Leading by Example

By Shane Harris

February 1, 2003

Here's a quiz. Which large U.S. organization has such notoriously weak information security that an intruder could hack into more than 100 of its computer systems and a congressional committee gave it an F on a recent computer security report card? Answer: The Defense Department.

Now, a follow-up question. Which organization boldly banned new networks that support wireless devices and prohibited its employees from using those devices to download software or connect to classified computers, all because wireless security is feeble and largely unproven? Again, the Defense Department.

It probably seems strange that the Pentagon could be so vulnerable to intrusion yet also take steps that might be considered drastic by corporations, whose security is considered superior to that of government agencies.

But what if the federal government, with its overall F average on that computer security report card, is really the national leader in strong security? What if the same agencies that private sector gurus ridicule as years behind in security management are on the cutting edge, leading everyone by example?

It's easy to find the oft-cited flaws: Agencies don't assess their systems' vulnerabilities and weaknesses; control of passwords is notoriously lax; agencies have failed to report their security status to administration officials.

But look deeper, particularly at the areas where security is improving. The Social Security Administration, for instance, last year received a C+ on the report card issued by the House Government Reform Subcommittee on Efficiency, and this year moved up a notch to B-.

Why? Perhaps for several reasons. In an agency that interacts with half a million people on a typical workday, the position of chief security officer at Social Security has been elevated to report directly to the chief information officer, who reports directly to the commissioner. As government bureaucracies go, that's a clear line of accountability.

The agency also uses software that records who's trying to use its systems. It determines, based on security clearances, whether someone is permitted to see data and restricts entry. Also, once a month the agency surveys the records of every computer and telephone to ensure that security policies are being followed. All of these practices fall under the umbrella of good security management, which businesses espouse but don't always practice.

For more proof that security practices are catching on, consider the government's new plan to monitor agency systems in real time for security vulnerabilities and to issue patches to fix problems before hackers exploit them. Last December, the Federal Computer Incident Response Center (FedCIRC), the government's security watchdog situated at the General Services Administration, began a project to build a Web-based program that can instantly detect a security hole, down to the level of a single computer.

The system could give the federal government an unprecedented, detailed view of the state of its security, depending on how many agencies participate in the free, voluntary program. Unlike businesses, agencies are required to report security vulnerabilities as soon as they're noticed. But the alert system would up the ante, forcing technology managers to pay more attention to their systems, lest they be caught failing to plug their holes.

Other agencies are on a security roll as well. From October to November of last year, the Army, the Coast Guard's intelligence division, and the Patent and Trademark Office awarded contracts to build secure data networks or improve security on existing networks. In each case, the information the agencies sought to protect is a tantalizing target for hackers.

Agencies' aggressiveness about security should come as no surprise. Officials have seen their colleagues and counterparts get burned, badly, and not just on report cards. In December 2001, a federal judge ordered every computer in the Interior Department with connections to its Indian trust fund data to disconnect from the Internet, after a court-appointed hacker was easily able to access and manipulate the data. The unplugging initially put 71,000 employees in 14 bureaus in an information black hole.

An expected torrent of media coverage and official criticism followed the hacking revelation, but pulling the agency offline was unprecedented. Few agencies can say they're not paranoid about a surprise inspection resulting in severe consequences or public embarrassment.

But there's been more than professional anxiety to keep the security fires roaring. The message emanating from the White House cybersecurity office has been loud and constant since the Sept. 11 attacks: It's only a matter of time before terrorists use the Internet as a weapon. No one is safe.

Richard Clarke, the head of that office and the president's cyber spokesman, has taken every opportunity to beat the drums of preparedness and prudence, parlaying his career as a terrorism expert into this new electronic realm.

But in this fight, government can't act alone. A true cyberterrorism attack, experts presume, would be launched on one of the many private networks that control so much of the vital infrastructure in the United States, such as power grids and dams. Clarke and other top officials, such as FBI Director Robert Mueller, have been critical of companies' reluctance to report hacking incidents on their systems, reporting that would improve cybersecurity overall. One of the best ways to fend off attackers is to understand the weaknesses they're exploiting. But making that information public can ruin a company's image and also invite more attacks.

Rather than slap businesses with new regulations demanding improvements, Clarke, Mueller and other government security leaders have advocated showing the private sector that government can get its house in order. Officials hope that will inspire businesses to follow.

If the private sector can't follow the government's lead, companies can bow to its pocketbook. The federal government is the largest single buyer of technology goods and services in the country. Now, Clarke and other senior officials are urging agencies to use their massive buying power to force companies to make more secure products. Businesses haven't truly rallied themselves to exert that kind of customer leverage on major software manufacturers, whose products often are riddled with holes and are as much a part of the security problem as is bad management.

The administration's official stance on private sector security is that it must be self-motivated. The government can influence companies, or encourage them, but it can't force them to change.

But the government can take a hard line internally, and with the passage of the 2002 E-Government Act, it's going to try.

The new law forces agencies to comply with new security guidelines from the Office of Management and Budget. If they don't comply, their funding can be withheld. Also, the National Institute of Standards and Technology has been given a stronger hand to set security guidelines and benchmarks on unclassified systems.

None of this is to say, of course, that businesses should develop a similarly strict regimen, or that they could for that matter. But given recent examples, the conventional wisdom that the private sector is outpacing government on security needs to be reconsidered.

If an organization perceived to be as clumsy and slow-moving as is the federal government can implement aggressive security policies, pass laws requiring compliance and appeal to the profit motive to help change a damaged system, surely businesses, with their supposedly greater flexibility, could follow suit. At the very least, they could learn a thing or two.