Security of federal information systems, protecting PII remains ‘high risk issue’
In recent years, the Government Accountability Office (GAO) has issued dozens of audit reports to Congress and the relevant federal agencies, and has made nearly 2,500 recommendations to those agencies for improving their implementation of information security and access controls. These recommendations identify actions for agencies to take not only to protect their databases and systems, but “to fully implement their information security programs and better protect the privacy of personally identifiable information (PII) contained in these systems,” which includes a wealth of personal biometric information.
GAO said in a recent government “High Risk” summary that “critical actions” are needed to address four major cybersecurity challenges, and that federal “agencies need to consistently implement policies and procedures for responding to breaches of PII,” improve federal efforts to protect privacy and sensitive data, and “appropriately limit the collection and use of personal information and ensure that it is obtained with appropriate knowledge or consent.”
In addition, GAO said the government also “needs to better oversee the protection of PII contained in electronic health information and health insurance marketplaces. Needed efforts include the following: The Department of Health and Human Services [HHS] needs to enhance its oversight and guidance related to the actions to protect privacy implemented by entities that maintain electronic health information, and HHS’s Centers for Medicare & Medicaid Services needs to ensure that Healthcare.gov and state health insurance marketplaces have effective controls in place to safeguard electronic health information.”
GAO stressed, “Congress should consider amending privacy laws to more fully protect the PII collected, used, and maintained by the federal government” across the enterprise.
“Many of these systems contain vast amounts of personally identifiable information,” and other types of personal information that can be linked to an individual, such as medical or educational information, while powerful search technology and data analytics software have made it easy to correlate information about individuals across large and numerous databases, “thus making it imperative to protect the confidentiality, integrity, and availability of this information and effectively respond to data breaches and security incidents, when they occur,” Gene L. Dodaro, Comptroller General of the United States, recently told the House Committee on Oversight and Government Reform Subcommittee on Government Operations and Information Technology. “Underscoring the importance of this issue, we continue to designate information security as a government-wide high-risk area in our most recent biennial report to Congress—a designation we have made in each report since 1997.”
GAO first designated information security as a government-wide high-risk area in 1997. This was expanded to include protecting cyber critical infrastructure in 2003, and protecting the privacy of personally identifiable information in 2015.
Advances in technology, such as new search technology and data analytics software for finding and collecting PII, have made it easier for individuals and organizations to correlate data and track it across huge databases, and “ubiquitous Internet and cellular connectivity facilitates the tracking of individuals by allowing easy access to information pinpointing their location,” GAO said, warning that “these advances—combined with the increasing sophistication of hackers and others with malicious intent, and the extent to which both federal agencies and private companies collect sensitive information about individuals—have increased the risk of PII being exposed and compromised.”
There is no longer any doubt that “ubiquitous Internet connectivity and devices, such as smartphones and fitness trackers, have facilitated sophisticated tracking of individuals and their activities,” GAO said. Only recently, GAO determined that critical actions are needed to ensure the security of emerging technologies like IoT, which are making the networks they are connected to more vulnerable.
“However,” GAO emphasized, “many agencies continue to have weaknesses in implementing … controls, in part because many of [its] recommendations have not been implemented,” pointing out that it has made “over 3,000 recommendations to agencies since 2010 aimed at addressing cybersecurity shortcomings,” but that, “As of July 2018, about 1,000 still needed to be implemented.”
Federal agencies reported more than 35,000 information security incidents in Fiscal Year 2017, which GAO broke down by threat vector category.
Disturbingly, 22 percent were due to “improper usage,” which is defined as, “Any incident resulting from violation of an organization’s acceptable usage policies by an authorized user that is not reported as part of another threat vector category,” and loss or outright theft of a computing device or media used by an organization containing PII accounted for 12 percent of the information security breaches. Thirty-one percent of breaches were attributed to “an attack method that does not fit into any other type or is unidentified,” which is “even more disconcerting,” as one senior federal cybersecurity official told Biometric Update on background.
“Government databases that contain information that could be used to identify individuals must be protected from both inappropriate access (i.e., data breaches) and inappropriate use (i.e., for purposes not originally specified when the information was collected),” GAO stated, reiterating that, “The Office of Personnel Management has seen firsthand what can happen when such databases are compromised,” referring to the June 2015 intrusion that compromised personnel records, including biometrics, of about 4.2 million current and former federal employees. “Then, the next month, the agency reported that a separate, but related, incident had compromised files [also containing sensitive biometric PII] related to background investigations for an estimated 21.5 million individuals” seeking security clearances, from which valuable PII and biometrics could be used by hostile foreign intelligence services.
Indeed. Dodaro testified this breach “compromised … the files related to background investigations for” these 21.5 million individuals, adding, “foreign nations—where adversaries may possess sophisticated levels of expertise and significant resources to pursue their objectives—pose increasing risks. Rapid developments in new technologies, such as artificial intelligence and the Internet of Things, makes the threat landscape even more complex and can also potentially introduce security, privacy, and safety issues that were previously unknown.”
Consequently, GAO has repeatedly stressed, “Safeguarding federal computer systems and the systems that support critical infrastructures—referred to as cyber critical infrastructure protection—is a continuing concern. The security of federal cyber assets has been on GAO’s High Risk list since 1997,” GAO pointed out, noting that, “The area has since been expanded to include the protection of critical cyber infrastructure and the privacy of personally identifiable information that is collected, maintained, and shared by both federal and nonfederal entities. PII is any information that can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, Social Security number, or other types of personal information that can be linked to an individual, such as medical, educational, financial, employment information,” and biometrics.
“Risks to cyber assets can originate from unintentional and intentional threats,” which include “insider threats from disaffected or careless employees and business partners and escalating and emerging threats from around the globe,” GAO emphasized, saying, “The steady advance in the sophistication of attack technology, and the emergence of new and more destructive attacks also pose risks. The ineffective protection of cyber assets can facilitate security incidents and cyberattacks that disrupt critical operations; lead to inappropriate access to and disclosure, modification, or destruction of sensitive information; and threaten national security, economic well-being, and public health and safety.”
Meanwhile, GAO further reported that none of the 24 agencies it audited “have policies that fully addressed the role of their Chief Information Officers (CIO) consistent with federal laws and guidance. In addition, the majority of the agencies did not fully address the role of their CIOs for any of the six key areas that GAO identified … including ten that have only partially implemented information security.”
The 24 selected CIOs acknowledged in their responses to GAO’s survey that they were not always very effective in implementing the six information technology (IT) management areas.
“Until agencies fully address the role of CIOs in their policies, agencies will be limited in addressing longstanding IT management challenges,” GAO warned, emphasizing that, “Shortcomings in agencies’ policies are partially attributable to two weaknesses in the Office of Management and Budget’s (OMB) guidance. First, the guidance does not comprehensively address all CIO responsibilities, such as those relating to assessing the extent to which personnel meet IT management knowledge and skill requirements and ensuring that personnel are held accountable for complying with the information security program. Correspondingly, the majority of the agencies’ policies did not fully address nearly all of the responsibilities not included in OMB guidance.”
Second, GAO said OMB’s guidance “does not ensure that CIOs have a significant role in IT planning, programming, and budgeting decisions; and execution decisions and the management, governance, and oversight processes related to IT. In the absence of comprehensive guidance, CIOs will not be positioned to effectively acquire, maintain, and secure their IT systems.”
In GAO’s survey, the 24 agencies identified a … lack of consistent leadership in the CIO position. “They continue to face longstanding challenges in doing so. Congress established the CIO position to serve as an agency focal point for IT to address these challenges.”
All this comes as federal agencies plan to spend another $96 billion on IT in Fiscal Year 2018.
GAO found that, “Although OMB has issued guidance aimed at addressing the three factors that were identified by at least half of the CIOs as major challenges, the guidance does not fully address those challenges. In particular, with respect to the challenges relating to IT personnel, OMB’s guidance does not address key CIO responsibilities, as previously noted. Further, regarding the financial resources challenge, OMB recently required agencies to provide data on CIO authority over IT spending; however, OMB’s guidance does not provide a complete definition of the authority. In the absence of this guidance from OMB, agencies have created varying definitions of CIO authority. Until OMB updates its guidance to include a complete definition of the authority that CIOs are to have over IT spending, it will be difficult for OMB to identify any deficiencies in this area and help agencies to make any needed improvements.”
Fourteen agencies agreed with GAO’s recommendations. Five had no comments.
“OMB partially agreed with GAO’s recommendation to issue guidance for responsibilities that are not included in existing OMB guidance,” but, GAO stated, OMB “continues to believe that this recommendation is warranted, as discussed in the report … Moreover, after GAO provided the draft report to OMB for comment, the President signed an executive order that, among other things, clarified the role that CIOs are to have in the management, governance, and oversight processes related to IT. The executive order is responsive to GAO’s related recommendation.”
GAO assured Congress it “will continue to monitor agencies’ implementation of the executive order.”