Info security chiefs weigh new approaches to looming threats

Many users of federal systems still are not grappling with the security implications of their actions.

What federal agencies don't know about protecting their data and computer systems could really hurt them, senior federal information security professionals said on Thursday.

"It's like the days prior to Pearl Harbor and 9/11," said Daniel Galik, chief information security officer at the Health and Human Services Department, at a breakfast seminar sponsored by Government Executive. "We have some very serious challenges. The attacker is several steps ahead of us across the board."

Bruce McConnell, a former chief of information and technology policy at the Office of Management and Budget, who currently runs a consulting firm (and contributes to the Tech Insider blog at Nextgov), called the situation an "invisible crisis." Agencies, he said, have long been operating in an "inherently insecure environment," and "the sheriff has not shown up yet."

"There's so much we don't know" about threats to federal systems, added Marian Cody, CISO at the Environmental Protection Agency. Cody added that at one point, her agency's systems were taken offline for a week after an audit showed vulnerabilities. It took more than a year, she said, to completely restore the systems.

Galik said the 2002 Federal Information Security Management Act, under which agencies are issued grades based on their level of compliance with security directives, "set a good foundation," but is "very labor-intensive on the administrative side." He argued for the creation of a governmentwide operational security report card, detailing information on incidents across agencies to give an overall security picture.

Cody defended the FISMA process, saying, "we've got that part down pat. I don't want to see it changed." Her office, she said, has forged a strong working relationship with the agency's inspector general, giving officials in the IG's office open access to EPA's security information system so they can work cooperatively with managers to assess threats and identify vulnerabilities.

But, Cody said, "I'm not a proponent of sending operational security reports to OMB."

Both Cody and Galik expressed concern over user behavior that jeopardizes security. When it comes to weighing the threat inherent in actions such as clicking on links in e-mail messages, "many users are not wrestling with it at all," Galik said.

Cody said many EPA employees assume that when they access the agency's network, their actions are private. "That's completely shocking to me," she said.