Inadequate Cybersecurity: The Need to Effectively Secure Federal Information Systems
Anupriya Krishna[1]
In October 2006, the Bureau of Industry and Security, a part of the U.S. Department of Commerce, replaced hundreds of computers and restricted employees from using the Internet for several weeks because of a “debilitating attack” on its computer systems.[2] The bureau was the target of a “rootkit” software program that allowed attackers to hide their presence and gain access to the bureau’s computers.[3] There are numerous cyber incidents like this every year that target the information systems of the federal government.
Cyber-attacks against federal agencies are increasing at an alarming rate. In 2006, federal agencies reported 5,503 cyber incidents.[4] In 2009, the number of cyber incidents reported by federal agencies increased to 30,000; this number increased to 41,776 in 2010.[5] In fact, many more cyber incidents may have occurred that were not reported because agencies have differing internal reporting policies.[6] While some of the increase can be attributed to improvements in detection, the large number of cyber incidents still raises questions about the effectiveness of the government’s cybersecurity. This article briefly examines how federal agencies secure information systems unrelated to national security and offers recommendations for improving cybersecurity.
Securing Federal Information Systems
Every federal agency is required to secure its non-national security related information systems in accordance with the Federal Information Security Management Act of 2002 (FISMA).[7] FISMA requires each federal agency to implement an information security program that utilizes a risk based approach in selecting and employing security controls suited for its mission.[8] In implementing the program, each agency must take steps to determine how susceptible its systems are to abuse, determine what type of harm could result from various abuses, and implement the necessary safeguards to respond to the abuse.[9] After an agency implements an information security program, FISMA requires the agency to independently evaluate the program each year to determine its effectiveness.[10] The program that each agency implements and maintains must be consistent with the technological requirements published by the National Institute of Standards and Technology.[11]
FISMA takes affirmative steps to address cybersecurity but implementation of the act has been disappointing. In October 2011, the U.S. Government Accountability Office reported that twenty-four federal agencies had still failed to completely implement their information security programs.[12] The report concluded that sensitive information and information systems at the twenty-four federal agencies remain at risk because information security controls were weak.[13] These weaknesses only increase the likelihood that an agency will be unable to fend off cyber-attacks. For example, in July 2009, unknown hackers were able to shut down the websites of the U.S. Department of Transportation, the U.S. Department of the Treasury, and the Federal Trade Commission as part of a larger plot that targeted many government agencies.[14] Yet the White House and the Pentagon were able to fend off the same attack on their websites.[15] This suggests that cybersecurity is not implemented evenly across all federal agencies.
Making Cybersecurity A Priority
With cyber incidents increasing each year, federal agencies cannot afford to overlook the importance of effective cybersecurity. To improve cybersecurity, all federal agencies must first and foremost comply with FISMA and fully implement information security programs. Presently, accountability is lacking; major agencies that have not fully complied with FISMA see few repercussions beyond receiving dismal grades in the annual FISMA review prepared by the Office of Management and Budget (OMB).[16] OMB does have certain oversight authority; it can impose sanctions on non-compliant agencies, such as reducing an agency’s information technology budget.[17] However, OMB does not use sanctions because of the high number of federal agencies that would be subject to such sanctions.[18] FISMA was passed ten years ago; the time has come for OMB to impose sanctions to coerce agencies to fully implement information security programs.
For effective cybersecurity, federal agencies must take measures beyond simply complying with FISMA. Many federal agencies operate under the assumption that if their information systems are FISMA compliant they are secure; this assumption is flawed.[19] In Cobell v. Norton, the plaintiffs, who were beneficiaries of a trust managed and administered by the U.S. Department of the Interior, alleged that the department breached a fiduciary duty because it failed to safeguard sensitive electronic data from unauthorized access.[20] The department provided security certifications for certain information systems showing FISMA compliance; despite this, a private contractor’s assessment for the district court found that there were still numerous security vulnerabilities.[21] In 2005, the district court granted a preliminary injunction requiring the department to disconnect all systems with access to Indian Trust data from the Internet.[22] Even though the injunction was vacated on appeal the following year, this case illustrates that a FISMA compliant system does not necessarily equal a secure system.
One possible approach for improving cybersecurity is to make security a priority in procurement. The Federal Acquisition Regulations, which govern the federal government’s procurement process, state that individuals “involved in procurement should ‘exercise personal initiative and sound business judgment’” in making purchasing decisions.[23] In exercising initiative, procurement teams can assume a strategy or policy that “is in the best interests of the government” as long as it does not conflict with existing law.[24] Thus, each agency is left to itself to determine what technology to purchase so long as it is in compliance with FISMA and the standards published by the National Institute of Standards and Technology.[25] Currently, many agencies do not seriously consider security when making information technology purchases, with the exception of agencies performing national security related work.[26] As a routine procurement practice, agencies should specify detailed security requirements when negotiating contracts with vendors. Specific security language should be included in contracts, such as requirements that the product be configured securely or that the product be free from certain programming errors.[27] By making changes to internal procurement practices, federal agencies can easily strengthen their cybersecurity.
Federal agencies have an enormous amount of leverage as consumers. The federal government spent almost $71 billion on information technology during the 2009 fiscal year.[28] The federal government alone consumes about “forty-two percent of all software and computing services.”[29] With a market share this large, the government can set market trends as a consumer. Consider how the U.S. Air Force was able to strengthen the security of its systems by using its procurement power as leverage. The Air Force wanted to deploy a standard configuration for over 500,000 computers that could block most cyber-attacks.[30] The Air Force could have done this itself after purchasing the computers, but each computer would have to be configured one-by-one; this certainly would not have been cost-effective.[31] Instead, the Air Force was able to get Microsoft to install secure configurations on all the computers it was purchasing by dangling a huge contract.[32] Although Microsoft had refused to customize products for other customers, it agreed to configure the computers for the Air Force because it did not want to lose a six-year software contract worth about $500 million.[33] Just like the Air Force, every federal agency should use its procurement power as leverage to get vendors to deliver more secure products, rather than buying the standard products vendors sell at retail.[34] This is one of the most cost-effective approaches that federal agencies can adopt to strengthen their cybersecurity.
Conclusion
Federal agencies, specifically those that handle non-national security related information, must take more action to secure their information systems. To improve cybersecurity, federal agencies must first fully implement their information security programs and maintain FISMA compliance. Additionally, the federal government must become a savvy consumer. Federal agencies should change internal procurement practices so that security is one of the priority considerations when purchasing technology. Each agency should use its enormous procurement power as leverage to demand more secure products. With cyber incidents increasing each year, it is essential that all federal agencies make cybersecurity a priority.
[1] Legal Fellow, Criminal Justice Section, American Bar Association; LL.M., 2012, The George Washington University Law School; J.D., 2007, Cleveland-Marshall College of Law, Cleveland State University; B.A., 2004, The Ohio State University.
[2] Alan Sipress, Computer System Under Attack; Commerce Department Targeted; Hackers Traced To China, Wash. Post, Oct. 6, 2006, at A21.
[3] Id.
[4] U.S. Gov’t Accountability Office, GAO-12-137, Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements (Oct. 2011), at 4, available at http://www.gao.gov/assets/590/585570.pdf.
[5] Elizabeth Montalbano, Federal Cyber Attacks Rose 39% in 2010, InformationWeek, Mar. 23, 2011, http://www.informationweek.com/news/government/security/229400156. The number of cyber incidents is based on those reported to the United States Computer Emergency Readiness Team (US-CERT), which is part of the U.S. Department of Homeland Security. Id.
[6] U.S. Eyes N. Korea for ‘Massive’ Cyber Attacks, MSNBC, July 9, 2009, http://www.msnbc.msn.com/id/31789294/ns/technology_and_science-security/t/us-eyes-n-korea-massive-cyber-attacks/.
[7] Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541-3549 (2010). FISMA was passed as part of Title III of the E-Government Act of 2002. See E-Government Act of 2002, 44 U.S.C. §§ 3501-3549 (2010).
[8] 44 U.S.C. § 3543(a) (2010).
[9] Robert Silvers, Note, Rethinking FISMA and Federal Information Security Policy, 81 N.Y.U. L. Rev. 1844, 1848 (2006).
[10] 44 U.S.C. § 3545(a)(1) (2010).
[11] Id. at § 3544(a)(1)(B)(i). The National Institute of Standards and Technology develops security standards and guidelines for information systems, such as minimum operational and technical security controls. National Institute of Standards and Technology, FISMA: Detailed Overview, http://csrc.nist.gov/groups/SMA/fisma/overview.html (last visited Aug. 6, 2012).
[12] U.S. Gov’t Accountability Office, GAO-12-137, supra note 4, at 9.
[13] Id. at 33. The twenty-four agencies include the U.S. Department of Homeland Security, U.S. Department of Justice, U.S. Department of State, U.S. Department of Transportation, and U.S. Department of the Treasury. Id. at 2.
[14] U.S. Eyes N. Korea for ‘Massive’ Cyber Attacks, supra note 6.
[15] Id.
[16] Silvers, supra note 9, at 1849.
[17] 44 U.S.C. § 3543(a)(4) (2010).
[18] Silvers, supra note 9, at 1868-1869. Reducing an agency’s information technology budget is viewed by some as counter-productive because FISMA is an “unfunded mandate,” which means federal agencies must comply with FISMA using their pre-existing budgets. Id. at 1859.
[19] See Daniel M. White, Note, The Federal Information Security Management Act of 2002: A Potemkin Village, 79 Fordham L. Rev. 369, 377-384 (2010). This article argues that FISMA fails to strengthen information security because security is viewed as a technological problem, instead of an economic problem.
[20] Cobell v. Norton, 394 F. Supp. 2d 164, 165 (D.C. 2005), vacated, 455 F.3d 301 (D.C. Cir. 2006).
[21] Id. at 167.
[22] Id. at 165.
[23] Steven Kelman, Article, Remaking Federal Procurement, 31 Pub. Cont. L.J. 581, 584 (2002). Procurement at some federal agencies, like the Department of Defense, is governed by specific supplements in the Federal Acquisition Regulations. Id. at 583.
[24] Id.
[25] 44 U.S.C. § 3544 (2010). See also National Institute of Standards and Technology, Frequently Asked Questions, http://csrc.nist.gov/groups/SMA/fisma/faqs.html (last visited Aug. 6, 2012).
[26] Robert W. Hahn & Anne Layne-Farrar, Article, The Law and Economics of Software Security, 30 Harv. J.L. & Pub. Pol’y 283, 346-347 (2006). The Department of Defense mandates that “all new software be submitted to the National Security Agency for security testing.” Id.
[27] Cyber Security: Developing a National Strategy: Hearing Before the S. Comm. on Homeland Sec. & Gov’t Affairs, 111th Cong. 4-28 (2009) (statement of Alan Paller, Director of Research, SANS Institute) [hereinafter “Cyber Security Hearing”].
[28] U.S. Gov’t Accountability Office, GAO-10-2, Information Technology: Agencies Need to Improve the Implementation and Use of Earned Value Techniques to Help Manage Major System Acquisitions (Oct. 2009), at 2, available at http://www.gao.gov/assets/300/296575.pdf.
[29] Hahn & Layne-Farrar, supra note 26, at 346.
[30] Cyber Security Hearing, supra note 27.
[31] Id.
[32] Id.
[33] Id.
[34] Id.