October 17, 2008 9:40 AM PDT

Note to McCain, Obama: Don't forget information security

by Jon Oltsik

Regardless of whether you favor Barack Obama or John McCain, you have to admit that the next president will inherit a monumental mess.

Each candidate has been scrambling to explain how he plans to right the financial ship, rein in growing health-care costs, improve education, and balance the budget. Yikes!

As if this wasn't enough, the new president and Congress also have an obligation to figure out how to proceed with a strategic plan for IT and information security.

Now I understand that economic, social, and national security issues should have precedence, but the fact is that the federal government is sort of treading water on a number of highly visible strategic initiatives regarding information security. The issue here isn't new legislation or initiatives, however. It is finishing work that has already been started.

Here are a few examples:

1. The Comprehensive National Cyber Security Initiative (CNCI). This effort grew out of presidential and Department of Homeland Security directives with the goal of standardizing security practices and appointing DHS as the overseer of critical information security infrastructure across all federal agencies. It is estimated that CNCI will ultimately cost around $18 billion to $30 billion. But for now, DHS is asking for $200 million in 2009. As of this writing, these funds have not been allocated to the project.

2. The next revision of the Federal Information Security Management Act (FISMA) of 2002. Back in 2002, FISMA was passed in order to provide a set of guidelines and requirements for federal agencies. Each agency was then graded on a FISMA report card with the results presented to Congress and the public. Several agencies (alarmingly, including DHS) received an "F", while others saw FISMA as nothing more than a series of check boxes with no teeth. To improve the efficacy and benefits of FISMA, the Senate is currently working on the FISMA Act of 2008 (S.3474). As of now, this bill remains in committee.

3. A national information privacy act. The Personal Data and Privacy Act (S.495) has been languishing in the Senate for years. In lieu of national personal-privacy legislation, 42 states have enacted their own laws, leading to a messy situation for any organization doing business across the country. Some states, like Nevada and Massachusetts, now mandate data encryption to protect data confidentiality, but the individual laws remain vague and unique to each state.

These examples pale in comparison to the federal train wreck around Homeland Security Presidential Directive 12 (HSPD-12), a well-intended but unfunded effort to standardize identity technologies for federal workers and contractors. In my opinion, the lack of federal funding has rendered HSPD-12 a bad joke inside the Beltway.

As a private citizen, I can't help but lament the tremendous amount of wasted effort here, especially in the face of increasingly dangerous information security threats. Bills are discussed but not passed. Some legislation gets passed and is either ignored or treated as a mere check-box item. Other bills are passed and never funded.

Unfortunately, these examples are a microcosm of a broken, wasteful system. Regardless of who becomes our next president, I'll judge progress in Washington by the government's ability to pass and fund legislation, meet regulatory compliance mandates, improve information security, and strive for constant improvement. I, for one, will be watching carefully.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
(11 Comments)
by ensignsj October 17, 2008 10:57 AM PDT
Yeah, I can see them taking up this issue. Maybe Joe the Plumber can hop on it.
by ferretboy88 October 21, 2008 2:46 PM PDT
It's better than Joe the Democrat on welfare.
by n3td3v October 17, 2008 12:18 PM PDT
The dodgy dossier is coming out by Marcus Sachs & Co. in November. It should be entertaining: ramped-up false pretencing ******** to "shock and awe" whoever reads it into thinking hackers are about to take over the world, when in fact they aren't.
by securityrules October 17, 2008 2:42 PM PDT
Jon raises an important number of issues, and overall, cyber security is actually already a major and national economic security issue. If people don't understand that then, well, they don't understand what is really happening to sensitive information in government networks, the intellectual property of our companies, and financial and other valuable information of organizations and individuals. The statement above about "...thinking hackers are about to take over the world" reflects a total lack of understanding about what is really going on. Perhaps just reading a basic article in a major business publication will help educate n3td3v, at least a little bit: http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
by idmachines October 18, 2008 5:06 AM PDT
HSPD 12 is not a train wreck. The FIPS 201 specification is driving standardization around converged credentials for logical and physical security (including state and local government, first responders, airports, transportation workers, critical infrastructure, and aviation outside the Fed); sure, it was unfunded, but given that fact it has made serious progress. The proof will be in the next 2-3 years. Among the other important trends FIPS 201 and HSPD 12 have fostered or accelerated are the use of digital certificates for physical access control, PKI as the standard for multi-factor authentication, the Server Certificate Validation Protocol and Online Certificate Status Protocol providing a scalable solution to certificate validation and solving the trust issue associated with federation, and PKI as a service, among others. You do your readers, industry, government and taxpayers a disservice to characterize what is one of the most important IT trends in the flip manner you did, as a train wreck.
by JPLer October 18, 2008 4:04 PM PDT
Irrespective of the merits of HSPD-12 itself, some details of the implementation -- particularly the unjustifiably intrusive (and expensive) background investigations -- are certainly a train wreck. The courts have found that the investigative process unconstitutionally violates employees' privacy rights and have enjoined it with respect to a NASA contractor (see http://hspd12jpl.org/ for more). The next president will get a chance to alter the policy government-wide. I am particularly heartened by Sen. Obama's recognition that privacy is indeed a constitutional right, and his pledge to review his predecessor's executive orders for constitutionality. Both candidates may want to look into the cost of re-investigating 7+ million federal employees and contractors at ~$500 per person in direct costs (HR, investigations, etc.) and ~$2000 or more in indirect (lost productivity) costs.
by idmachines October 19, 2008 8:45 AM PDT
I do not understand how you can say "irrespective of the merits" and then focus on the requirement for background investigations. Not all Federal employees will have to undergo new background checks; the costs for a background check that you indicate seem higher than those I have encountered; the productivity impacts that you describe are offset by the productivity improvement from using a single converged credential; etc. But let's take your arguments at face value and say that the requirement for background checks needs to be relevant and in balance with those in the private sector for like jobs; no argument there. I am trying to address the fact that the specification (FIPS 201) that resulted from HSPD 12 will end up being a very important and positive thing for physical, logical and device security. This specification will evolve, and the security, privacy and productivity will improve as a result. Train wreck? I think not.
by JPLer October 19, 2008 10:58 AM PDT
HSPD-12 calls for a uniform form of identification and does not at all require any particular method of background investigation. NACI as a minimum requirement is a FIPS 201 add-on. The purpose of HSPD-12 on its face is to make it possible to trust the badge. It somehow mushroomed into a lofty requirement to be able to trust the badge holder. NACI has an explicit goal of vetting the prospective employee to determine her "reliability". NACI has been a requirement for initial employment in federal civil service. It is a new requirement for continued employment (with a 5-year reinvestigation period accepted by most agencies) and is a new requirement for contractor employees. FIPS 201 does not recognize the obvious differences -- such as the fact that contractor employees are oftentimes foreign nationals for whom NACI is meaningless. Into the fifth year of HSPD-12, agencies still cannot consistently address the foreign national issue (the Army is then issuing IDs without ANY vetting: http://www.nextgov.com/nextgov/ng_20081016_9851.php).
The costs of this unfunded mandate are hard to evaluate. The Treasury IG (http://www.treas.gov/tigta/auditreports/2008reports/200820030_oa_highlights.html) came up with a $421 million projected cost to implement HSPD-12 for its 150K employees, a bit higher than the numbers I estimated (but over a longer period). Productivity improvements long-term are even harder to evaluate. I would challenge anyone to identify a $3K productivity gain per 5 years per person attributable to HSPD-12.
by idmachines October 25, 2008 6:21 PM PDT
The Treasury number seems over the top. Perhaps that number takes into account the fact that they decided to build their own PKI; they also went down the path of becoming a shared service provider, a far different scenario than trying to credential their population, so picking Treasury as an example is comparing apples to oranges. If that is the case then you need to look at this as the spend for identity management. A more realistic comparison is the cost for credential issuance to the GSA at $224 for five years, not the $3k you point at. I know this does not include the NACI, and yes, the issues you raise about foreign nationals are legitimate. I am trying to put the background check component aside and focus on the fact that getting people to use an interoperable credential is NOT a train wreck. I will not repeat my rationale in the earlier post about why FIPS 201 makes sense and why HSPD 12 makes sense. My issue with your comment is that you conflate the issues here. I appreciate the back and forth, but can we please not use ginned-up statistics specifically to support your case. I can tell you that you save $150 per password reset, $15 per year in one-time password tokens, $35 for every paper transaction eliminated based on digital signatures, $10+ for the elimination of other physical access control credentials; DoD eliminated 46% of its unauthorized access attempts, and so on. The reason OMB did this is because it will save the government money. None of this takes into account the security or productivity benefits. The reason it is being implemented in the commercial sector is based on the same; look at aerospace and the Transglobal Secure Collaboration Program, bio-pharma with SAFE. You can look at any number of reports from Yankee Group, Datamonitor, Smart Card Alliance, etc. on the value of a converged credential. None of these organizations called the approach a train wreck; most said it was a smart investment.
My point here is to make sure the conversation is balanced and to base it on objective facts.
by JPLer October 25, 2008 11:37 PM PDT
I will not disavow bias on my part, but I would challenge the impartiality of an industry insider and your fellow cheerleaders at Smart Card Alliance, etc. Please consider this as a response to your "ginned up" ad hominem.

On the merits, though, NACI requirement is a part of FIPS-201. The issue of background investigations is not therefore artificially conflated with the technical merits. Please note that NACI is precisely the issue I addressed in my original message.

Treasury report is the only source I found of somewhat independent review of the costs. GSA cost only covers printing the card and maintaining its digital certificate, but not the cost of (re)investigations (new cost). If you can point me to another independent estimate of end-to-end costs, I will gladly consider it.

$150 per password reset pales in comparison with what we were told the policy would become for lost badges (no access until the new one is printed -- off-site). If you forget one at home you would have to drive back to fetch it (did I mention this is in LA?).

I do not see a reason for a cafeteria worker or a gardener or a cleaning lady to have one time password tokens or digital signatures. Similarly, I do not see a reason for an agency-interoperable badge for 90% of employees.

The 46% reduction in DoD intrusion rates is attributed to a single source, the AFCEA SpaceComm 2007 conference (http://www.fcw.com/online/news/97480-1.html). The same article mentions 6 million probes of DoD networks a day (likely in 2006), while http://www.thenewsstar.com/apps/pbcs.dll/article?AID=/20081004/NEWS01/810040313 mentions "estimated 80 000 attacks", likely in 2007. That's a factor of over 27000 difference. Without independent verification these numbers might as well be pulled out of the air. And presumably, CAC (or PIV-II) without the NACI would work just as well.

Again, I have no particular problem with the technical standard or with the idea that such technical standard might be uniform. I have a problem with policy unnecessarily driven by technology.
by skswave October 21, 2008 6:35 AM PDT
Change takes time but is very possible if government and industry can work together. The switch to HDTV would be a poster child for this. Who would have believed we could have done it?

Cyber security could use a big project that would get all of us involved. I would propose the following policy change.

"Require all federal Taxes filed electronically be signed by ID keys secured by hardware by 2014"


The technology to accomplish this is very well understood and will be free for the users (smartcards, USB tokens and TPMs could be used). The TPM provides an industry-standard, industry-funded initiative to put hardware security in every user's hand. With over 250 million TPMs out there, this is already underway.
As a result of this, all users will have to get a digital ID for business with the federal government. This will include small business, large business and individuals. The infrastructure would get built to issue digital IDs for federal use but could easily issue other IDs for other purposes. It would also help us poor users figure out how to manage these things.
Government would benefit from a significant reduction in the cost to verify and process business transactions with taxpayers.
Government would potentially significantly reduce the ability to hack the taxes.
Users would get an easier-to-manage method of authenticating to government for the request of services and completion of transactions.
Users would get a foundation for a tamper-resistant identity to do business with government and, unlike a personal ID card, a digital identity has many fewer negatives.

This is a simple concept, but one that could dramatically change how we do business on the Web and help us to secure the future of computing.

Steven Sprague
CEO
Wave Systems Corp