Government IT Leaders Wrestle With Security Risks
- 26 September, 2013 23:21
Charles McClam, deputy CIO at the Department of Agriculture, said that mission-critical applications in his organization are housed in data centers around the country, and the employees responsible for keeping them secure are considered exempted personnel, meaning that they would continue to work even in the event of a government shutdown.
"At this juncture I don't see anything that's going to be problematic [with] enterprise security," McClam said here at a government IT conference.
Naeem Musa, CISO at the Federal Energy Regulation Commission, said that his agency contracts much of its security and monitoring activities out to vendors in the private sector, which would be unaffected by a shutdown.
Congress has until the end of the month to approve legislation to keep the government running, though its ability to do so in that time frame is in serious doubt. As of this afternoon, the Senate appeared poised to pass a temporary spending bill, stripping out language to defund President Obama's health care reform bill that had been included in a measure passed by the House. But Republican leaders have signaled that they are unlikely to accept any bill the Senate passes without making their own changes, which could run out the clock on the month-end deadline, the Washington Post reported.
Federal Big Data Initiatives Bring Big Security Challenges
But even if federal IT managers don't see a great threat to their systems' security from a potential government shutdown, they still have plenty to keep them up at night. At Thursday's conference, officials described the security challenges that accompany big data initiatives, even as the government is trying to make more of its data sets publicly available rather than keeping them locked inside the federal firewall.
"Securing the data, even if it's public, it's open, you still have to protect the integrity of that data, make sure the data has not been changed and whatever you serve out there is accurate to the public," Musa said.
If anything, the drive toward open data might create additional security challenges as agencies understand that they can no longer simply apply a one-size-fits-all policy that sets closed as the default setting for their data assets. That means that they must adopt more nuanced security policies tailored to the nature of each data set, and yet still have some overarching protections as those assets become linked.
Kevin Charest, CISO at the Department of Health and Human Services, described the "war" that pits "the desire to share, the desire to bring these data sets together, against the responsibility that's associated."
"One of the challenges of bringing big data sets into one place is you inherit the insecurity of all. So you create almost like a shopping place for a would-be bad actor if you're not careful," he said. "So you have to balance that desire for openness, desire for collaboration, the willingness to move in new space with rationality of securing that data."
Security Challenges Come Quickly and Government Lacks Agility
The federal government is not known for its agility in adapting to new technologies, a condition that traces to its vast size, organizational culture and the rules surrounding new procurements and system deployments, among other factors. Small wonder then that federal officials see partnerships with private-sector firms as a critical element in improving the government's cybersecurity posture.
Count among those Agriculture's McClam, who challenged the IT vendors in the room at Thursday's conference to organize a formal, recurring confab that would bring together leaders in the public and private sectors to compare notes on evolving security trends.
"Technology evolves very, very fast," McClam said. "Look at ways to come up with some kind of semiannual forum, cybersecurity forum, where you have senior leadership of the various federal agencies as well as the leadership of the industry, our industry partners, coming together so we can stay apprised and stay on top of emerging security solutions, emerging security threats."
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.