FCC vs. GAO: Haste = waste, or he who hesitates is lost?
The Federal Communications Commission was dinged in a recent audit for cutting corners while upgrading network security in response to a breach.
The Government Accountability Office said that the security of the commission’s Enhanced Secured Network was compromised because the FCC did not implement appropriate security controls and follow proper procedures in project development and deployment.
But FCC countered that the ESN was an emergency response, “designed to avoid an increase in security risks posed by delays in implementation,” and that even with cutting corners, “the FCC’s network is stronger, better, and more secure than it was before the commission started these upgrade efforts.”
The case is a good example of the conflict between the requirements of auditors who evaluate regulatory compliance and the demands on frontline administrators who must deal with real-world threats while keeping systems running. The conflict is an old one and has implications for IT security. Auditors evaluate how something is done rather than what is accomplished. They focus on process and documentation. Process and documentation are important because they help ensure repeatability of results and keep everyone on the same page while doing a job. Results often are hard to quantify and measure, so adherence to process can the best way to tell if requirements have been met.
But the guys on the front lines spend a lot of time putting out fires and patching things, with little time for paperwork. Duct tape isn’t pretty, but admins do what they have to do to keep things running. Maybe they can go back and fix it properly later — after putting out the next fire. Auditors hate this. Administrators aren’t crazy about it either and would gladly change things if they had the budget, time and resources they need.
The FCC situation began with the 2011 discovery of a breach during an upgrade of the commission’s security and monitoring systems. The ESN project was the response and it was brought in under budget and on schedule. But GAO found that impact assessments had not been done to ensure that the proper security controls were being used and that the system had not been formally reauthorized for operation as required by the Federal Information Security Management Act.
FCC acknowledged these lapses but said they were necessary at the time and that it had gone back to cover these bases after ESN was up and running.
Both sides have their points. The key to the dispute lies in a single word in GAO’s conclusion: “As a result of these and other deficiencies, FCC faces an unnecessary risk that individuals could gain unauthorized access to its sensitive systems and information.” The key word is “unnecessary.”
Did FCC create an unnecessary risk? Or did the commission accept a necessary amount of risk to get a necessary fix in place as quickly as possible?
It is impossible to say without knowing the details of the breach and the fixes, which haven’t been released. But it would be wrong to conclude that a risk is unnecessary just because it could be prevented under ideal conditions. Most people go to work each day and do the best they can with the conditions at hand, which seldom are ideal.
Posted by William Jackson on Feb 11, 2013 at 8:13 AM