Terry Halvorsen is preparing for the inevitable — what he refers to as a “ripple in the force.” The chief information officer for the Defense Department is steeling himself for the fear and discontent that will come from the department’s planned new policy on passwords.
“We have to kill passwords. Just kill ’em,” Halvorsen said, speaking last month at the Defensive Cyber Operations Symposium, sponsored by the Armed Forces Communications and Electronics Association. “For too long we’ve been too easy with the waivers,” he said, referring to allowing organizations to continue operating systems with password-only protections in place. “So, we’re putting in some new waiver authority that will go through [NSA and U.S. Cyber Command] and then to me for a review of the resource impacts. That will be the waiver chain.”
In the wake of the data breach at the Office of Personnel Management, which may have compromised personnel and security clearance information on as many as 18 million federal workers, senior federal IT officials have launched new efforts to review the use of passwords, two-factor authentication mechanisms and encryption — particularly encrypting data at rest. But the lack of progress in these areas over the last several years has been astonishing and can be attributed to a range of challenges, from outdated infrastructure, cultural biases and interagency distrust, and lack of technical expertise to make encryption work to the age-old problem of dwindling budgets.
“We’re asking people to store too much data. And this is where I have a problem with the security field,” Halvorsen said. “We’re going to write [policies that say] ‘if you’re going to keep passwords you can’t put them anywhere.’ Well, that’s stupid. There are some good places to put your passwords. If you have a completely encrypted data-at-rest Blackberry, why not? We have to get a little smarter on the policy here. Get to two factor, whether it’s a PIN, biometrics or a token — we’ve got to get rid of passwords.”
The OPM breach, which may go down as one of the worst data compromises in government history, led U.S. CIO Tony Scott to order a 30-day cybersecurity sprint, during which agencies must tighten policies for privileged users, patch critical vulnerabilities and deploy multifactor authentication, such as personal identity verification cards.
But one thing that isn’t part of Scott’s 30-day sprint is encryption. FedScoop talked to many experts who believe encrypting data at rest is not only critical to protecting the wealth of information the government stores but is also technologically possible even with the government’s outdated IT infrastructure.
Encryption will play a fundamental role in the future, said Richard McKinney, CIO at the Transportation Department. There is no reason government should not be encrypting data at rest, McKinney said in an exclusive interview with FedScoop. “I think our approach to this is rapidly maturing. To break into a server that stores encrypted data is to have nothing. I think the tools to remedy this are right at our fingertips. We just need to act.”
A security services director at a major government IT services provider, who spoke to FedScoop on background, said there is no reason he is aware of that would prevent more government agencies from encrypting data at rest. He added that encrypting data at rest would be part of any new cloud solution his company would recommend to the government, especially for sensitive information.
Richard Marshall, a former associate general counsel at the National Security Agency and the former director of global cybersecurity management at the Department of Homeland Security, said there are often cultural roadblocks at agencies that kill the encryption discussion.
“There was tremendous reluctance at senior government levels, which is staffed by political appointees, and they are afraid of NSA,” Marshall said. “They’re more concerned about the NSA listening to their communications than the Chinese and the Russians. When pressed against the wall to encrypt data, there’s this institutional fear of military-grade encryption. It’s viewed as too difficult to manage, when you put it on a cloud the data is too difficult to retrieve, and it becomes difficult to share that information with other third parties.”
“It’s astounding to me that more private and government entities don’t use encryption,” he said. Even when it comes to the government’s legacy system install base, “it is not too difficult,” according to Marshall, who is on the board of a company that develops micro-encryption that is used widely throughout the financial sector. “To say that we can’t encrypt data at rest is bogus. The problem is ignorance and arrogance.”
Howard Schmidt, the former chief cybersecurity adviser to presidents Barack Obama and George W. Bush, said he regularly asks IT managers if their critical data is encrypted. “And I get the standard look, ‘Oh, what’s encryption?’ Or somebody says, ‘No, encryption is too difficult, we don’t have the CPU cycles, we don’t have the bandwidth.’ And it goes on and on and on,” Schmidt said. “But I know all of that is bunk. If you want to do risk management make sure you have data that is encrypted.”
Convincing Tony Scott
Tony Scott is certainly not a government bureaucrat. The U.S. CIO has been on the job less than six months. But he remains skeptical of the government’s ability to leverage encryption anytime soon for data at rest — particularly in the many legacy and mainframe environments that still exist in federal data centers and agencies.
“The easy thing to do is say, ‘well, if we just encrypt the data, all our problems would be solved.’ And it turns out, in reality, that’s not the case,” Scott said, in an exclusive interview with FedScoop last month at the Brocade Federal Forum in Washington, D.C. “Anyone with access to the application or system administrator privileges, that data gets unencrypted for that user and it doesn’t really help you much. The other sort of unspoken problem is that in the federal government, there was a trend for a long time to take operating systems and customize them very, very heavily to the point where you couldn’t take patches or upgrades, and couldn’t take advantage of some of the newer modern technologies. In essence, you were frozen in time wherever you were, and then that locked you out of being able to do a lot of things.”
Because of past decisions, particularly in the mainframe environment, the government is often “locked in place with an operating system or disk technology or other kinds of things that either make it impossible or make it hard to actually encrypt the information,” Scott said. “The better answer for us long term is instead of pouring money down old sinkholes, is to take that money and invest it in new modern architecture.”