Open Government Could Lead to Data Leaks

Experts say standards are needed to avoid exposure of sensitive information.

Without new data classification and other governmentwide standards, the Obama administration's push to make information more accessible could lead to the inadvertent exposure of sensitive data, according to security experts.

The warning comes in the wake of last month's accidental posting of a document on the U.S. Government Printing Office (GPO) Web site that listed all U.S. civilian nuclear sites along with descriptions of their assets and activities.

The 267-page document was part of a federal government report being prepared for the United Nations' International Atomic Energy Agency (IAEA).

The document had been categorized as "sensitive but unclassified" -- or SBU -- a government designation that usually includes at least some controls over disclosure. A large number of government documents fall under the SBU category.

Meanwhile, President Barack Obama is looking to fulfill a campaign pledge by pushing federal agencies to make government data more easily accessible to the public.

Earlier this month, federal CIO Vivek Kundra announced plans to quickly make more than 100,000 data sources available to the public on the government's Web site.

"The federal government is trying to push out more data, but they need to make sure ... that [sensitive] data isn't pushed out to places where it shouldn't be," said John Pescatore, an analyst at Gartner Inc. "There still is such a thing as 'need to know.'"

"Openness is a wonderful thing, so long as you have checks and balances to see that it doesn't become too open," said Ken Silva, chief technology officer at VeriSign Inc. and a former executive technical director at the U.S. National Security Agency.

When data previously available from a few hundred government sources suddenly starts becoming available via thousands of Web sites -- including widely used social networks like Facebook and MySpace -- there need to be controls in place to protect against inadvertent leaks, Silva added.

Karen Evans, formerly de facto CIO of the federal government as administrator of the Office of Electronic Government and Information Technology at the Office of Management and Budget, suggested that the sensitive data on U.S. nuclear sites was probably posted because the GPO had a different process for handling SBU documents than the IAEA.

Evans noted that there is little consistency in the way the various federal agencies handle SBU data. Each has its own process for defining, labeling and protecting such information, she said.

In fact, there are some 107 unique markings and more than 130 different handling processes and procedures for SBU information among U.S. government agencies, Evans added.

Such differences are likely to cause more unexpected problems as agencies move to share more information among themselves and with the public.

A 90-day review of rules for classifying, declassifying and maintaining national security information at federal agencies could help mitigate some of the problems, though analysts said it's unclear whether the review will cover SBU issues.

The review was ordered by President Barack Obama late last month.

According to analysts, Obama's push for government agencies to make their data accessible through Web 2.0 tools like mainstream social networks makes accidental exposure of sensitive data even more likely.

Pescatore noted that government agencies with a presence on social networking sites run a higher risk of their data being compromised than those that don't participate in social networks. Therefore, every agency should deploy filtering tools that can block malicious executables coming in from Web sites, he said.

To guard against Web 2.0 leaks, Gartner recommends that government sites use "brand monitoring services to continually monitor social networking sites to see what information shows up," Pescatore said.

Data leak prevention tools should also be used to monitor outbound traffic to detect whether personally identifiable information and other sensitive data is accidentally going out, he added.
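The control described in the last two paragraphs, inconsistent SBU markings on one side and outbound monitoring for sensitive data on the other, can be approximated with a pre-publication gate. The following is an added example, not code from the article, from Gartner or from any agency: it scans a document before release for a small, constructed set of SBU-style control markings and for Social Security number patterns, and blocks release on any hit. The marking list, the SSN pattern and the sample documents are assumptions for illustration; a real deployment would load the agency's actual marking scheme and additional PII detectors.

```python
import re
from dataclasses import dataclass

# Constructed list of SBU-style markings. The article notes that agencies use
# roughly 107 distinct markings; these four are illustrative, not a complete
# or authoritative list.
SBU_MARKINGS = (
    "SENSITIVE BUT UNCLASSIFIED",
    "SBU",
    "FOR OFFICIAL USE ONLY",
    "FOUO",
)
MARKING_RE = re.compile(
    r"\b(" + "|".join(re.escape(m) for m in SBU_MARKINGS) + r")\b", re.IGNORECASE
)

# U.S. Social Security number pattern, excluding area/group/serial values that
# are never issued, as one example of personally identifiable information.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "marking" or "pii"
    detail: str    # what matched (PII is masked)
    excerpt: str   # the offending line, for the reviewer


def scan_document(text: str) -> list[Finding]:
    """Return every control marking and SSN-shaped value found, with line numbers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in MARKING_RE.finditer(line):
            findings.append(Finding(line_no, "marking", m.group(1).upper(), line.strip()))
        for m in SSN_RE.finditer(line):
            # Mask all but the last four digits so the report itself does not leak.
            masked = "***-**-" + m.group(0)[-4:]
            findings.append(Finding(line_no, "pii", masked, "<redacted>"))
    return findings


def release_decision(text: str) -> tuple[str, list[Finding]]:
    """Gate a document before publication: any finding blocks release."""
    findings = scan_document(text)
    return ("BLOCK" if findings else "RELEASE"), findings


# Constructed sample documents, not real government records.
SAMPLE_SBU_DOC = """\
SENSITIVE BUT UNCLASSIFIED
Site inventory (draft for agency review)
Facility A - research reactor, 2 MW
Contact: J. Doe, SSN 123-45-6789
"""

SAMPLE_PUBLIC_DOC = """\
Public dataset: average weekly rainfall by county, 2008
County A, 1.2 in
County B, 0.9 in
"""

if __name__ == "__main__":
    for name, doc in (("sbu", SAMPLE_SBU_DOC), ("public", SAMPLE_PUBLIC_DOC)):
        decision, findings = release_decision(doc)
        print(f"{name}: {decision}")
        for f in findings:
            print(f"  line {f.line_no}: {f.kind} {f.detail}")
```

The gate is deliberately strict: a marking anywhere in the file blocks the whole file rather than a single page, which matches how a publishing office would have caught a 267-page SBU report before it went on a public site. Mapping every agency's own markings into one list is the standards work the article says is missing; the scanner only enforces whatever list it is given.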

Copyright © 2009 IDG Communications, Inc.
