How To Protect Against Data Thieves
The big data-security gaffes have been in business. But government agencies handle just as much personal data. Here's how to protect it.
September 1, 2005
More than 50 million personal identities were reported exposed or compromised in the last six months, mostly from theft, system breaches, and loss during transport. Most of the exposure has been at businesses and universities. But that doesn't mean that government entities haven't had similar incidents and aren't also vulnerable.
Government agencies have reported only a smattering of security breaches involving personal data perhaps because, until recently, few laws existed compelling them to go public. But problems are lurking. The Internal Revenue Service, with one of the most extensive collections of personal data, in June ordered a security review of a five-year, $20 million contract it has with ChoicePoint Inc., the data aggregator that allowed criminals to access data on 145,000 people. Earlier this year, in April, the Government Accountability Office found the IRS had 39 new information-security weaknesses, in addition to 21 previously identified and uncorrected problems. The Department of Homeland Security came under fire in July when the GAO said its systems don't meet federal information-security standards.
The problems aren't limited to federal agencies. In March, thieves broke into the Department of Motor Vehicles office in Donovan, Nev., and stole the system used to create drivers' licenses and IDs. They took a camera, printer, and hard drive containing personal information on 8,738 people, including signatures and Social Security numbers, as well as supplies to make licenses. In April, Georgia's Department of Motor Vehicles had an employee steal personal data on "hundreds of thousands" of people, according to the Privacy Rights Clearinghouse, a nonprofit consumer-advocacy group that has maintained a list of security lapses since the ChoicePoint incident was revealed in February.
A system that tracks child-support cases will have data protection built in at a "very granular level," California CIO Kelso says.
While the public sector hasn't had a major headline-grabbing attack, that's no guarantee of the future security of constituent and employee personal data. "All we need is one major breach to cause citizens to wonder about the rest of the data the government has," says Lester Nakamura, administrator of Hawaii's Information and Communication Services Division and chairman of the National Association of State CIOs' privacy committee.
"We're all subjected to the same basic set of risks," says J. Clark Kelso, CIO of California. "When I read about the recent attacks, I don't put too much stock in the fact that [the state government] hasn't had a serious breach in three years. Eventually, our number will come up."
Three years ago, a hacker installed software on a California server that held payroll-deduction information. No data was compromised, but the incident underscored the importance of protecting personal data. The state's Security Breach Information Act, which went into effect two years ago, requires government agencies and businesses that maintain personal data to notify people if the security of their information is compromised. As of mid-June, legislation about notification of security breaches had been introduced in at least 35 other states, according to the National Conference of State Legislatures. Seventeen of them have passed legislation, and seven of those laws apply specifically to state agencies. Forty-one data-protection bills are pending in the U.S. House and Senate.
IT executives at all levels of government aren't waiting for legislation to force their hands. Many are moving to harden the security around the personal data entrusted to their organizations. Among the various tacks: enterprise architectures that incorporate security measures and strategies from inception; encryption and network-monitoring technology to close holes in existing systems; attention to particularly vulnerable areas such as wireless technology; and the deployment of extensive training and certification programs.
By weaving security into the overall IT architecture at the Department of Veterans Affairs, Pedro Cadenas Jr., associate deputy to the assistant secretary for cyber and information security, hopes to build it into every IT project. "I'm trying to get everyone thinking about security as it should be thought of, as an inherent part of a project, not an afterthought," he says. The VA, which is the second-largest federal department, with about 236,000 employees handling everything from medical claims to veterans' benefits to cemetery plots, is taking a top-down approach. If top execs sign off on IT security, it's more likely to be adopted throughout the organization, Cadenas says.
But dictated guidelines and standards on how security should be applied can be a sore spot with IT professionals who look at their development work as an art form rather than a science. "Too often, there's a misconception that if you have to read the instructions, you're not an IT professional," Cadenas says. The VA has countered this way of thinking by encouraging its tech staff to get back to the basics of configuring and managing technologies properly and to not look at security as just being made up of peripheral devices but rather as "an entire life-cycle approach," Cadenas says. "There's been a transition over the last few years. ... Privacy and security went from being a 'pain' to something that's proactively sought after. Now people are saying early on in a project, 'Let's get these security people involved.'"
The Food and Drug Administration, which handles data from pharmaceutical companies on drug trials, among other sensitive information, is taking a similar approach, making data security an integral part of enterprise-architecture governance, chief information security officer Kevin Stine says. "This integrated relationship better supports the incorporation of security considerations throughout each phase of the information-technology life cycle, rather than as an afterthought," he says.
At the state level, California's Kelso has created teams of state workers from both the business and IT sides of the 75 departments in its executive branch. The teams are charged with establishing common policies and standards for using, storing, and transmitting sensitive data, such as Social Security numbers.
California already has seen increased emphasis on security in new-product deployments. A system that tracks child-support cases will have data protection built in at a "very granular level" when it's deployed next year, Kelso says. Not only will it authenticate users, but it also will verify their authority to access data on a transaction basis, he says.
Some agencies are focusing on data-storage policies to improve security. Since the recent break-in, Nevada motor vehicle offices can no longer keep data on local hard drives overnight. "At the end of the day, there is no data on any hard drive anywhere in the state," DMV director Ginny Lewis said at a Nevada Senate hearing. "Even in the event of a catastrophic failure, I would rather lose some records than go through what we have just experienced." The state also is considering requiring biometric-access technology on DMV computers.
Several agencies are adopting tools that are able to identify suspicious requests for data or traffic on networks. The Defense Information Systems Agency, which engineers, implements, and supports IT systems for the secretary of Defense and the Defense Department, is in the process of deploying DataPower Technology Inc.'s Xs40 XML Security Gateway, a set of applications that scans the content of messages for potential security risks. The defense agency is putting the gateway on its Net-Centric Enterprise Services architecture, which is a key information-sharing component of the Defense Department's Global Information Grid, a network used to share classified and unclassified information.
The technology employs business logic and granular analysis to check individual messages to ensure authorized users are senders and that the content is authorized to travel from one part of the agency's network to another or to go outside the agency's internal network. If a user makes a call to a server requesting 10,000 names or Social Security numbers, the software will flag that request as suspicious.
"Technology has become smarter so that it can analyze the kinds of requests being made," says Eugene Kuznetsov, DataPower's founder and chief technology officer. "It's one area where the government is ahead of the private sector. Private-sector systems just look for a 'yes, you're allowed access' or a 'no, you're not.' Government is more methodical and understands the importance of fine-grained authentication."
Security should be inherent to a project, "not an afterthought," VA's Cadenas says.
The VA, which recently consolidated more than 200 gateways used to access its systems down to four, has done something similar. It's looking at analytical software that can scan message content and identify suspicious transmissions such as nine-digit numbers that could be Social Security numbers being sent within instant messages or E-mails.
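The two checks described above, flagging a request for 10,000 records and spotting nine-digit numbers in instant messages or E-mails that could be Social Security numbers, can be sketched in a few lines. This is an added illustration, not code from DataPower, the VA, or any agency named in the article; the message fields, the threshold constant, and the sample traffic are assumptions made for the example.

```python
import re

# Nine digits, bare or as AAA-GG-SSSS / AAA GG SSSS, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")
BULK_THRESHOLD = 10_000  # assumption: taken from the article's 10,000-record example

def plausible_ssn(area, group, serial):
    """Drop values the SSA never issues: area 000, 666 or 9xx, group 00, serial 0000."""
    return not (area in ("000", "666") or area[0] == "9"
                or group == "00" or serial == "0000")

def find_ssn_candidates(text):
    """Return the SSN-shaped strings in text that pass the structural checks."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if plausible_ssn(m.group(1), m.group(3), m.group(4))]

def redact(value):
    """Keep only the last four digits so the alert itself does not leak the number."""
    return "***-**-" + value[-4:]

def review_message(msg):
    """Return (rule, detail) findings for one message or data request."""
    findings = []
    hits = find_ssn_candidates(msg.get("body", ""))
    if hits:
        findings.append(("ssn_in_content", [redact(h) for h in hits]))
    if msg.get("records_requested", 0) >= BULK_THRESHOLD:
        findings.append(("bulk_request", msg["records_requested"]))
    return findings

# Constructed sample traffic; every name and number here is made up.
SAMPLE = [
    {"sender": "clerk1", "channel": "im", "body": "claimant ssn is 123-45-6789"},
    {"sender": "clerk2", "channel": "email", "body": "call 555-123-4567, ticket 987654321"},
    {"sender": "svc-report", "channel": "api", "body": "", "records_requested": 10000},
]

if __name__ == "__main__":
    for msg in SAMPLE:
        print(msg["sender"], msg["channel"], review_message(msg) or "clean")
```

The structural checks cut false positives from phone numbers and ticket IDs, but a nine-digit match is still only a candidate that needs human review.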
Cadenas says he wants technology that will not only limit access to VA systems to authorized users but also will check that their computers have the correct security patches and standards. With outside contractors and remote employees regularly accessing VA systems, this additional check is needed. "We know they're a trusted user, but we don't know where that user went with that computer prior to accessing our system," Cadenas says.
Federal and state agencies also are developing stricter requirements for storing potentially sensitive information and are encouraging the use of encryption. California is preparing data policies and is considering other recommendations, including not letting Social Security numbers be stored on laptop or mobile computers, says Joanne McNabb, chief of the state's Office of Privacy Protection. "We're also refining and updating our data-classification guidelines so that sensitive data can be more easily identified," she says.
Encryption is being used to secure information on laptops and wireless devices because a significant portion of the breaches California has had are from stolen or lost laptops, McNabb says. California law requires state agencies to notify citizens whose data has been compromised if that data wasn't encrypted.
The California Department of Parks and Recreation is in the middle of rolling out wireless capabilities to staff at its 70 major parks. "You have to worry about the risks associated with wireless," Kelso says. "A worst-case scenario: Someone isn't just intercepting a wireless signal but generating a false sign-on page. We've got to be aware of this and impose encryption policies and [other security] standards to prevent security breaches."
One of the greatest weapons against attacks is an informed workforce, so some agencies are undertaking extensive training programs. The Defense Department is preparing guidelines to be released in the next few months that will require all employees tasked with protecting information to attain certain minimum levels of training in security technologies related to that work or leave their jobs.
"The government has put a lot of time and money into deploying security controls only to realize they can still be compromised," says Barry Kaufman, director of training services for security-consulting and IT-training company Vigilar Inc. Agencies are sending employees to IT boot camps and instituting computer-based training to meet requirements in the Federal Information Security Management Act, a 3-year-old law that requires agencies to put information-security programs in place and meet certain security standards, and in the Health Insurance Portability and Accountability Act of 1996, which sets privacy and security standards for government and health-care organizations that handle personal health-related information. But these programs have failed to produce the number of trained IT staff originally intended, Kaufman says.
The VA also has taken extra steps with training. It has created a cybersecurity university, a combination of tech boot camp and computer-based classes. It also hosts an annual conference for information-security officials within the department.
The VA's general IT users are given information on best practices and commonsense approaches to keeping data safe. Information security officers and other IT staff get courses on policies, procedures, federal requirements, and specific security technologies. But the agency has found increased overlap between the two groups. "The general-user population has really stepped up and gone above and beyond required training," Cadenas says.
It's this sort of proactive approach to education and training, along with the deployment of targeted tools and a big-picture focus on data security as part of the overall IT strategy, that's needed to give government agencies any hope of staying ahead of data thieves and protecting themselves from embarrassing mishaps. These steps also will make it easier to cope with new requirements that will inevitably come from Congress and state legislatures when they return this fall to debate various data-protection and security-breach-notification proposals.