Sunday, October 19, 2008

Weaknesses in Government Systems

According to this report (via), the IRS deployed two major software systems, its Customer Account Data Engine (CADE) and its Account Management Services (AMS) system, despite the existence of "known security vulnerabilities relating to the protection of sensitive data, system access, monitoring of system access, and disaster recovery." Obviously, this is a problem. Indeed, given some of the vulnerabilities noted in the Computer World article summarizing the report (e.g., failure to encrypt data either in storage or in transit), the IRS systems wouldn't even pass the private sector PCI Data Security Standard, let alone government-imposed standards such as those in HIPAA.

The interesting part of the report, though, is not that the IRS deployed systems with flaws. Frankly, while that part may be depressing, similar mistakes take place in both the public and private spheres frequently enough that the existence of one more flawed system doesn't really raise my attention. What interests me about the report is that it shows the limits on what you can do with regulation. The IRS has specific guidelines and requirements for handling data that, in theory, should have prevented the deployment of systems with known vulnerabilities. Moreover, as the report noted, the IRS had implemented development policies which "require security and privacy safeguards to be planned for and designed in the early phases of a system’s development life" - something that many private sector businesses would benefit from doing. The problem was that the IRS' cybersecurity organization knew about the vulnerabilities and accepted them anyway - in other words, it decided to save money by skimping on security for taxpayer information. With that kind of culture (which I find a bit surprising in government), it's not likely that an organization will have good security, regardless of how heavily regulated it is.

So how do you create a security-conscious culture? The easy answer is feedback. Make sure that there are rewards for doing things right, penalties for doing things wrong, and that the rewards and penalties (as well as what counts as right and wrong) are well known. Unfortunately, that easy answer is only easy in theory. In practice it's really hard to implement, and it involves things like keeping open lines of communication, making sure decision makers pay attention to security even though it doesn't contribute directly to the bottom line, and educating people about what resources are available in an organization to provide decision support on security issues. While it seems that there is a slow change underway from a culture where consumer data is treated only as something to be valued, to a culture where it's viewed as something to be protected, that change is very slow indeed. Before the change is complete, I think there will be many more reports revealing that large entities (both public and private) have undervalued securing consumer data.


John Taylor said...

Good article, William! Like you, I am curious as to the decision (and I believe it was a conscious decision) to not include the necessary security features of its new juggernaut of a program. As with all government programming projects, this was outsourced to a private contractor for development. I wonder if the decision was made simply for cost cutting reasons, or if the contractor dragged its heels on the "hard bits" and, due to deadline considerations, the IRS caved? Whatever the reasons, it is a classic demonstration of the leaky boat of regulation and enforcement. With something like this in place at a government agency, will the feds be able to pursue cases against private database leaks citing the laws?

William Morriss said...

While incidents like this might make the federal government look hypocritical when it goes after private companies for security flaws, I doubt they will have much effect on enforcement. For example, when the Federal Government went after Choicepoint, they did it based on the FTC Act's prohibition on deceptive and unfair trade practices. Regardless of whether the federal government can keep its house in order, a deceptive practice is still a deceptive practice (though, of course, the specific defenses available would depend on the charges brought and the facts of a particular situation).