Managing risk is a lot more than just locking doors and Windows
In 1996, 1997 and 1998, the General Accounting Office called the government's information security lax. Last year, GAO discovered the situation had gotten worse.
Its report, Critical Infrastructure Protection: Comprehensive Strategy Can Draw on Year 2000 Experiences, said the nation's critical systems infrastructures 'are at increasing risk of severe disruption.'
The culprit: a lack of management procedures and controls. There are plenty of security programs, GAO said, but they are not coordinated, and they do not have comprehensive planning.
Vulnerability is not necessarily unacceptable, however. One critical element in the security process gets no more than a passing mention in GAO's assessment: determining what adequate protection means. The name of the security game is risk management.
Managing risk requires balancing the degree of risk against the cost of security. Absolute security is usually not feasible, and security improvements carry a price tag not only in the cost of technology, but also in resources to implement and maintain it and in wasted productivity. So first, an agency must decide which risks are acceptable.
More than a decade after the Defense Department's Advanced Research Projects Agency established the first computer emergency response team, and nearly 18 months after Presidential Decision Directive 63 mandated securing the nation's critical infrastructures, security conditions have not improved. GAO reported in 1996 that 10 of the 15 largest agencies had serious information security weaknesses. An audit last year concluded that more than double that number, 22, were at risk.
A once-in-a-millennium event could change that drift. 'The year 2000 challenge has served as a wake-up call to many who were previously unaware of our nation's extensive dependency on computers,' GAO said.
Testing, testing
Coping with the date change forced agencies to identify which systems were mission-critical and what threatened them. 'Year 2000 can be viewed as a major test of our nation's ability to protect its computer-supported critical infrastructures,' GAO said.
Fixing the government's systems has demonstrated the importance of high-level congressional and executive branch leadership. From that, all else flows. But leaders must remember that in deciding whether a system is secure, it is not enough to discover if it is vulnerable. Decisions must be made about the value of the security.
In the 1950s, realizing the North American Aerospace Defense Command was vulnerable to attack, DOD buried NORAD headquarters under a granite mountain in Colorado, the equivalent of hardening and locking down a system. It's secure, but at the cost of functionality and user-friendliness.
Hundreds of visitors line up to walk through the White House and the Capitol each day. Although the buildings are more vulnerable than NORAD, officials have decided that the value of keeping these icons of democracy accessible outweighs the risks. Information technology might not carry the same emotional weight as marble facades, but the same idea applies.