GAO Probing Federal IT Security Programs - Interview with GAO's information security expert Gregory Wilshusen
Gregory Wilshusen's Words Influence U.S. IT Security Policy
Wilshusen is one of the most influential people in Washington when it comes to government information security. His reports help shape government policy and legislation to secure federal data and systems, and a key lawmaker has asked him and his staff to seek out private-sector best practices that could be applied to properly securing federal government IT.
ERIC CHABROW: What is GAO's role in helping Congress identify new ways to measure IT security?
GREGORY WILSHUSEN: One of the things I think has been proven over the years is the old adage: "What gets measured gets done." We have been requested by Sen. Tom Carper (chairman of the Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security) to look at the characteristics and attributes of performance measures and to look at how leading organizations, and these would be non-federal government organizations, develop and use metrics to guide and monitor their security activity. After we do that, we are looking at the federal government and the 24 CFO Act agencies and how they are using the metrics: what metrics they are using, how they develop them, and then how they use those metrics for reporting to Congress on the effectiveness of their information security programs.
We have commented on the metrics that OMB (Office of Management and Budget) has identified for agencies to comply with FISMA, as well as the effectiveness of their security programs, and what we have found is that the metrics agencies have been developing primarily relate to whether or not an agency has performed a particular control activity, but not necessarily how well or how effectively. And so we kind of have this dichotomy of measures, where agencies are reporting that they're increasingly performing all of these control activities but the IGs (inspectors general), GAO and others consistently identify serious weaknesses in their computer controls.
One of the things we are looking at with the metrics that are currently being used, which have been defined by OMB, is whether they should be changed and how effective they are at reporting on the effectiveness of security controls.
CHABROW: You said the GAO expects to issue its metrics report in June. What other work is the GAO conducting for Congress this session regarding information security?
WILSHUSEN: Chairman (Joseph) Lieberman, ranking member (Susan) Collins and Sen. Carper (of the Senate Committee on Homeland Security and Governmental Affairs) asked us to look at three of the initiatives that the federal government had started to help improve security. These include the Federal Desktop Core Configuration. I guess it was NSA (National Security Agency), Air Force and I think DISA (Defense Information Systems Agency) initially came up with a minimum set of security configurations for Windows systems, particularly the XP and Vista versions of Windows. That has now been adopted for government-wide use and so it is a mandatory thing, and it is a minimum security configuration for these Windows systems.
One of the great benefits of that, reportedly and purportedly, I should say, and this is one of the things that we will be looking at as part of our review, which we are just starting now, is that the security is already configured into the packages before they are presented and provided to the agency.
These operating systems come already in a relatively secure configuration, and one of the things that we have identified in our audits through the years is that many of the vulnerabilities are in fact caused because agencies don't implement and configure their operating systems very securely. So this has the potential, if effectively implemented and fully implemented across the federal government, to really cut down on the number of security vulnerabilities on federal systems. It has already been reported that, at least when the Air Force did that, they achieved a number of savings related to a reduction in the time it takes to install patches and some other activities. So that is one initiative that we will be looking at.
The other two include the Trusted Internet Connection Initiative. This is the one where the government is trying to reduce the number of Internet points of presence from an estimated thousand, I don't know if anybody has ever come up with the right number yet, but apparently it is between maybe 2,000 and 4,000 Internet connections, down to less than 100 or so. By reducing the Internet points of presence, that reduces the number of attack venues, if you will, that intruders could potentially exploit, and it should help the federal government to better protect those points of presence and those connection points on the Internet.
CHABROW: GAO also is examining Einstein. Please tell me about that initiative.
WILSHUSEN: The Einstein Initiative is a network monitoring capability that is run out of US-CERT, in which it will install equipment and software to monitor network traffic, I guess between the Internet and agencies' networks, and then monitor that and look for anomalous activity and collect a lot of information on that type of traffic.
For each of those three initiatives, we are to identify the goals and objectives of the initiatives, the extent to which they have been implemented at the agencies or to assess the plans for implementation at those agencies, and then to identify any lessons learned or challenges and the benefits associated with their implementation.
CHABROW: That's Gregory Wilshusen, director of information security issues for the GAO. For GovInfoSecurity.com, I'm Eric Chabrow.