Security holes: Not enough money or not spending wisely?

Agency systems are wide open. Cyber attacks are growing more sophisticated. Is it a problem of not enough money or not spending wisely?

From a security perspective, almost every top analyst inside and outside government agrees: Federal computer networks are a mess. They're wide open to attack and no one knows how much sensitive information has been lost.

Comment on this article in The Forum.But what will it take to secure the government's networks properly? How much money will it cost, and is it politically feasible? President Bush launched the secret Comprehensive Cybersecurity Initiative last year to build government's defenses. Some analysts peg the program's cost at $30 billion or more.

But according to managers and industry consultants, the government's security problems are not the result of a lack of money (although more certainly would improve the situation); instead, they're linked to not wisely spending the money the government has budgeted for IS.

"There's no question that there needs to be more money," says Fred Cate, senior policy adviser at the Centre for In-formation Policy Leadership with the law firm Hunton & Williams LLP. "Unfortunately, that's the answer to almost all problems in government. The key is there needs to be more sustained and less episodic investment. Strategies have to be fluid and flexible. That means good policies."

Agencies need flexibility and agility to decide how to spend their IT security budgets. For the most part, they now spend a large portion on complying with laws and regulations that end up not tightening or eliminating the vulnerabilities of government systems.

"If I were to refocus the money, it would be less on score cards and compliance, and more on education and awareness and a strategy for [vulnerability] detection, prevention and quarantine," says John Hunt, principal of public services with the consulting firm PricewaterhouseCoopers. "What are the risks to our mission and our confidential information, and how do we mitigate those risks? It goes back to people, processes and technology: educate users and ensure they have the tools they need, put technology in place to avoid and detect issues, and ensure processes - manual or automated - have good security controls in place at all times."

Not a money problem

The reason government systems are so open to attack and abuse by federal employees is not one of money, say federal information security managers and government security analysts. The money is there. For fiscal 2008, federal agencies allocated more than $6.6 billion to information security, rep-resenting 10 percent of the $68.3 billion that government spent on information technology, according to the Office of Management and Budget. President Bush proposed keeping information security spending at 10 percent of his $71 billion IT budget request for fiscal 2009.

That percentage is in line with the amount private sector companies spend. The IT in-dustry spends an average of 10 percent of its budget on securing networks, while the health care and financial services industries, the latter of which security professionals consider the sector that leads all others in best security practices, spend even less - 7 percent, according to IT research firm Gartner Inc.

That matches what most federal agencies spend on security, an average of slightly more than 7 percent of their IT budgets. But a few agencies spend much more. The Transportation and Interior departments, Nuclear Regulatory Commission, and U.S. Agency for International Development spent between 14 percent and 26 percent of their IT budgets on security in fiscal 2008.

Still, agencies always find themselves in need of more funds. "The amount doesn't ever suffice," says Tonya Manning, Labor Department's chief information security officer.

Labor received $38 million for IT security in fiscal 2008, more than 7 percent of its $514 million IT budget. Under Bush's fiscal 2009 budget, the department would receive $40 million for security, the same proportion. Most of the funds go toward certifying that systems have met security standards, but Manning hopes to use some of the budget to buy network monitoring tools, which will keep an eye out for unauthorized users - such as hackers or Labor employees who don't have the proper permission - trying to snoop around in files and databases. "A lack of resources is a challenge," she says. "New requirements continue to mount, but our budget remains flat."

The FISMA drain

The 2002 Federal Information Security Management Act requires agencies to identify and inventory IT systems, determine the sensitivity of the information stored on those systems, find holes that allow hackers access, and deploy security controls.

Agencies spend much of their IT budgets complying with the law, leaving little to fund more strategic security practices. Some have tried to develop plans to deploy technologies and processes to improve security beyond what FISMA requires, but for the most part, their efforts have been blunted.

That's what happened to Lawrence Ruffin, chief information security officer at Interior. While developing his budget for fiscal 2009, he drew up a plan to centralize the department's IT security processes and oversight so he could dictate standards and processes that would tighten security. Ruffin then would have a departmentwide view of Interior's entire security posture.

To deploy his plan, Ruffin estimated it would cost about $50 million for IT products and integration services, plus another $25 million annually for management and support. He also said he would need a tenfold increase in staff - from 15 employees, who focused primarily on network monitoring, to 150 workers. But Interior Secretary Dirk Kempthorne rejected Ruffin's proposal, despite consensus among department executives that the plan would go a long way in locking down department systems and improving efficiency.

In the end, Interior requested a security budget of $182 million for fiscal 2009, up just 2 percent from $178 million in fiscal 2008.

The extra resources needed "to do strategic planning and execution are not available," Ruffin says. "Ultimately, Congress approves budgets to enable business mission delivery and functions. I understand that. Still, there needs to be a balance. All funds can't be spent on IT security, but we need to at least show we're conscious of risk and working to address it."

Reordering priorities

If security budgets cannot be increased, then agencies will have to shift their spending priorities, security analysts say.

FISMA limits agencies' ability to customize information security strategies that address their network weaknesses. For example, while the law in theory provides agencies the ability to prioritize IT security efforts to best serve their missions, the government score cards used to grade how well they are complying with FISMA don't take individual preferences into consideration. Agencies end up being graded on how well they have secured networks on a system-by-system basis.

That's what happened at the Veterans Affairs Department, says Bruce Brody, who was CISO at VA and then the Energy Department from 2001 to 2006.

While at VA, one of Brody's main priorities was to secure the department's infrastructure and improve telecommunication networks. He reduced VA's Internet gateways from 200 to four, but the department still earned an F on its FISMA score card because auditors measured the department's efforts in certifying and accrediting each system and did not take a comprehensive view of how secure the IT infrastructure was, Brody says.

"I do not believe that FISMA grades are any indication of security," says Brody, now vice president of information assurance at government IT contractor CACI International Inc. "FISMA served its purpose by increasing visibility of the problem. But now it needs to evolve or get out of the way."

While FISMA allows "some flexibility," Labor's Manning says, "At the end of the day federal agencies are measured. While there's a policy that allows us to make these decisions, if we're not reporting 100 percent [completed], or a definite yes to compliance, marks on score cards will take a hit."

What's needed, security managers say, is a strategy that mirrors the private sector's. Corporations typically develop information security plans that reflect the priorities of the business.

Strategies in the IT industry, for example, are powered largely by the public's perception: If a tech company suffers a security breach, customers might question its ability to secure their systems. In the health care industry, the importance of having accurate patient records drives security spending to protect the records' veracity. And security spending at financial services firms is predicated on the need to safeguard customers' money and identities.

Companies, especially those in the financial services industry, tend to approach security spending based on managing the greatest risks - a strategy that is then backed up by regulations, says John W. Carlson, senior vice president for regulatory affairs at BITS, a financial service industry consortium based in Washington. By contrast, the federal government usually approaches security by putting regulation before risk management.

"Policies are as extensive, but not as prescribed as FISMA," Carlson says. "It's more flexible and risk-based, with senior management approval of plans and multiple security controls over access, authentication and encryption. The requirements flow down from the overarching priorities of business."

The differences are illustrated by the 1999 Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act, which requires federal banking regulators to develop standards for how banks protect their customers' personal information, giving regulators the power to enforce the standards if financial institutions do not deploy information security programs that adequately protect data.

The Treasury Department issued a document titled "Interagency Guidelines Establishing Standards to Safeguard Customer Information" to help the industry understand how to comply with the federal law. In the guidance, financial institutions are encouraged to appoint senior managers to oversee the security processes, to be accountable for protecting the information and continually assess the risks that could compromise data.

The difference between the Gramm-Bliley approach for the financial industry and the government's FISMA is that banks determine how they develop information security strategies to best address security risks, with secondary oversight by financial regulatory agencies. If the same approach were to be applied to government, then securing an agency's systems would be dictated by the agency's mission, with FISMA supporting those strategies.

"There needs to first be strategic objectives that address agency risk and support the mission," PWC's Hunt says. "Then, with that in place, agencies can ask, 'What can FISMA do for us?' Right now agencies have this compliance element called FISMA, and they build their security strategy around that. The priority becomes, 'Get this off my plate.' "