Agency security is a people problem, not a technology problem
The Environmental Protection Agency got a black eye recently when it had to shut down much of its Web site at the urging of Rep. Thomas J. Bliley (R-Va.), the House Commerce Committee chairman, because of security holes.
A General Accounting Office report found 'serious and pervasive problems that essentially rendered EPA's agencywide information security program ineffective,' in the words of David L. McClure, GAO associate director for governmentwide and Defense information systems.
EPA had to put on hold its ambitious plans for collecting and disseminating information online. But similar shortcomings are rife throughout government. An assessment of the Defense Message System in the Defense Department's 1999 annual report, for example, said DMS could be penetrated with only moderate effort.
Job descriptions
In both cases, the weaknesses were people problems, not technology problems. DOD fell short in software installation and configuration. EPA never corrected known vulnerabilities. 'Security program planning and management is fundamentally weak,' McClure concluded.
The problem is two-tiered, and it starts at the top. Alan Paller, director of research at the SANS Institute of Bethesda, Md., recently coached an audience of government information professionals on how to make a business case for security.
Despite years of warnings, 'senior management is not very interested in security,' Paller said. 'We find lip service is the most common reaction.'
The second tier of the problem is a lack of qualified security personnel. Because of the fundamentally insecure nature of common operating systems and hardware platforms, implementing and maintaining security is labor-intensive.
Jim Hansen, formerly an agent with the Air Force's Office of Special Investigations and now a principal consultant at Trident Data Systems of Oakton, Va., said the labor shortage is the bigger threat.
'I think the government is way ahead of the commercial sector in recognizing risk,' he said. But of the 40 or more people who worked with him three years ago in OSI's computer crime investigation division, he said, only about eight still work in government. Companies such as his have drawn away government and retired military employees.
The Clinton administration has proposed giving financial aid to technology students who agree to work for the government after graduation. It's a good idea, but it will take years to produce results, and the revolving door to the commercial world won't stop as long as government pay scales don't match those in the private sector.
Bliley made the business case for securing networks and systems when he effectively shut down EPA's site. Now it is up to top management to put a higher priority on security or watch the promise of electronic government die.