NEWS + ADVICE
Internal Security Risks Highlight the Need for Improving Federal Cyber Security Infrastructure
In the present digital age with increasing national security risks posed by unauthorized persons around the world, creating a system that adequately protects individual and national security risks should be a paramount concern of the government. As recent events have shown, the danger of security breaches is not limited to outside hackers and nations trying to infiltrate the government’s systems. Such danger is also found in the government’s failure to take serious internal security risks. Risk exposure is highlighted by the failure to implement a secure cyber security infrastructure.
Federal agencies have significant weaknesses in information security systems that threaten the confidentiality, protection, and integrity of agency operations. The magnitude of the information stored in federal government databases and information systems is significant. In addition to classified information, the government stores private information on millions of Americans. The government has a responsibility to guard and protect information it gathers and creates.
In fiscal year 2014, the GAO reported 17 of 24 major federal agencies indicated that inadequate information security controls contained either material weaknesses or significant deficiencies. Agencies with high-impact systems reported to the GAO that cyber attacks from other countries are a frequently-occurring and serious threat to their systems. These agencies also responded that e-mail attacks were the most serious and frequent attacks. GAO found 11 of the 18 agencies reported 2,267 incidents affecting their information security systems, with almost 500 of the incidents involving the installation of malicious code.
While many of these incidents do not make headlines, recently there have been several security events highlighting the vulnerability of the government’s system—particularly internal deficiencies leading to the security breaches.
The recently reported NSA hack of leaked NSA software, including hacking tools and malware and attack codes, is widely reported to be from an insider. Hacking of the NSA also brings to mind Edward Snowden, the former CIA employee and government contractor, who leaked NSA classified information on the agency’s global surveillance programs. Additionally, the massive data hack of OPM resulting in the breach of information on former and current federal employees is estimated to have impacted 4 million up to 21.5 million individuals. The severity of the breach was amplified by OPM failing to encrypt the social security numbers of records stored due in part to the agency’s antiquated systems.
Receiving a lot of attention concerning the government’s internal protection of sensitive information is the FBI’s investigation of Democratic presidential candidate Hillary Clinton’s email practices while Secretary of State. The FBI’s investigation of Clinton’s emails revealed that 110 e-mails in 52 e-mail chains contained classified information at the time they were sent or received. Additionally, around 2,000 of Clinton’s e-mails, while not classified at the time sent, were later “up-classified” to make them confidential. Clinton’s practice of sending official communications through a private server created exposure to national security risks that could have been prevented. Her handling of the private server is just one example of the continuing challenges for the Department of State and other agencies going forward to better protect sensitive information.
The government’s information system controls should be reviewed to address breach prevention, breach detection, and mitigation of consequences. Accountability on checks to government personnel accessing sensitive information, providing a framework for ensuring that security risks are understood by all government personnel, and the selection and implementation of effective security controls to create a stronger infrastructure and limit the risk exposure will allow the government to help protect individual information as well as information necessary for the safety and well-being of the country.
Caroline Leary is a senior associate at The Federal Practice Group Worldwide Service focusing in the areas of federal litigation, appellate law and security clearance.
Chris Graham is Of Counsel with The Federal Practice Group Worldwide Service. Prior to joining The Federal Practice Group he served as an Administrative Judge (AJ) at the Defense Office of Hearings & Appeals (DOHA), where he conducted in-person hearings, evaluated evidence and testimony and issued decisions on the revocation or denial of government level security clearances, including secret, top secret, and top secret/SCI, granted by the Department of Defense and 31 other agencies.
This entry was posted on Friday, September 09, 2016 6:19 pm