Top IT cops say lack of authority, resources undermine security

To understand what it's like to be a federal chief information security officer, consider Larry Ruffin. As CISO at the Interior Department, his job could be described as having little to do with being a chief and not much more about security.

Although he regards Interior's current information security as "far from inadequate," Ruffin and Chief Information Officer Michael Howell don't have a way to check that the department's network security is configured correctly or to monitor suspicious activity on a daily basis. Ruffin also has no authority and few resources to check on the security of employees' equipment, such as laptops, workstations and servers, or to monitor specific applications. He has to rely on verbal and written promises from Interior's bureau managers that they are complying with security policies. To a limited extent, Ruffin says, he conducts on-site checks of systems, which in the end offer little insight into the state of IT security departmentwide.

"How do you take control, when you don't [have authority over] the funds or maintain clear authority to make decisions? That stymies processes," Ruffin says. "We don't get clear approvals and don't feel empowered to make decisions that might have budgetary impacts. Those decisions can get made, but rarely."

Ruffin isn't alone. His experience is common to CISOs across government. Security budgets are paper thin, and CISOs rarely have the authority to enforce security policies down deep into individual department offices. Their job is one of frustration; they're aware of what's required to protect agency networks, but unable to get the job done. It's no wonder that more security analysts are warning of serious security breaches, if they have not occurred already.

It wasn't supposed to be that way. In 2002, Congress passed the Federal Information Security Management Act, placing accountability for federal IT security squarely on CISOs. If Americans' personal information or sensitive data were exposed or a government network shut down, it would be on the CISO's head. In 2006, less than two months after a laptop containing the Social Security numbers of 26.5 million veterans was stolen from an analyst's home, the Veterans Affairs Department CISO resigned. A frustrated Pedro Cadenas, head of security at VA at the time, told Government Executive, "if these agencies want to hire security people, they need to let them do their job."

The CISO job today is more of a policy- and compliance-reporting position than one that tests and monitors networks. And the job has limited power to oversee a department's systems. As a result, says Mike Jacobs, former information assurance director at the National Security Agency and now an independent consultant, the federal government is at its "weakest state ever" in terms of homeland security. "I'm struck with how little power and capability to influence the CISOs have," he says. "Most are left to cajole those who own the IT funds to do what needs to be done from a security standpoint. Few, if any, have direct responsibility."

Few management researchers question the need for an executive dedicated to overseeing an agency's information security. Exposure of sensitive data on government networks has the potential to do more damage than a physical attack on those systems.

The number and sophistication of cyberattacks is increasing and more agencies are becoming aware of just how poorly they have tracked IT assets. In June 2007, a network intrusion at the Pentagon resulted in the theft of an "amazing amount" of data, Dennis Clem, CIO of the Office of the Secretary of Defense, said during a speech in March. In February, a laptop that contained more than seven years' worth of personal health data -- including names, medical diagnoses and details of heart scans for more than 3,000 patients -- was stolen from the National Institutes of Health.

The Bush administration and Congress have tried to tighten security by issuing mandates and passing laws -- the responsibility for which falls on the CISO. There's FISMA, which requires CISOs to certify and accredit systems and to provide security training. Homeland Security Presidential Directive 12 requires agencies to issue all employees and contractors new high-tech identification cards to access federal buildings and computer networks. The information system security line of business initiative identifies security risks and encourages a common suite of solutions to improve processes and training. The Federal Desktop Core Configuration mandate requires CISOs to make sure computers use a standard set of security settings, while the Trusted Internet Connections initiative requires them to reduce the number of Internet connections into federal networks from more than 1,000 to 50 or less.

There's more, making the to-do list long and overwhelming. "From a priority perspective, there's so much on the plate," says Dan Galik, CISO of the Health and Human Services Department, which he joined in April after holding the same position at the Internal Revenue Service. "The key is deciding which in the stack of initiatives deserves more attention."

And then there's the problem that few CISOs know -- which systems their agencies operate and which applications and data are on those systems. Successfully securing systems can happen only if CISOs maintain an awareness of the overall IT environment, says Howard Schmidt, president and CEO of R&H Security Consulting and former special cybersecurity adviser to the White House. They need to identify assets, he says, and then pinpoint vulnerabilities.

"Once you know what you've got, you need to know risks and develop a concrete executable plan to reduce or eradicate those if possible," Schmidt says. "That can't happen next fiscal year; it has to happen right now. None of the security issues that agencies face appear overnight. New ones roll up constantly, so CISOs need the ability to take corrective actions immediately."

Unfortunately, CISOs don't have a comprehensive view of their IT infrastructure and cannot put quick incident response plans into action. While at the IRS, Galik often would be asked by the commissioner: How are we on security today? It was a difficult question for him to answer because Galik had to rely on standard security software tools that spit out logs of data, listing various weaknesses across the network. He says the reams of data were not in a form that helped him find trouble spots.

"What does that really tell me? How bad off am I? Are there things we need to stop now and fix immediately?" Galik asks. "For once I'd like to say, 'Well, across our entire operating divisions, we have one particular problem here and one weakness there,' and then have a program in place that shows collectively that we recognize the problem and have an approach to solve it."

For the most part, the amount of funds agencies have to protect computer systems from cyberattacks is minuscule compared with the need, CISOs say. The Comprehensive National Cybersecurity Initiative, a directive signed by Bush in January to develop a way to protect networks nationwide from cyberattacks, reportedly will lay aside $30 billion over seven years, but it's unlikely that the funds will help CISOs streamline the process for securing federal networks.

"CISOs are struggling with precious limited resources," says Bruce Brody, vice president of information assurance at government IT contractor CACI and a former CISO at the Veterans Affairs and Energy departments. "If you want to be compliant with all the mandates and regulations and laws and requirements, you can do that. But that takes you down a path toward compliance for the sake of compliance, not overall improved security."

For now, CISOs must compete for funds with other federal programs. These chiefs are at a disadvantage because security programs often don't promise cost savings and have little return on investment. Interior's Ruffin submitted this year a proposal to centralize the department's wide security functions to provide a comprehensive view of network activities. He estimated the cost to be about $50 million to buy needed IT products and integration services, plus another $25 million annually for management and support. Ruffin proposed that his staff would have to grow tenfold, from the current 15 employees, who focus primarily on network monitoring. The proposal didn't get far.

"No one disputed that this needs to be done," Ruffin says. "But when they look at associated dollar cost, the answer is 'No way; we don't have the funds. Let's make the federated approach work effectively.' But how do you do that when you don't have the authority to oversee the staff and budgets? Until something hits the fan, the resources are not there for information security."

CISOs need to know some specific details about their IT infrastructure "if they have any prayer of securing systems and networks," Brody says. They have to know how far the agency's networks extend and what kind of systems it operates. They also need to know every device attached to the network, their configurations, the people using them, and the applications and information they're accessing when they use those devices to get on the network.

The problem is, no CISO has that kind of awareness of the IT infrastructure, Brody says.

Why not? In theory, the CISO position, as outlined in FISMA, was to be powerful, second only to the CIO in terms of driving IT initiatives. But in reality, the position has little authority because each office within an agency claims ownership over its IT systems and data, making it hard for the CISO to require security standards and policies. For large agencies, information security typically is divided among bureaus, with different managers who oversee IT and security. Without direct authority to administer those systems, CISOs have a hard time identifying how to improve security. Nobody wants to relinquish control over processes or funding, and nothing in FISMA forces them to do so.

"The fiefdoms are strongly entrenched and have been doing business a certain way for years," Brody says. "FISMA was helpful in that it provided attention and focus on the problem, but it did nothing for governance. We now have a situation where the federal CISO is struggling with compliance that has very little to do with actual security and with no clout to hold individuals accountable for not following the appropriate security protocol. The answer is improve the law."

Rep. Jim Langevin, D-R.I., introduced a bill in May that could be a slight improvement, but for only one agency. The 2008 Homeland Security Network Defense and Accountability Act would tighten computer security practices by requiring DHS to test its defenses against cyberattacks and to set stricter qualifications for cybersecurity positions. It provides the CIO with the authority to approve and oversee all systems, as well as all the policies, procedures and funding related to the management of information and IT infrastructure. If passed, the authority seemingly would trickle down to the CISO for issues concerning information security.

The bill also would require the Homeland Security CIO to hire an incident response team to conduct vulnerability tests on a regular basis for all connections to the Internet and any external network and to provide continuous, real-time detection, investigation, response and containment of computer incidents.

But much more needs to be done, Schmidt says. "There should be an elevation of the position providing CISOs more authority and more ability to enforce the policies rather just acting as recommending bodies," he says. "This can't be a political issue -- it's a national security issue, a public safety issue, an economic viability issue. No matter how you look at this, information security has to apply across the entire government enterprise. If you can't manage it, you can't secure it."