Agencies need to put the "I" into security
Connecting state and local government leaders
Today's systems, policies and procedures were developed to lock information down, not to share it securely. Interoperable credentials could be the key.
National security increasingly depends on the ability of agencies at the federal, state and local level to cooperate across organizational and jurisdictional lines.
“This cooperation, in turn, demands the timely and effective sharing of intelligence and information about threats to our nation with those who need it, from the president to the police officer on the street,” says the president’s National Strategy for Information Sharing and Safeguarding, released in December.
This requirement has been complicated by turf wars, siloed databases and a lack of interoperable technology and policies. The strategy calls for a shift to interoperable shared services (read: cloud) and integrated policies that will require system upgrades in what the strategy calls an “extremely austere budget environment.” In other words, don’t look for the needed improvements in the nation’s information sharing infrastructure to happen any time soon.
But the real headache in meeting the strategy’s goals will be establishing the common identity and access management schemes that are needed to enable secure sharing.
Today’s systems, policies and procedures were developed to lock information down, not to share it securely. The security posture has been defensive and outward-facing.
“The focus of information safeguarding efforts in the past was primarily bound to systems and networks at specific classification levels,” the strategy says. This focus will have to shift to the data itself, regardless of where or what it is, with common standards for tagging data with metadata to enable discovery across multiple databases and using common platforms for identity and access management.
It might be relatively easy to move federal, state and local intelligence to interoperable cloud platforms in standardized formats, although it will take money that is unlikely to be available any time soon. But common identity and access management schemes systems will be tough to do.
It has been more than eight years since Homeland Security Presidential Directive 12 mandated an interoperable electronic ID card that could be used across all executive branch agencies and their contractors for both physical and logical access. Standards and specifications were developed by the National Institute of Standards and Technology in record time, and millions of Personal Identity Verification Cards have been issued to government employees and contractors. But despite this progress, most agencies still lack platforms for using the cards for unified access control for both physical facilities and IT systems, and there is little if any interoperation between departments accepting each other’s cards.
The problem is both a lack of mutual trust between agencies and the legacy systems underlying access control that have not been updated to accommodate a common set of electronic credentials.
Specifications have been developed for PIV-Interoperable cards, which could be used by citizens and state and local governments and accepted by federal agencies, and this could serve as a model for the kind of interoperable environment envisioned in the president’s strategy. But PIV-I cards are not being adopted and the lack of cross-agency acceptance of PIV cards at the federal level shows the difficulty of establishing a broad-based, secure scheme for identity and access management.
Getting thousands of law enforcement, security and intelligence agencies on the same page and willing to share their most valuable assets over a single system supported by interoperable technology is likely to prove a serious hurdle to achieving the president’s vision.