The Government Fails Again to Protect Sensitive Information
While most people were watching the debate over the NSA’s “metadata” collection program, a potentially more serious event occurred. Under the rules of metadata, personal information, including the contents of phone calls, is inaccessible; only the general outlines of phone numbers and duration are available. That, one might say, is bad enough – and U.S. courts, backed by Congress, agreed.
But the personal information of approximately four million Federal employees was compromised in April as a result of someone hacking into the database of the Office of Personnel Management (OPM). It was the second major hack of U.S. government networks in the past few months. Russia is believed to be behind a breach of State Department e-mail, and China is thought to be behind this one. A third breach, at the IRS, was caused by weak authentication that resulted in unauthorized people accessing the system and stealing taxpayers’ records; but again, personal information was compromised.
In an extremely odd response to 4 million stolen records, agency heads expressed satisfaction that they had at least discovered the breach after the fact. This is the equivalent of then-Attorney General Janet Napolitano telling ABC News after “Underwear Bomber” Farouk Mutallab had been prevented by passengers from setting off his bomb, “Once the incident occurred, the system worked.”
That is not good enough. The U.S. government has again failed to protect sensitive personal information.
Whether it is health records, tax returns, social security numbers, or personnel files, the government simply does not have a strategy to deal with mega-theft from its own databases. Why not?
The U.S. government, like most of its counterparts around the world, distinguishes between classified and unclassified information.
When it comes to classified information, there are strict protocols about who has access to the information and how the information is protected. Encryption is a major resource in that protection. While it doesn’t prevent files from being stolen, and there is no protection if intruders destroy files, encrypted data is generally thought to be secure because the intruders cannot see what is inside the stolen files. On the whole, the government is thought to have pretty good encryption tools.
So far, so good, but the government also thinks in terms of boxes. There is a “classified” box and there is an “all the rest” box. In that second box is all the personal information the government holds on millions of Americans. It is that -- which NSA does NOT get --which Chinese hackers took.
A great deal of sensitive information is not classified. Sometimes it is called Sensitive But Unclassified (SBU), and sometimes it is called Law Enforcement Sensitive (LES), which covers criminal investigations. Other times it is marked For Government Use Only (FOUO). And in still other cases, unclassified information is called Controlled Unclassified Information (CUI), a designation put in place by the George W. Bush administration. But no matter what it is called, it does not have the protections applied to classified information, either for access or for visibility.
Today more than 90% of data in the hands of government agencies falls into the category of unclassified information. That includes just about every category of government files, even including information on weapons. Even worse, neither NSA nor anyone else appears to actually have the mission of protecting unclassified information.
Rather than exercising heavy classification -- which in most cases would be inappropriate -- the protection of file encryption could be used to safeguard most data. Using encryption implies a management scheme that does the following:
- Encrypts data
- Determines allowed access
- Protects the storage environment
Encrypting data is easy. Setting up a scheme to regulate who has access is rather more difficult because it involves -- or should involve -- some form of compartmentalization that limits access on a “need to know” basis. When you have an effective and monitored access control system based on “need to know,” the risk of insider threat or compromise of access and authentication is reduced, and if there is a breach the damage can be contained.
OPM did not encrypt data or have any access control system of any value in place to protect the full data set from compromise.
Finally the storage environment needs to be safeguarded. This is important because when encrypted data is legitimately accessed it must be decrypted and displayed on computers or mobile devices. At that point, the information is vulnerable to compromise. A well-designed storage environment takes steps to control the display of information and keeps a tight audit over the exposure of data within the system. It is clear by the number of compromising incidents that the IRS, the Social Security Administration, the Department of Homeland Security, OPM, and, most likely, DOD, do not have protected storage or fraud detection capabilities. Credit card companies now look for unusual behavior to detect potential fraud. What is it that they know that that government doesn’t about using these techniques to head off data breaches? There is still credit card fraud, but one would expect the government to be no less good than VISA or AmEx, and maybe better.
Since the 1987 passage of the first Computer Security Act, the U.S. government has been charged with improving information security. Yet the results are abysmal simply because the government has looked the other way when it comes to protecting SBU information. In a step forward this week, the White House announced that web site connections are required to to be encrypted by the end of 2016 using the secure connection capability built into web browsers. This will provide some protection against over-the-air interception, it does nothing to protect the data stored by government agencies – which remains completely at risk.
If the American people are going to trust their government – a very tall order these days – the government has an obligation to protect the privacy of citizen information with which it is entrusted, even as the debate continues about what and how much information the government should have.
Stephen D. Bryen is President of SDB Partners, and Shoshana Bryen is Senior Director of The Jewish Policy Center.