Government IT Leaders Wrestle With Security Risks

Charles McClam, deputy CIO at the Department of Agriculture, said that mission-critical applications in his organization are housed in data centers around the country, and the employees responsible for keeping them secure are considered exempted personnel, meaning that they would continue to work even in the event of a government shutdown.

"At this juncture I don't see anything that's going to be problematic [with] enterprise security," McClam said here at a government IT conference.

Naeem Musa, CISO at the Federal Energy Regulation Commission, said that his agency contracts much of its security and monitoring activities out to vendors in the private sector, which would be unaffected by a shutdown.

[Related: Federal Government's Big Data Efforts Lagging]

Congress has until the end of the month to approve legislation to keep the government running, though its ability to do so in that time frame is in serious doubt. As of this afternoon, the Senate appeared poised to pass a temporary spending bill, stripping out language to defund President Obama's health care reform bill that had been included in a measure passed by the House. But Republican leaders have signaled that they are unlikely to accept any bill the Senate passes without making their own changes, which could run out the clock on the month-end deadline, the Washington Post reported.

Federal Big Data Initiatives Bring Big Security Challenges

But even if federal IT managers don't see a great threat to their systems' security from a potential government shutdown, they still have plenty to keep them up at night. At Thursday's conference, officials described the security challenges that accompany big data initiatives, even as the government is trying to make more of its data sets publicly available rather than keeping them locked inside the federal firewall.

[Related: 'Big Security' a Natural, Necessary Extension of Big Data]

"Securing the data, even if it's public, it's open, you still have to protect the integrity of that data, make sure the data has not been changed and whatever you serve out there is accurate to the public," Musa said.

If anything, the drive toward open data might create additional security challenges as agencies understand that they can no longer simply apply a one-size-fits-all policy that sets closed as the default setting for their data assets. That means that they must adopt more nuanced security policies tailored to the nature of each data set, and yet still have some overarching protections as those assets become linked.

Kevin Charest, CISO at the Department of Health and Human Services, described the "war" that pits "the desire to share, the desire to bring these data sets together, against the responsibility that's associated."

[Related: Government Networks Unprepared for Cloud, Big Data Transitions]

"One of the challenges of bringing big data sets into one place is you inherit the insecurity of all. So you create almost like a shopping place for a would-be bad actor if you're not careful," he said. "So you have to balance that desire for openness, desire for collaboration, the willingness to move in new space with rationality of securing that data."

Security Challenges Come Quickly and Government Lacks Agility

The federal government is not known for its agility in adapting to new technologies, a condition that traces to its vast size, organizational culture and the rules surrounding new procurements and system deployments, among other factors. Small wonder then that federal officials see partnerships with private-sector firms as a critical element in improving the government's cybersecurity posture.

Count among those Agriculture's McClam, who challenged the IT vendors in the room at Thursday's conference to organize a formal, recurring confab that would bring together leaders in the public and private sectors to compare notes on evolving security trends.

"Technology evolves very, very fast," McClam said. "Look at ways to come up with some kind of semiannual forum, cybersecurity forum, where you have senior leadership of the various federal agencies as well as the leadership of the industry, our industry partners, coming together so we can stay apprised and stay on top of emerging security solutions, emerging security threats."

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com. Follow Kenneth on Twitter @kecorb. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.

Read more about government in CIO's Government Drilldown.

Join the CSO newsletter!

Error: Please check your email address.

Tags Government ITfederal ITManagement Topics | Governmentbusinessbig datagovernmentopen data initiativesManagement TopicsBig Data SecuritycongresssecurityCongress budget deal

More about Department of Agriculture, Fisheries and ForestryDepartment of HealthFacebookFederal GovernmentGoogleTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kenneth Corbin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place