Government agencies must update their policies so they can continue to leverage the flexibility of buying off-the-shelf products while still meeting stringent security requirements.
Like business, the federal government is digitally transforming, participating in open-source communities, crowdsourcing and deploying a wide array of digital solutions to increase efficiencies and save costs. Also like business, government's risk increases as its digital footprint expands through connected devices. And the government's massive size coupled with myriad procurement and security regulations can lead to unexpected complications as it works through digital transformation.
The Department of Defense inspector general, for example, found significant IT vulnerabilities in the department’s purchases of off-the-shelf peripherals with known cybersecurity risks. These printers, cameras and scanners, with their Wi-Fi connectivity and hard drives, have become hubs for document workflow management and have opened DOD to unnecessary risk.
Although the traditional acquisition process for big-ticket items is very rigorous, this IT equipment was bought with government purchase cards, which can be used for items costing less than $10,000. When the same data that is so rigorously protected on DOD’s servers and computers is, for example, sent to a vulnerable printer, all of that protection disappears. I can think of numerous ways that data could have been at risk -- those files could have been left on the third-party devices’ hard drives and exfiltrated via Wi-Fi, or simply lifted by anyone who walked by with a thumb drive. Further, vulnerable devices may include malware or malicious code that could infect government networks and compromise missions.
Government inspectors found that Army and Air Force purchase cards were used to buy $32.8 million of off-the-shelf office equipment with known cyber vulnerabilities in fiscal year 2018 alone. That is a tremendous exposure to risk, as all it takes is for one file to have been left unprotected amid a mountain of IT equipment.
Federal agencies have already taken some wise steps to safeguard IT security. For instance, all employees must use a governmentwide PIV card for network authentication, yet that is only a starting point. DOD must update its policies so it can continue to leverage the flexibility of buying off-the-shelf products -- but only select printers and peripherals that have been designed with more stringent security features, such as the absence of device hard drives to prevent sensitive data from being stolen from devices.
Given the value of the data the government protects, not to mention the taxpayer dollars invested, it is incumbent upon the federal government to fully understand the risks posed by digital transformation and address these challenges aggressively. One encouraging sign is that chief risk officers are becoming more common in the federal government at an agency level, just as they are in the private sector. Given the size and complexity of government, steps like this are necessary to eliminate vulnerabilities, IT and otherwise, along the public sector’s journey to digital transformation.
NEXT STORY: ID validation on the fly for emergency response