Just about any Q&A with a federal security administrator is bound to have a tremendous number of strange acronyms and confusing allusions. This session at CSOonline.com with Dennis Heretick, chief information security officer with the Department of Justice, is no different. However, two important points come across in the piece.
The first is that the federal government needs to find a way to communicate securely across organizational lines. The Justice Department must be able to move information safely to and from the CIA, the FBI and other parts of the government. That is difficult for a couple of reasons. The two departments may differ greatly in security sophistication, which makes it hard for the more secure organization to trust the other with sensitive information. And even when the two are roughly equal, differences in technology can make secure communication difficult.
The other point is perhaps more significant. Despite all the acronyms and high-falutin concepts, Heretick says the most common attacks are well known to IT security folks. The following paragraph suggests that if government security teams simply applied the technology already in place against problems that are already known, there would be far fewer scary headlines about the government's inability to protect digital data. Said Heretick:
[The biggest problems are] basic things we already know to protect ourselves against. So that prioritization that I talked about is critical, and prioritizing the controls and implementing those things are basic weaknesses. The criminals and others who attack our systems are not doing that, for the most part using high-tech methods. They're using the basics. So what would keep me up at night is not to have done due diligence in doing the basic protections.
The situation doesn't only extend to the government, of course. Indeed, industry, academia and other sectors also seem to be failing the security test. Ars Technica says that 159,105,898 people have been impacted by data leaks since 2005. The piece provides five examples (two from academia, one from state government and two from industry) and links to the terrific Privacy Rights Clearinghouse site. The heart of the site -- but by no means the only valuable information offered -- is a chronology of data breaches. It makes for interesting and frightening reading.
Indeed, it's still dangerous out there. In June, Telework Exchange and Utimaco sponsored a study of federal PCs and laptops. The results are reported in this Network World story. The survey found that 13 percent of employees do not have encryption on machines they were recently issued. Even after the Department of Veterans Affairs fiasco, only 48 percent of respondents got training from their agencies, and encryption and other security measures were updated on only 47 percent of machines. Sixteen percent said their agencies did nothing after the VA theft.
The results from the field also are mixed. There are, of course, a mountain of scary headlines. The good (or at least inconclusive) news is that the link between data leaks and actual fraud is not definitive. Last month, the Government Accountability Office looked at the 24 largest data breaches between January 2000 and June 2005. Only three led to proven fraud. Most reports on the GAO study pointed out that the other breaches may well have led to fraud that simply could not be proven.
Clearly, the lack of a smoking gun linking data leaks to huge losses is no reason for security teams to be anything short of hyper-vigilant. Indeed, the uncertainty is one more reason -- if one was needed at all -- to redouble efforts, since it suggests that the good guys may still have a fighting chance.