As threats rise, feds shelter their IT

These are the times that try the souls of government security managers.The threat of cyberattacks on government systems is escalating as computers become ever more interconnected, use of the Internet increases, and attack technology becomes ever more sophisticated and readily available.'Cyberspace is the nervous system of all this infrastructure we need to worry about,' said Howard Schmidt, former vice chairman of the President's Critical Infrastructure Board.[IMGCAP(2)] The FBI's growing list of potential sources of attacks includes criminal groups, foreign intelligence services, hackers, politically motivated hacktivists, disgruntled insiders and virus writers.Even worse is the threat of swarming attacks'potentially catastrophic, simultaneous assaults on physical and network infrastructures.The number of computer security incidents reported to the CERT Coordination Center at Carnegie Mellon University for the first quarter of this year was 42,586, already more than half the number reported for all of last year.The reporting of incidents may have doubled in part because of improved detection technologies and increased systems monitoring, observers said.But there is no question that more attackers are rapping unremittingly at government firewalls.One reason is simply that it's getting easier to acquire weapons with which to break in.'A hacker can literally download tools from the Internet and point and click to start an attack,' the General Accounting Office noted in a recent report to the House Government Reform Committee.IT security is becoming a game of leapfrog, with the bad guys amassing growing numbers of more sophisticated tools, and agency officials constantly trying to stay ahead of them.Federal spending on IT security products and services will continue to rise annually by 7 percent through 2008, according to market researcher Input of Reston, Va. Input predicts that federal security spending will increase from $4.2 billion this fiscal year to nearly $6 billion within five years.But beyond more money, the Bush administration is pressing agencies to infuse security into all levels and aspects of agency business. IT security consciousness must be ubiquitous.'Agencies have to make sure [security] is in their enterprise architectures, in their business cases, and in their system administration, operations and support practices,' said Mark Forman, the Office of Management and Budget's administrator for e-government and IT.Integrating security into enterprise architectures has emerged as a major theme, with OMB pushing agencies to build architectures and use them as tools to improve efficiency and organization.'It's really key to driving the strategy and direction of security,' said Robert Dacey, director of information security issues for GAO. 'You have to have a vision of the general way in which your security is' built.[IMGCAP(3)] Enterprise architectures describe the current and future relationships of organization's IT and business functions. OMB has made these blueprints for modernization even more of an imperative by tying funding to their development.In the Federal Enterprise Architecture Program schema, there are five reference models'for performance, business, services, data and technical layers.With the focus on IT security intensifying, why no reference model for security?Bob Haycock, OMB's chief architect, said that security can't simply be another layer; it has to be built into each of the other five components.'It's not saying, 'OK, we've got to think about security and plug that in now,' ' he said. 'Security has to be embedded throughout in almost a 3-D way.'At the Homeland Security Department, for example, the 'approach is to design it in, not bolt it on afterwards,' CIO Steve Cooper said.Haycock added that OMB is creating a framework for embedding security into enterprise architectures but couldn't give an ETA for its release. 'Right now, I'm focused on getting those five reference models out,' he said.While weaving security into enterprise architectures is crucial, it's still a long-haul effort. Most agency architectures are still in early development.So agencies must not be distracted from battening down the security hatches in the short term, federal watchdogs said.DHS, which is bringing together the systems of 22 previously unconnected agencies, is a prime example.[IMGCAP(4)] 'It's important to have a unified architecture across the department,' Dacey told the House Government Reform Committee recently. 'Security is an issue, and it should be built into the architecture. But at the same time, the department faces heightened risks for their information security in general that need to be dealt with in the short term. ... You're developing a massive network and, if not properly constructed and secure, you're going to have risks.'Of immediate concern for agencies are glaring shortcomings in security program management.GAO, while citing progress on systems security, found in a recent report that all of the government's 24 major agencies had 'weaknesses in security program management, which provides the framework for ensuring that risks are understood and that effective controls are selected and properly implemented.'There were, for example, significant weaknesses in access controls'which ensure that only authorized users can read, alter or delete data'in 92 percent of the agencies reviewed.OMB, in its second report to Congress under the Government Information Security Reform Act of 2000, while also noting progress, found that more than a third of federal systems have not been assessed for risk and have no up-to-date security plans. Moreover, fewer than half of the systems have been certified and accredited, OMB said.Certification and accreditation of systems'which involve evaluations both internally by agencies and externally by private-sector organizations'is a major area of vulnerability, and one that's easily corrected, Forman said.'Agencies that are making progress generally have good configuration management and architecture procedures,' he said. 'If agencies have plans and systems are well-built using good IT management practices, systems are easy to certify. Systems not in that environment are harder to certify.'Lack of user education is another pervasive weakness, Forman said.'I think of it in terms of getting all employees trained in IT security best practices,' he said. 'It's everything from passwords to not printing sensitive information on public computers.'What are the most important things agency managers should do to improve systems security?'Agencies need to build security in the front end because it is more expensive to do after the fact,' Forman said. 'If you are maintaining your system and deploying a patch each time one comes out, it will take just a few minutes. But if you haven't been maintaining your system and must deploy several hundred patches, it will take a lot of time to do it.'Privacy is another issue that is looming ever larger as government moves toward more extensive and complex online transactions with the public'a major element of the President's Management Agenda.'I think there's a growing appreciation for privacy,' said Keith Herrington, the Transportation Security Administration's chief enterprise architect, currently detailed as acting CIO for DHS' Information Analysis and Infrastructure Protection Directorate.'There is much more of an understanding that if you're going to provide service to citizens, privacy by its very nature has to become more important because you're building in this capability to get information more efficiently,' Herrington said. 'By the same token, you're building in the capability to share information, which can be shared inappropriately. So the two have to be worked out in concert.'For many, dealing with security and privacy is an increasingly tricky issue.'It's a balancing act,' OMB's Haycock said. 'You can't have all one or all the other. That's the dilemma right now.'But for some the equation is clear: Security comes first, Schmidt said, because it protects an individual's private data. 'Without security, you have no privacy. Security is the way you reach that goal.'