive data, or it can involve changes to the threat landscape itself. Beyond simply remediating vulnerabilities, cybersecurity officials must continually reassess risk as conditions change. Applying and maintaining effective continuous monitoring capabilities, like those provided by the CDM program, are foundational to that success.
3. There are limits to security. Before any system goes into operation, officials must know what security controls can and cannot protect and understand the worst-case scenarios. Officials charged with making sound risk-based decisions require the latitude and fortitude to weigh operating a system against the impact of a potential data loss -- and they must be able to suspend systems in the face of undue risk. Greater accountability would encourage a harder look at risk and discourage the operation of systems with major weaknesses or numerous minor vulnerabilities.
4. Risk-based alternatives are worth considering. It's a foregone conclusion that IT is needed to automate many processes, but the move to e-government and more open systems might have resulted in overly expansive and permissive access for employees, contractors and the public. The principles of "least privilege" and "need to know" apply, based on the sensitivity of the data, the user populations and the system design. Appropriate access can range from "remote anywhere" to restricted, closed-room access available only to those with security clearances, as the Defense Department does for its classified systems. Mechanisms for protecting highly sensitive information -- like the information that was exposed in the recent breaches -- include segregating data, limiting its access, cutting off risky connections and using multifactor authentication. Until an agency can fully implement personal identity verification, for example, it might rely on alternatives such as authentication tokens and issue them to privileged users first.
5. Everyone needs good security advice. There's a reason why FISMA requires agencies to have a CISO. Given what's at stake, security goes to the heart of every agency mission and deserves attention at the highest executive level. CISOs' training and expertise make them indispensable guides for helping agency leaders define the limits of what's possible in security terms, outlining worst-case scenarios, offering alternatives and articulating what acceptance of risk means. Agency CISOs and their staffs can take advantage of ongoing training and assistance from industry subject-matter experts as needed to stay ahead of the curve.

The government does not have an easy task; cybersecurity is both a sprint and a marathon. Reducing current risks posthaste by cutting the number of privileged-user accounts and expanding multifactor authentication is an essential starting point. So too is practicing effective risk management.

Security officials and agency executives will need to work together to continually monitor and assess risk in light of a dynamic threat landscape and changing IT environment. They should start by fixing the most crucial problems first and limiting the risk and unnecessary exposure of critical information.