Feds face challenge of balancing data access and security

Government agencies wrestle with security issues as they work to share info more broadly

The U.S. government's reputation for protecting data has been hurt by a parade of bad headlines about spies, stolen laptops and, most recently, some Department of State contract workers snooping into passport files.

But the inability of intelligence agencies to share data that might have helped them detect the events that led up to the 9/11 terrorist attacks may have been the government's biggest information failure ever. And balancing data accessibility and security has become a big challenge for federal agencies in the post-9/11 era.

Charles Allen, assistant secretary of the Office of Intelligence and Analysis within the Department of Homeland Security, said last September that making vital information more readily available to authorized users is "at the heart of efforts to prevent another 9/11," according to the transcript of a meeting held that month by a data privacy and integrity advisory committee at the DHS.

But improving data-sharing remains a work in progress at many agencies. For instance, the Department of Defense wants to create an enterprisewide view of data with the flexibility to put information into the hands of an "unanticipated user," said Lloyd Thrower, director of strategic planning and transformation in the DOD CIO's office.

By "unanticipated user," he means a person or department not originally expected to need a certain piece of data — an Army unit that wants to use a satellite photo taken by the Air Force, for example. To make information available broadly but securely, the DOD needs to ensure that data is tagged appropriately and that user authorization criteria are attached to it, Thrower said. Credentials encoded in ID cards then can determine whether users are allowed to access information.

But the unauthorized access into the passport records of presidential candidates Hillary Clinton, John McCain and Barack Obama illustrates what can go wrong. The State Department uses a monitoring system that alerts administrators whenever flagged passport files are accessed, but that sort of after-the-fact security system won't work with highly sensitive defense and intelligence data that could be a matter of life or death.

Making data broadly visible "doesn't mean that everybody is going to get a hold of it," Thrower said. "It just means that anybody can determine that there is this type of information in existence." He added that individual units within the DOD will still be able to "maintain exactly the same control" in determining what level of access is proper for their data as they have all along.

Nonetheless, like private-sector businesses trying to guard their systems against possible rogue insiders, the DOD and other federal agencies face a major cultural issue: can users be trusted to do the right thing?

Lucian Russell, a consultant at Expert Reasoning & Decisions LLC, said that agencies are typically inclined to limit data access in order to "reduce the risk to zero. It's sort of like the mentality of the Cold War."

But even that may not be fail-safe. The passport-files breach was a case of misplaced trust in workers, not a technology failure. And take the case of that Air Force satellite photo. "How do I make sure that a person requesting it isn't being held by gunpoint out in the field?" Russell said. "These are the kinds of questions that come up."

Matt Newman, who teaches enterprise architecture and other IT-related classes at the National Defense University, said that opening up data and making it more transparent is a huge change for government agencies, because access to information traditionally has been equated with power. But the opposite is true for the government as a whole, Newman added. "If you share the information, you can be more powerful," he said.

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon