Monday, June 19, 2006

US LEARNING FROM VA's DEBACLE http://federaltimes.com/index.php?S=1879431

Learning from VA’s debacle
Five ways managers can better guard personal data
By Aimee Curl and Stephen Losey
June 19, 2006


Recent revelations of lost or stolen information from Veterans Affairs and other departments have prompted Congress and the public to direct a sizzling spotlight on how well managers are securing sensitive data they possess. And the losses have reminded managers just how vulnerable their systems are.

“Is this a wake-up call? I hope so,” said Bruce Brody, who served as chief information security officer at Veterans Affairs from 2001 to 2004. “Unfortunately these kinds of events happen every few years, but unless there’s a significant change in culture, it won’t be an isolated incident.”


For years lawmakers have given the government a near-failing grade for how it protects personal information. Brody, now the vice president for information security at INPUT, a Reston, Va.-based market research firm, agrees with that assessment.

“What will it take?” he wondered. “The first step in fixing any problem is knowing you have a problem.”

Many experts say the security breach at VA — by far the biggest yet involving people’s Social Security numbers and other personal data — should finally convince government managers there’s a problem that requires their attention.

Dozens of federal managers and experts offer solutions, most of which fall into one of five categories.


1. Make security a priority
In many ways, the emphasis on information security is a product of each agency’s culture.


House lawmakers last week noted with frustration that VA has yet to act on a report issued by its inspector general in 2004 that included 16 ways to improve information security. Testifying before a different House panel, VA Secretary James Nicholson said steps to improve the way the department manages its IT infrastructure were well under way before the breach.

But Bruce Schneier, founder of Counterpane Internet Security Inc., said the problem in both the public and private sectors is that “nobody cares.”

“The problem is that the stolen data can cost a lot of people a lot of money, but it doesn’t cost the VA anything,” he said.

Many observers say that a critical step to changing agencies’ information security cultures is to give chief information officers and chief privacy officers more clout and authority.

“Senior leadership must empower the chief privacy officer and the chief information officer by creating an environment where the CIO and CPO can work together,” said Dan Caprio, who recently left the chief privacy officer post at the Commerce Department to become executive vice president of the Progress and Freedom Foundation.

In many agencies, the duties of CIO and CPO are held by the same person. Caprio said regardless of the way the agency structures the position, it’s critical for it to be held at a senior level.

“If the role of the CPO becomes diminished to where it’s just a pure compliance role at a junior level, you lose the ability to have the reach and affect culture,” he said.

The placement and role of CIOs within departments vary widely from agency to agency.

Brody said CIOs often don’t have the power to set rules for the entire department, such as those aimed at better protecting the contents of an agency’s database. At the Homeland Security Department, he said, CIOs of component agencies report to their directors and not to the department CIO, Scott Charbo. Current and former Homeland Security inspectors general told Congress last April that without more authority, the department’s CIO cannot properly manage IT programs or set policy.

Brody also blamed last September’s hacking of computers at the Energy Department’s National Nuclear Security Administration on decentralization. Brody, who was Energy’s associate CIO for cybersecurity at the time, said NNSA operates semi-autonomously from Energy and wrote its own security policies separate from his directives.

“The CIO issues policy, but has no power to hold people accountable,” Brody said. “They can’t take away executive bonuses, issue reprimands, or fire people who don’t follow those rules. Their policies are paper tigers if they don’t get the rest of the agency involved.”

Agencies could fix this problem on their own, but if they resist the idea, Congress should step in, Brody said.

2. Collect less data, handle it better
Comptroller General David Walker said agencies need to change the way they gather and maintain personal information by limiting its collection, restricting access to it, requiring proper training to handle it, ensuring it is encrypted when used on mobile devices, and restricting the ability to download it.


“For example, key identifying information — such as Social Security numbers — may not be needed for many agency applications that have databases for personal information,” Walker told the House Government Reform Committee on June 8.

In addition, Walker said agencies should review how they collect, store and share personal information, and ensure that a robust security program is in place.

The Office of Management and Budget is already pressing agencies to do just this. In a May 22 memorandum, OMB directs agencies to review their information security policies and processes by fall.

“Agencies could do spot audits or simply check whether each element in the plan is being put into practice,” suggested Peter Swire, a law professor at Ohio State University, and the top privacy lawyer at OMB during the Clinton administration.

As part of this effort at Energy, Abel Lopez, the department’s Freedom of Information Act and Privacy Act officer, said he’s reviewing 61 systems of records to ensure that all of the safeguards are in place.

“We’re looking at them, whether they’re paper records, electronic records or both,” Lopez said. “Paper records are safeguarded by keeping them in a locked cabinet in secure areas. Electronic records are password protected.”

He said the review isn’t difficult, but it’s time consuming.

“We had planned to do this review anyway by 2007,” Lopez said. “It’s not difficult; we’re just trying to make sure we’re thorough.”

3. Agencies must report breaches
The Government Accountability Office’s Walker has asked Congress to pass a law requiring agencies to report incidents when sensitive data is lost or stolen. He told the Government Reform Committee that the rule should require agencies to notify affected individuals and OMB.


Currently, each department decides how and when to report breaches.

“The theory is if you have to notify, you will make some effort to make sure it doesn’t happen,” said James Lewis, director of technology and public policy at the Center for Strategic and International Studies.

Government Reform Committee Chairman Tom Davis, R-Va., said he intends to introduce a bill that would force agencies to quickly report security breaches.

Swire said it’s critical the government get the word out fast when sensitive information is compromised. It took 13 days before agency officials knew about the breach at VA and weeks before the extent of the data loss was known and revealed.

“The delay reduced trust in that agency’s response,” he said.

Jane Horvath, the Justice Department’s chief privacy officer, said she favors a governmentwide reporting requirement. However, in the absence of one, she said it’s up to individual agencies to ensure their house is in order.

Horvath said the VA incident highlights how important it is to make sure employees know the chain of command and who they should talk to in the event of a security breach.

“Clearly that didn’t happen at VA,” she said.

4. Build in system protections
An agency can have top-notch security policies and procedures, but the data is still vulnerable unless security is built into the computer system using access controls, encryption or other technologies, experts say.


“The idea that we’re going to get the whole federal work force to be 100 percent secure is a nice thought, but . . . in a lot of ways you have to get this away from individual responsibility. You have to do it in a way that the system does it for you,” said Lewis of the Center for Strategic and International Studies.

Bob Gellman, a privacy consultant and former staff member of what is now the House Government Reform Committee, said the VA breach demonstrates the need to encrypt any personal or sensitive information that finds its way to a laptop.

Many people are reluctant to do that, said Steven Bellovin, a computer science professor at Columbia University, because if they lose their password or key, that data is as good as gone.

People also don’t want to interrupt their work to encrypt and decrypt information, said Alan Paller, research director of the SANS Institute. But a solution is coming, he said: Within a year, new hard drives that automatically encrypt and decrypt data are expected to be on the market. These hard drives will encrypt data without being told, much in the same way Microsoft Word automatically saves documents every few minutes.

And once encryption becomes the standard, agencies can have a “master key” on hand to unlock data in case a user loses his password, Paller said. Agencies also could use cheap biometric technology such as $30 fingerprint readers or smart cards to provide access to encrypted files.
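The “master key” arrangement Paller describes, as an added example that is not from the article or from any vendor named in it: the file is encrypted under a random data key, and that data key is sealed both under the user’s passphrase and under an agency-held recovery key, so either one can unlock the file. The module, method names and sample values are constructed for illustration; the code uses Ruby’s OpenSSL bindings (PBKDF2 for the passphrase, AES-256-GCM for the sealing).

```ruby
require 'openssl'
require 'securerandom'

# Envelope encryption with a recovery key (constructed example). The body is
# encrypted under a random data key (DK); DK is sealed under the passphrase-
# derived key and, separately, under the agency's recovery key kept off the laptop.
module EscrowedFile
  ITERATIONS = 100_000 # PBKDF2 work factor; raise as hardware allows

  def self.kdf(passphrase, salt)
    OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: 'sha256')
  end

  # AES-256-GCM; returns iv || tag || ciphertext (12 + 16 + n bytes)
  def self.seal(key, plain)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = key
    iv = c.random_iv
    ct = c.update(plain) + c.final
    iv + c.auth_tag + ct
  end

  # Raises OpenSSL::Cipher::CipherError on a wrong key or a tampered blob.
  def self.unseal(key, blob)
    raise ArgumentError, 'blob too short' if blob.bytesize < 28
    c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    c.key = key
    c.iv = blob[0, 12]
    c.auth_tag = blob[12, 16]
    c.update(blob[28..-1]) + c.final
  end

  # recovery_key: 32 random bytes generated and held by the agency, not the user.
  def self.encrypt(plain, passphrase, recovery_key)
    salt = SecureRandom.random_bytes(16)
    dk = SecureRandom.random_bytes(32)
    { salt: salt, user_wrap: seal(kdf(passphrase, salt), dk),
      escrow_wrap: seal(recovery_key, dk), body: seal(dk, plain) }
  end

  # Normal path: the user's passphrase unwraps DK, DK opens the body.
  def self.decrypt_with_passphrase(f, passphrase)
    unseal(unseal(kdf(passphrase, f[:salt]), f[:user_wrap]), f[:body])
  end

  # Recovery path: the agency's key unwraps DK when the passphrase is lost.
  def self.decrypt_with_recovery(f, recovery_key)
    unseal(unseal(recovery_key, f[:escrow_wrap]), f[:body])
  end
end
```

The recovery key becomes a high-value secret in its own right: whoever holds it can open every file wrapped under it, so it belongs in an access-controlled store, not on the laptop.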

IT industry representatives say they have other products that could prevent the release of personal information. Doug Jacobson, director of Iowa State University’s information assurance program and founder of the IT security company Palisade Systems, said his company has developed a system that monitors data being sent outside of an organization to catch sensitive information.

Ed Hammersla, chief operating officer of Herndon, Va.-based information security company Trusted Computer Solutions, said the answer is in reverting to the concepts behind the mainframe model of computing used during the 1950s and 1960s. In those days, computer terminals had no data storage and users accessed information from the mainframe. A modern computer without a hard drive that uses high-speed connections to log on to a central database can work in a similar way, Hammersla said.

5. Raise awareness
“There’s always going to be a level of risk. The best weapons we have against that risk are to make sure people are aware of their responsibilities,” said Ingrid Kolb, chief privacy officer at the Energy Department.


In addition to reviewing information security systems and policies, Kolb said her office will hold a training conference in November and include information security as part of orientation for all new employees.

Former Hill staffer and privacy consultant Gellman said the VA incident has raised awareness.

“There’s consequences, and the consequences are very big,” he said. “People who have control over this data need to think two or three times about how they’re protecting this data, where they’re taking it, what they’re doing with it. If there’s no policy, ask for one, or make up your own.”

At Justice, Horvath said, managers are making sure everyone is educated about the department’s security and privacy policies.

The one message she’d like to impart to employees: “Awareness. . . . Make sure you’re aware of how valuable the information is if you’re taking out government information on a laptop.”

E-mail: acurl@federaltimes.com and slosey@federaltimes.com