Agencies need to focus their cybersecurity strategies less on networks and systems, and more on the data itself so that agencies can share information more easily, said industry and government representatives at a security conference on Thursday.
Comment on this article in The Forum.Traditionally, the focus of information security policy has remained on the perimeter of networks. Homeland Security Presidential Directive 12, for example, requires a biometrically-enabled identification card to access the network, and the Trusted Internet Connection program requires agencies to reduce the number of Internet connections into networks. The program also requires agencies to monitor Internet traffic. Security at the data level, however, is minimal, including at best encryption software.
Data security becomes more important as agencies collaborate more online and leverage Web 2.0 functionality.
"There's a dynamic tension [between] information sharing and IT security," said Vance Hitch, deputy assistant attorney general and chief information officer at the Justice Department during a panel discussion. "The safest way to [operate] IT systems is to make them locked down and unusable. But we know that's unacceptable."
The Defense Department leads other agencies in its transition from a network-centric to a content-centric approach to information security. The Army's LandWarNet, for example, is a network portal of information that supports warfighters, policymakers and support personnel. By nature, the information needs to be accessed by individuals from a number of different agencies -- including those from Defense and the intelligence community.
Securing sensitive information while enabling collaboration is a challenge, said Col. Michael Jones, director of information assurance and compliance in the Army's Network Enterprise Technology Command. The function of the office is to leverage the information grid to support military operations.
"LandWarNet is the glue providing information to the Army," Jones said. "[But] until we can get to tagging information, we're going to have a challenge in sharing."
Metadata tagging attaches the appropriate access restrictions to data, so that only authorized individuals can view or edit them. It's just one element of a comprehensive identity management strategy that many agencies have yet to implement.
"We're living in a digital glut," with data volumes growing at a rate of 50 to 60 percent per year, said John Thompson, chief executive officer at security software vendor Symantec. "The more progressive organizations, public or private, will say 'I can't keep doing what I'm doing. I have to take a different view of how to manage this information explosion.' We're reacting like the carpenter with the hammer -- laying encryption on everything. That's not the answer."
Instead, agencies should take a policy approach to data security, Thompson said, implementing data classification or tagging to regulate access, data de-duplication to eliminate multiple copies of the same information on systems, e-discovery to provide visibility and management of digital records, and backup and recovery to ensure availability.
"All of those are a part of a more holistic view of information protection," that takes into consideration the need for government to collaborate, Thompson said. "In the 21st century, [we can't] segregate the protection of information from the running of government day in and day out."