Dacey: Agencies need smarter, stronger security management
- By Richard W. Walker
- Jun 13, 2003
Robert R. Dacey
Robert F. Dacey is the General Accounting Office's director of information security. He's been working on IT security for GAO since 1991. Before that, Dacey worked for the accounting firm Deloitte & Touche LLP. He has a degree from George Mason University Law School. Associate editor Richard W. Walker interviewed Dacey in his office in Washington.GCN: What is the role of GAO, as the investigative arm of Congress, in assuring information security in the government?
DACEY: GAO reviews information security, both for major agencies and governmentwide, in response to specific congressional requests and to fulfill various statutory requirements, such as reviewing information security as a critical part of financial statement audits.
In 2002, the Congress enacted the Federal Information Security Management Act'commonly referred to as FISMA'to permanently authorize an overall framework for managing information security at federal agencies, including annual review, independent evaluation, and reporting requirements.
FISMA also requires GAO to periodically evaluate and report to the Congress on federal information security and implementation of the act.GCN: What do you think are the biggest threats right to information systems?
DACEY: There are a number of sources of external threats, including terrorists, criminals and hackers. One of the reasons that level of threat is likely increasing is that hacker tools are more readily available. They're relatively easy to use and can be used to both scan for vulnerabilities and exploit them. A few years ago, such tools were really reserved for very computer-savvy individuals.
While you do ultimately have to be concerned about the nature of the cyberthreat'whether it's really an attack upon our country as opposed to an attack by a hacker'it's building that security regardless of the source of attack that's important.
That's a little different than the model traditionally used on the physical threat side, where you're worried about who's doing what. Here you're saying, 'There's a whole multitude of people that could attack; I need to protect my system against common ways that systems are attacked.'
At the same time, there is a significant threat from insiders. That's been identified in a number of studies as a significant area of concern, particularly since insiders likely are already authorized users on the systems at some level and have a significant amount of knowledge about those systems and how they operate.GCN: What are the specific risks involving insiders?
DACEY: Insider risks could include everything from theft or misuse of assets to disclosure of sensitive information and disruption of processing capabilities. [Internal risks] also include poor configuration of systems, which is really a management issue. It's as much a management issue as a technical issue.GCN: What are the biggest challenges agencies face in meeting cyberthreats?
DACEY: One of the unique challenges in cybersecurity is that attacks can be launched from virtually anywhere in the world and be disguised to make it very difficult, if not impossible, to identify the sources of the attacks.
So in response to that, it's important that agencies develop effective information security to prevent, detect and respond to those types of attacks, particularly in areas where there are known vulnerabilities or configuration errors that could be exploited by commonly known techniques.
Another involves critical infrastructure protection. The Office of Management and Budget now requires major agencies to identify their critical infrastructures, which are a subset of their information systems, and further identify their interdependencies on other government and private-sector infrastructures, such as power and telecommunications.
They then must come up with a plan to remediate any vulnerabilities in those systems.GCN: How well are agencies implementing security requirements?
DACEY: It's clear that agencies are making progress in improving information security, both from our reviews and from the Government Information Security Reform Act reports that OMB has received for the past two years.
At the same time, those reports highlight the areas that agencies need to improve their information security.
GISRA requires annual reporting to OMB by agency management and the inspectors general.
We've identified implementation of GISRA as a significant step in improving information security in the federal government.
The second-year GISRA reports indicate general progress across the various categories of performance measures that are reported to OMB.GCN: What are the primary areas where agencies are weak on information security?
DACEY: Our most recent analyses of audit reports and evaluations indicate that there are significant weaknesses in all of the 24 major agencies we reviewed. The most prevalent relates to security program management, which is embodied in FISMA. Agencies should have in place programs to manage their information security across the organization.
We've also identified weaknesses in a variety of areas besides security program management, including access controls, software development and service continuity.GCN: How crucial is upper management's role in this process?
DACEY: A security management program has to have effective management support. It's important because one of the keys to successful information security is not to rely solely on the information security team to do everything. They really have more of the responsibility to coordinate information security.GCN: What are the major elements of good security program management?
DACEY: There are several. One is ensuring that you've got a core information security management unit, a central group that coordinates information security across the organization.
It's also important that you have policies and procedures for assessing your security risks. You also need to implement a program to routinely test the effectiveness of your security systems and promote user awareness about their responsibilities for information security.GCN: What are the most important steps agency managers should take to improve systems security?
DACEY: I would discuss that in terms of short term and long term. Long term, they need to continue work at implementing FISMA, including developing systematic processes for managing security. FISMA has an annual reporting requirement, which serves as a tool for oversight by OMB and Congress. But agencies also need to have regular reporting processes to help managers monitor security and make adjustments on a day-to-day basis.
In the short term, there are a number of actions that agencies can take, including making sure that patches are up-to-date on their systems and scanning their systems for vulnerabilities. Increasing security awareness overall is another.GCN: OMB has mandated that agencies build IT security into their enterprise architectures. To what extent is that critical, insofar as most agencies are still in the early stages of building them?
DACEY: Security architecture is an important component of enterprise architecture in that agencies need to lay out and describe the nature of security architecture they want to have in their target environment. They should also have a transition plan on getting from their current structure to that target environment.
In the meantime, until these plans are developed and the transition plans are implemented, agencies need to work on improving information security today and complying with FISMA.
It's important for agencies to continue to keep up efforts to improve security as the enterprise architecture is rolled out.GCN: To what extent is technology the answer to security hurdles? Are there any silver bullets?
DACEY: Technology is certainly part of the answer. I don't think there is any particular technology that's a silver bullet. I think more likely it will require a combination of technologies and human resources to have effective information security.
We have many tools today that are very helpful in implementing information security, but it takes the interaction of people to make sure that they're working and that systems are secure. So you really need both.
There are a couple of recent efforts that are intended to strengthen the ability of technologies to improve information security. One is the passage of the Cyber Security Research and Development Act, which provides funding to promote R&D on cybersecurity.
The other is the formation as part of the Homeland Security Department of the Directorate of Science and Technology, whose responsibilities include both assessing current technologies and their applicability to cybersecurity.GCN: Is finding a balance between security and privacy a larger issue now as we move toward transformational electronic government?
DACEY: Agencies should develop appropriate privacy policies and procedures consistent with applicable laws. That's an important aspect and certainly one that's in the current public eye.
Security is the key tool for enforcing those privacy policies. So there is a relationship between security and privacy, but it's more to the effect of being able to enforce the privacy policies you have in place.GCN: As agencies outsource more IT services to contractors, what are the implications for security?
DACEY: OMB has identified [security in outsourced services] as one of a common weakness governmentwide, and we've also reported similar concerns.
The important thing about outsourcing is to make sure that there are provisions and processes for ongoing oversight of security related to that outsourcing. You need to make sure there is a common agreement on the level of security that's expected to be provided.
You also need to consider as appropriate the need for security clearances of some of the [contractor] staff who work on the systems and handle the data.GCN: The Federal Acquisition Regulatory Council is developing contract language to incorporate into future government services contracts. How much of an impact will that have?
DACEY: I think that's an important effort, but again it gets back to the challenge that agencies have to put in place appropriate processes to manage and oversee outsourced operations from a security standpoint.GCN: What do you see ahead on the security front? How can agencies prepare for the unexpected?
DACEY: It's hard to predict what the future will hold in terms of challenges, but I think there are a lot of steps that agencies can take to better prepare themselves for eventualities that we can't perceive today.
No. 1 is to provide appropriately layered security, where if one layer fails you have other layers to protect your systems below that.
The second area is looking at improving intrusion detection, either in terms of actual implementation or further R&D into that area, so that you can identify unusual activities taking place in your system and respond to them.
The third area that needs to be addressed is continuity planning. That's important because if everything else fails and there is a successful attack that does affect the performance of your systems, that you have a process in place to recover in a timely way.
It's also important to test those plans on a regular basis to ensure that they are effective and can be implemented in an emergency.
You'll never know exactly what the threats will be tomorrow, but there are things that can be done to help minimize or mitigate the impact.