For government IT professionals, few issues hit closer to home than IT security.
Public agencies and government programs deal in some of society's most sensitive information -- military and police data, court records, and health and property information, to name a few. A glance at recent news headlines shows the fallout that hits public officials, IT professionals and citizens when this data is left unprotected.
Given the stakes, it's not surprising that CIOs rank IT security among their top priorities. Members of the National Association of State Chief Information Officers (NASCIO) put information security at the top of their to-do lists for 2007 and at No. 2 for 2008.
The response was similar from nearly 500 state and local Government Technology subscribers who responded to a reader poll in late 2007. Respondents ranked information security as their top priority this year, placing it above other hot-button issues such as homeland security, work force retention and IT consolidation.
Clearly, security has your attention. But is attention translating into action? That's a question we attempted to answer in January with the Government Technology IT security survey. The results present somewhat of a mixed bag.
First the good news: Nearly 60 percent of your organizations have established a chief information security officer (CISO) or similar position -- a figure that compares favorably with the private sector. Those CISOs also seem to be positioned for success, with appropriate access to both the CIO and agency upper management.
Furthermore, almost 80 percent of your organizations now have a formal security policy, and most of you said recent high-profile security events raised awareness of cyber-security but didn't discourage new technology deployments.
And now the bad: Survey results indicate a fair amount of complacency among respondents, as well as a troubling lack of knowledge about both the volume and nature of cyber-attacks against their organizations. In addition, security awareness may be up, but security funding generally is not. Finally, security training -- perhaps one of the most effective weapons against information security breaches -- remains an afterthought for many respondents.
Feeling Too Good?
More than 75 percent of respondents rated their cyber-security preparedness as good or fair -- a realistic estimate for organizations coping with rapidly changing security threats. But another 18 percent described their security preparedness as excellent, an assessment that could indicate dangerous overconfidence.
"To be among the 18 percent that said 'excellent' is delusional, and it also reflects a complacency that you can't afford in that space," said Paul W. Taylor, chief strategy officer of the Center for Digital Government. "There's much more realism in the 'fair' and 'poor' rankings and the bare majority that said 'good.' I think that's a reasonable position to take -- one that reflects that agencies are doing as well as possible under the circumstances. But they're not making any claims that they've got the situation in hand.
"I think security's function is always to believe that they don't have it in hand," he continued. "There always are revolving threats, both internal and external."
Survey results also show that state and local governments are getting serious about putting someone in charge of their information security efforts. The number of state and local agencies creating a CISO or similar position compares well with the general industry trend. CIO magazine's 2007 global information security survey -- which polled 7,200 respondents in various industries worldwide -- also found that 60 percent of organizations had created CISO or chief security officer positions.
Furthermore, government CISOs seem to be in the right place organizationally to make an impact. Taylor said the survey indicates a dual reporting relationship that gives CISOs access to both the CIO and agency management. Thirty-five percent of respondents said their CISO reports to the CIO or top IT executive, a reflection of the need for information security to be tightly ingrained in an organization's overall technology structure. And nearly 50 percent said the CISO reports to an agency head or deputy director, indicating that many security officers can quickly escalate security problems to the very top of the organization.
"You have 35 percent reporting to the CIO, which is a healthy development," Taylor said. "But these results also suggest that the security officer can talk to their boss's boss if they need to without being accused of insubordination."
On the other hand, the survey exposed a troubling lack of knowledge about the nature and frequency of cyber-security attacks against government organizations. More than 40 percent of respondents said they didn't know if the volume of attacks against their organizations had changed over the past two years. And almost 50 percent didn't know if the sophistication level of these attacks changed over the same period.
Dan Lohrmann, Michigan's CISO, called this lack of awareness a negative trend. "From my point of view, attacks are absolutely becoming more sophisticated," he said. "And that's the view of most security experts -- just about anybody who is speaking on security anywhere in the world will tell you that."
But the trend isn't confined to state and local government. CIO magazine found similar results in its global security survey, where 40 percent of respondents didn't know how many attacks had hit their organizations, and 45 percent couldn't identify the types of attacks hitting them.
"It doesn't bode well that after years of buying and installing systems and processes to improve security, close to half of the respondents didn't have a clue as to what was going on in their own enterprises," the CIO magazine article stated. The magazine attributed some of the problem to a concentration on technology -- firewalls, intrusion detection, etc. -- instead of risk analysis and intelligence gathering.
Will Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC), said results from the Government Technology survey indicate a wide disparity in security sophistication among respondents. Organizations such as the CSCIC office are working to improve knowledge of security issues among government workers by issuing regular alerts on security threats, holding training exercises and other activities.
"One thing we have tried to do here in New York is provide situational awareness. There's so much noise out there, there's so much happening, that the average user may not know every single time there was a virus -- but we distribute our advisories as widely as possible," Pelgrin said. "Our advisories go to all the ISOs in the state, they go to all the CIOs in the state, and they go to a good portion of the agency commissioners -- as well as the private sector and other states across the country."
Pelgrin also makes growing use of graphics and visualization tools to make security threats more understandable to a general audience. For instance, his office is producing a graph showing the security vulnerabilities of various computer operating systems. It's also tracking cyber-security events geographically and mapping them to Google Earth to produce 3-D representations of the volume, sources and targets of cyber-attacks.
"The intent is more than just eye candy," he said. "The reason I've been so active in putting a graphical face to this is so we can show what we're doing. Then CISOs and ISOs have data to go back to their commissioners and budget people and say, 'This is what we're handling on a day-to-day basis.'"
On a broader level, Pelgrin's office coordinates the Multi-State Information Sharing and Analysis Center, a voluntary organization that gathers information about security threats and shares it among state and local governments nationwide. All 50 states currently participate in the center's activities.
Government Technology readers departed sharply from conventional security wisdom in their perception of the source of cyber-attacks. Respondents overwhelmingly (72 percent) identified external hackers as their biggest security threat. Just 20 percent of respondents said internal staff posed the biggest threat, and 8 percent chose internal contractors.
Those responses come at a time when growing attention is focused on internal security breaches. A 2007 NASCIO issue brief urged state CIOs to take action against insider security threats, contending that internal threats can be just as serious as external attacks, if not more so.
Our survey numbers contrasted dramatically with those of CIO magazine's global security survey. Nearly 70 percent of CIO survey respondents ranked employees and former employees as their biggest security worry, versus 41 percent for hackers.
Lohrmann, who estimates the number of internal and external threats as about even, said some of the discrepancy may be due to the blurring line between internal and external attacks. He pointed to increasingly common attacks that entice users to click on an e-mailed link and enter personal information. Known as "phishing," the technique often asks users to enter their passwords and other critical data on bogus online banking and auction sites.
"You have a link sent to you, so that's an external attack," said Lohrmann. "But if you've done training and dealt with your policy issues, then your employees don't click on that link. So is this an internal or an external issue?"
Pelgrin added that internal threats encompass a wide range of activities -- many of them beyond the normal definition of cyber-crime. "I think we do ourselves a disservice if we're looking only at the criminal aspect," he said. "There's a human aspect to everything we do that can potentially have a vulnerability, a risk and a threat associated with it."
For instance, employees connecting to work systems via poorly protected home computers can bypass security measures and expose organizational networks to security threats. In addition, high-capacity external storage devices, such as MP3 players and USB flash drives, can readily transfer malicious software to government computers.
No Money, No Training
Given the importance of security awareness in the public-sector work force, the amount of training reported in the survey results is disappointing, Lohrmann said.
"At best, only 50 percent appear to be participating in security training," he said. "So if you're a front-line person, my concern would be, are you aware of potential attacks? Are you aware that doing something like visiting a social networking Web site might be a risk?"
Forty-five percent of respondents said their staffs participate in cyber-security training. More than 35 percent said employees aren't in a security training program, and another 19 percent didn't know.
Lack of security training may be tied to stagnant security funding. About 30 percent of respondents expected their security funding to remain the same over the next several years. Almost 11 percent expect funding to drop, and 25 percent didn't know. In a separate question, only 17 percent of respondents said news of recent security breaches had triggered more support for security funding among upper management.
And scraping together extra dollars for security won't get any easier in the foreseeable future. Taylor predicted security funding will take a hit as the weakening U.S. economy takes its toll on public-sector budgets. "There may or may not be a general recession out there, but there is a revenue recession," he said. "IT always has had a tough time competing with cops and kids when funding gets tight. Now security is going to have a hard time competing against IT, cops and kids. Absent some sort of high-profile incident, getting legislative and budget focus on security is going to be difficult."
Sometimes even the survey's good news was bad news. Although 80 percent of respondents said their organizations have formal security policies and 60 percent have hired CISOs, the remaining agencies could be the soft underbelly of increasingly networked government operations.
"Public agencies don't operate alone in an environment," Taylor said. "If you subscribe to the weakest-link theory, then agencies without security plans and without a point person for security are going to negatively impact that environment."
According to the survey, respondents currently have little awareness of security problems at the public agencies or third-party organizations with which they exchange data. More than half of respondents said they didn't know if any of their main data trading partners had experienced a security breach or loss of sensitive data.
Plugging security holes isn't easy. Some states and localities have attempted to build stronger security measures into their enterprise technology services, which can bring all agencies up to a minimum standard, but also drives up prices for critical services.
"If you roll that cost into your service rates, then all of a sudden customers start screaming," Taylor said. "It also becomes a proportion test. Some customers will be paying a disproportionate amount of the cost of security for things they don't use, just to protect the whole sandbox from a few bad actors."
Collaboration, Pelgrin said, is vital to addressing these security shortcomings. Sharing of data and expertise between agencies raises overall security awareness, and cooperative purchasing arrangements can cut the cost of deploying IT security measures.
As evidence, he pointed to a federal government contract for hardware and software encryption products. The blanket purchase agreement -- created by the U.S. Department of Homeland Security, Department of Defense, Office of Management and Budget, and General Services Administration -- is open to state and local governments, and should provide them with lower prices on tools for protecting sensitive data.
New York state's CSCIC office worked with the federal agencies to ensure the contract met the needs of state and local agencies, Pelgrin said. The agreement gives even the smallest agencies access to good prices on a collection of expertly chosen security tools.
Pelgrin said the agreement may convince agencies that would otherwise sit on their hands to purchase and implement badly needed protection. "There are people who want to buy and that's great, and they would probably go down this road no matter what," he said. "But the point that I really wanted to address is how do we get people who really weren't going to go into this arena right now, but really should?"
It's a Journey ...
Ultimately, the mixed results of this year's survey may simply reflect the nature of information security. Government Technology readers clearly are making progress on security issues, but the job is never truly finished. And for astute public officials, it seems the more visibility and understanding they have of security issues, the more there is to worry about.
"No matter how good you are, the bad guys are changing every single day," Pelgrin said. "We're never done. We're absolutely never done. As long as it's profitable out there, as long as we are human and make mistakes, somebody is going to try to take advantage of it."