Risking IT

Computer security is the biggest information management challenge facing federal agencies.

Most agencies evaluated in the Federal Performance Project this year received B grades for information management. The grades for the most part reflect progress toward providing managers and employees the right information where and when they need it to improve program results. The National Weather Service earned an A with above-average communication and use of information about program results. The Weather Service not only brought in information technology to improve the accuracy and timeliness of forecasts, but it used IT to strategically restructure. At the other end of the spectrum, the Bureau of Indian Affairs' D was based on an utter lack of strategic planning for information resources and a failure to assess employees' information needs or to link information technology across the agency.

Most agencies graded this year are working hard on projects to improve the flow of information and its use in enhancing productivity. The U.S. Postal Service, for example, is turning to the Internet to combat dwindling mail volume by creating new electronic services. USPS also is developing an agencywide information platform knitting together a web of sorting machines, databases, servers and computers providing real-time data to supervisors to track mail and worker productivity. By tracking catalog delivery times, for example, the Postal Service will enable its mail-order customers to better match staffing and workload.

NASA is creating Web portals where staff across the agency can find and share information about project management and technology innovations. The hope is that improving access to knowledge will help combat staffing shortages in key occupations. The space agency also is using computer modeling and simulation to improve work processes, often reducing the number of employees required to accomplish difficult tasks. The State Department's Bureau of Consular Affairs has used fees for its new machine-readable visas to automate the process of checking names against lists of those ineligible to enter the United States. The fees also provide for a 12-month maintenance cycle and a three-year replacement cycle for the bureau's computers.

Agencies' information needs differ widely, but all face a growing problem common across the federal government: securing sensitive information and the technology used to store and disseminate it. All agencies and all sorts of data are at risk. Often agencies are most vulnerable in the areas that seem most innocuous. Take the Army's personnel system, for example.

In late 1999, Aaron J. Eden, a disgruntled Army private, hacked into the Army Enlisted Records and Evaluation Center computer system in Indianapolis. Eden successfully deleted 38,000 personnel-related files and then covered his tracks. He used Back Orifice 2000, a program that enables hackers to remotely control computers over the Internet. Working from his home computer, Eden also installed a "sniffer" program that secretly gathered the passwords of Army computer systems administrators. He used the passwords to gain unlimited access to the Army's personnel records and roamed unchecked, deleting records and the logs that would have revealed his crime. Despite his careful execution and cleanup of his crime, Eden couldn't resist bragging about his feat in an Internet chat room. The chat files led authorities to his doorstep and, ultimately, to his hard drive. The Army was able to retrieve its files, but not without considerable trouble.

Today, no agency is immune from attack by a hacker, like Eden, who is patient, dedicated and technologically adept. And in the hands of outlaw corporations, criminal syndicates or enemy nations, techniques such as those used by Eden could bring whole departments, even cities or the nation, to their knees. Consider that 20-year-old Jason Diekman, a resident of Mission Viejo, Calif., has pleaded guilty to breaking into NASA systems at the Jet Propulsion Laboratory in Pasadena, Calif., between March 1998 and September 1999. He used those systems to infiltrate other government and university computers, including NASA systems involved in satellite control located at Stanford University. Scores of defacements of civilian agency and Defense Department Web sites in recent years emphasize the government's vulnerability.

Everyone's Problem

Federal officials are beginning to realize that all agencies, not just those in the national security arena, face information security challenges. "You can't say that if you don't have sensitive data you don't need to be protected," says Alan Paller, director of research for the Systems Administration, Networking and Security (SANS) Institute of Bethesda, Md.

While many agencies don't have much classified data, all of them hold sensitive personal data in the form of employee or citizen records. An agency's information security needs depend on the role data and equipment play in achieving its mission. For some agencies, data confidentiality is paramount, because loss or alteration of their data has national security or privacy implications. For the Central Intelligence Agency, secrecy is key: if the CIA's computer security were compromised, intelligence leaks could cost agents their lives. The Health Care Financing Administration must guard the confidentiality of records containing citizens' personal medical data. Other agencies are most concerned about keeping their networks operational. Still others, like the National Weather Service and the Commerce Department's Economics and Statistics Administration, must provide accurate data to the public, so protecting the integrity of information is their prime concern.

Agencies also must protect themselves in order to safeguard others. The multitude of connections among federal organizations, other government entities, the private sector and citizens offers hackers many open doors. Agencies must take pains not to be made unwitting accomplices in computer crimes. Investigators discovered that federal computers were used in February 2000 to launch denial-of-service attacks at Internet firms Yahoo, eBay, E-Trade, CNN.com and Amazon.com. Hackers flooded these Web sites with so much data they were slowed to a standstill or taken out of commission. The attackers "enslaved" computers by loading remotely controlled software on vulnerable systems at multiple sites, then used a master computer to direct the attacks of the "slaves." The FBI found that computers at the Agriculture and Defense departments were used as "slaves" in those attacks.

"I don't think that even the best security programs can stop the best hackers," says Sallie McDonald, the new assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration's Federal Technology Service. "It's a continuous battle. These days, the fact that an agency would know when it has been compromised is an indication of a good program. It's really bad when you don't."

Protecting information is complicated by the proliferation of computers connected to the Internet. Because open access is the raison d'etre of the Internet, limiting access has proved difficult. Back doors into individual computers and computer networks are everywhere. "People don't have the time to put in software patches or to be sure firewalls have been tested or that there are no vulnerabilities," McDonald says. "Sometimes we're so busy taking care of all the fires that are burning that we overlook security. Up until now, it hasn't been given a high priority."

Good security requires discipline and vigilance. Just keeping software protection up to date can eat up much of a system administrator's time. Software requires constant patching to eliminate the openings that hackers constantly are discovering. Patches must be downloaded from vendors and loaded onto agency networks and computers to repair errant code. Patching software often means taking a computer system off line, thereby disrupting agency operations.

Getting Data Out

Of this year's Federal Performance Project agencies, NASA, the National Weather Service and the U.S. Postal Service rely most heavily on information technology and thus face the largest security challenges.

Across government, program managers tend to ignore security. "There tends to be a lack of effective communication between the technical people who design, implement and manage systems and the less technical or program managers who really rely on those systems," says Jean Boltz, assistant director for information security issues at the General Accounting Office.

At the Weather Service, officials worry less about keeping people away from their data than about keeping the forecast information they distribute up-to-date and accurate and systems up and running. "For the Weather Service, availability is our highest priority, followed by integrity and finally confidentiality," says Conrad Lovley, the Weather Service's information technology security officer. But that doesn't mean Weather Service officials are lackadaisical about security. NWS employs computer security officers at each of its 16 forecasting centers, six regional headquarters offices and at its national headquarters.

Information security personnel also are attached to the Weather Service's two major programs, the Advanced Weather Information Processing System (AWIPS) and Next Generation Weather Radar (NEXRAD). It is rare for an agency's programmatic IT systems to have dedicated security people. The security officers attached to AWIPS and NEXRAD provide on-the-spot know-how and continuous system monitoring. The Weather Service also benefits by having access to the full-time incident response and monitoring team of its parent agency, the National Oceanic and Atmospheric Administration. NOAA notifies the Weather Service of network irregularities or attacks.

The Weather Service runs two distinct computer systems: an operational network for forecasting data systems and an administrative network for finance, human resources and other service systems. The agency focuses most of its security resources on the operational network because that's where its core mission is carried out. NWS has decreased its risk by not connecting its operational network to the Internet. But even taking that step may not be enough to protect a network, as the Defense Department has discovered. Last May's ILOVEYOU virus infected at least four classified Defense networks that were not Internet-accessible.

Electronic Government

Agencies such as the Postal Service, which want to communicate online with their customers, don't have the luxury of disconnecting networks from the Internet to protect them. Many new Postal Service programs involve the Web and e-commerce. Hybrid messaging, for example, allows postal customers to create messages online and have them delivered on paper to recipients' homes or offices. The Postal Service also is offering an e-messaging service designed to be a more secure form of e-mail. Postal executives say they operate a corporate program that thoroughly considers the information security needs of every new initiative. "The Internet is the way a great number of our customers want to get information and do business with us," says Stephen Kearney, Postal Service senior vice president for corporate and business development. "Because of this we have very rigorous security processes and review anything new involving the Internet."

"Security is always a factor we have to manage," adds Rick Weirich, vice president for information technology. "We make sure we get a risk assessment done for new systems. We then put together a plan for managing risk. For Postal, this just comes with putting up a new system. We have been busy upgrading our security infrastructure to enable us to stay up with the trends in the hacking industry." The Postal Service takes what Weirich terms a "tiered approach" to security, with layers of firewalls designed to divide its networks into guarded segments. A central operations center monitors postal computer networks for intrusions and responds to them. In the event a system is breached, the center can investigate the damage caused and track the intruder's activity. When dividing up precious security resources, Postal Service IT officials consider the sensitivity of systems and data. "We look to see whether a system is sensitive or not, whether it performs a business critical function," Weirich says.

Weirich speaks with the discipline of someone well-acquainted with the day-to-day needs of a security program. "The complexity of this issue only increases with time," he says. "This is because we are all using lots more technology than we ever used to." Like other information security managers, Weirich sorts risks by the type and duties of the systems he oversees. For example, in the basic office environment, the single largest threat is viruses, he says. He talks about "tightening up whole environments," that is, protecting networks by keeping up with software patches and revisions. The work is exacting and never-ending, Weirich says. "Because you are trying to prevent something from happening, you're never going to be 100 percent sure how you are actually doing."

"We've had folks come and peck at us," Weirich says, referring to hackers probing his agency for vulnerabilities. "One was able to get in and modify text on a Web page." No serious damage has been done thus far.

Digital Fortification

In his continuous efforts to "tighten up the whole environment," Weirich is unusual. Far more common are information security managers who fail to actively monitor and continuously maintain their software. Don Walker, chief executive officer of Veritect, a Reston, Va., information security company with many government clients, says security managers must take four steps to fortify their programs:

  • Evaluate which information and systems are vital to the agency's mission. "You can't protect everything," Walker says.
  • Identify likely foes who might try to gain access to critical information or systems.
  • Identify system vulnerabilities. Vulnerabilities come in two flavors: software holes and unprotected connection points to the Internet.
  • Balance risk and expense by identifying affordable solutions. Agencies that seek to buy technology solutions for every possible problem will never have enough funding. For instance, high-powered servers that can contend with huge data onslaughts can keep computer systems humming even during denial-of-service attacks. But buying such expensive equipment may not be warranted at agencies with relatively low Web traffic.

"You must go through this four-step process continuously," Walker says. "Agencies . . . must install best-of-breed software and engage in an active defense."

"It all starts with a security assessment," says Richard Stiennon, research director for network security at the Gartner Group, a Stamford, Conn., market research firm. He recommends that agencies engage experts to discover their security weaknesses and recommend countermeasures. Too often, Stiennon says, agencies that do perform assessments ignore or forget the resulting recommendations. "Generally, a security assessment will point out an out-of-date security policy," he says. "Some organizations have fairly extensive security policies, but in many cases they are 15 years old and predate the Internet."

Continuous security assessment also should reveal the degree to which an agency's own employees pose a threat, Stiennon says. "The federal government employs a huge workforce that is educated in how to use computer equipment. They also know where the data is." For these reasons he cautions agencies: "The classic, highest area of vulnerability is in disgruntled workers." Strict password controls and the use of systems that require employees to possess digital certificates to verify their identities can mitigate the security risk posed by employees.

Stiennon also suggests that security assessments include scenario planning. "You make a list of all the possible damage that could be done to your network and systems. Then you look at the repercussions," Stiennon says. "This must include high-level executives because they are the ones responsible for ensuring the agency's job gets done." Top managers can highlight the importance of computer security and provide the resources necessary to solve problems uncovered by a security assessment.

Measuring Performance

Now that more agencies are beginning to understand the controls needed to protect information, they are looking for ways to measure the effectiveness of their security programs. It's a frustrating quest. "There aren't any good security metrics as of yet," says Stiennon. NASA is one of the few organizations attempting to measure IT security program performance.

"We think measuring is important in this area," says David Nelson, NASA's deputy chief information officer for IT security. "NASA grounds its security program in what it is trying to accomplish," he says. "IT security risks are assessed, understood and mitigated to the point that residual risks are considered acceptable by management." Among NASA's goals are:

  • To train the agency's entire workforce (civil service and contractor, technical and non-technical) to understand the importance of information security. NASA is beating its goal of having 90 percent of workers receive such training.
  • To keep software protection up to date. When searching for security holes, NASA expects to find one security weakness in every four computers scanned. Recent scans are picking up fewer than that.
  • To remain vigilant and deal with security threats as they occur. Nelson admits it's tough to develop performance measures for this goal. Currently, NASA monitors the ratio of successful hacker incursions to attempts.

The Chief Information Officers Council, a cross-agency group of federal information technology executives, has created a framework agencies can use to grade their own security programs. The framework also helps agencies ensure their security programs comply with federal information security policies.

While overseeing agencies' defenses and probing for weaknesses, IT security experts also are looking to the future. NASA's Nelson says that today, agencies are doing little more than scrambling to respond to the hack of the day and furiously downloading software patches whenever a new hole is discovered. "Looking ahead, I am somewhat pessimistic," he adds. "Our approaches to IT security are ad hoc and reactive."