Cyber-Security Should Not Take A Back Seat

The federal government spends approximately $80 billion annually on information technology (IT) systems.  An April 2, 2014 Government Accountability Office (GAO) report found that the number of data breaches increased by 143 percent from 10,481 reported incidents in 2009 to 25,566 incidents in 2013.  The federal government must take immediate action to protect vulnerable systems and remediate risk. 

Nearly 70 percent of the funds spent annually on IT is used for maintenance on older legacy systems, which are more vulnerable to cyber-threats and data breaches.  For example, such systems are used by the Office of Personnel Management (OPM).  The first large security breach at OPM occurred in early 2015, when the agency discovered that the personnel data of 4.2 million current and former federal employees had been stolen.  In June 2015, OPM found a second and far more damaging incursion, which placed the sensitive personal identifying information (PII) of an additional 21.5 million individuals at risk.

Unfortunately, newer systems are also at risk from cyber-security threats.  On September 21, 2015, the U.S. Department of Health and Human Services Office of Inspector General (OIG) released a report on the security of the Multidimensional Insurance Data Analytics System (MIDAS) from August 2014 to December 2014.  The MIDAS system is used as a central repository for Obamacare insurance-related data for reporting and providing performance metrics to HHS. 

According to the OIG report, the MIDAS system, which was developed in 2011 and contains sensitive information, including Social Security numbers, addresses, and other PII, had inadequate security controls, leaving those who used the healthcare.gov website to purchase health insurance from the federal exchange at risk.  The audit found that the Centers for Medicare & Medicaid Services (CMS) had not disabled unnecessary generic accounts; had not encrypted user sessions; had not performed vulnerability assessments; and, used a shared read-only account to access the database containing PII.  In addition, the OIG found 22 high, 62 medium, and 51 low vulnerabilities during its scan of the MIDAS system.

The OIG further noted in the report that CMS claimed that the vulnerabilities have been remediated.  However, the report highlights the need for the federal government to increase its cyber-security posture over the information it is responsible for maintaining and protecting. 

On September 29, 2015, GAO issued the results of an audit, which found persistent security weaknesses in IT protections at 24 federal agencies.  These weaknesses, if left unaddressed, continue to place critical information and IT systems at risk, and can impair agencies’ efforts to fully implement information security programs.  GAO has in the past made hundreds of recommendations to these agencies to address these deficiencies, yet many of the recommendations remain unaddressed or unimplemented.

On September 22, 2015, the House Oversight and Government Reform Subcommittee on Information Technology held a field hearing in San Antonio, Texas, to review the federal government’s implementation of cloud computing.  Among the topics discussed during the hearing was the security of federal systems when moving to cloud environments.  As noted by Department of Homeland Security Office of Cybersecurity & Communications Federal Network Resilience Division Director Mark Kneidinger, “A key element to successful implementation of cloud computing is a security program that addresses the specific characteristics of cloud computing and provides the level of security commensurate with specific needs to protect government information.”

Other witnesses highlighted how cloud services can offer improvements to IT security as well as provide cost savings to their customers.  Amazon Web Services Director of Solutions Architecture and Chief Architect Mark Ryland made several recommendations to strengthen the federal government’s IT posture, including further implementation of the Federal Information Technology Acquisition Reform Act (FITARA), especially greater adoption of cloud services in federal agencies; strengthening the role of agency chief information officers (CIO); and, improvements to the FedRAMP cloud security certification process. 

VMware Product Line Manager Alan Boissy reminded committee members of the importance of maintaining vigilance over cyber-security, including in a cloud computing environment.  He pointed out that the recent federal cyber-attacks occurred either in legacy systems or at on-premises data centers, as opposed to the cloud.  These cyber-attacks include the OPM breach, as well as other cyber-attacks at the U.S. Postal Service and State Department.  He further noted that these breaches demonstrated “gaps and failures in governance, policy/procedure and employee training, rather than technical deficiencies in the platform and architecture of the applications.”

FITARA provides agencies with an enterprise-wide approach to IT acquisitions and investments by placing the CIOs in direct oversight of IT contracts, funding, optimization of data centers and IT staff hiring decisions.  In addition, the law encourages increased use of cloud computing services as a means to reduce overall costs; the reduction of duplicative IT spending; and, improved transparency through the increased use of tools like the IT Dashboard and the Office of Management and Budget’s PortfolioStat to monitor IT projects and spending.

Implementation of FITARA by federal agencies will help streamline procurement and reduce wasteful spending, but it does not solve the IT security issues facing the federal government.  Instead, increased implementation of GAO recommendations, as well as ensuring security compliance across the federal government, are key components to protecting the data entrusted to agencies’ care.  Moving systems currently being maintained in a legacy environment to cloud computing services would integrate security measures into these programs, while at the same time reducing costs. 

The federal government is responsible for a large amount of data within its IT infrastructure, including the PII of hundreds of millions of Americans, as well as information relating to defense, national security, the electrical grid, and other national resources.  Cyber-security should not take a back seat to other requirements when agencies purchase or build new information technology systems.  Instead, it should be among the first and highest level of requirements for any system under federal purview.