In-brief: Plagued by cyber criminal and state actors and under scrutiny by privacy and civil rights advocates, the near future does not look bright for Federal, state and local government IT.
Plagued by cyber criminals, hampered by budget constraints and under scrutiny by privacy and civil rights advocates, Federal, state and local governments face dire challenges in the very near future for which they are ill prepared.
That, according to a panel of security and privacy experts speaking at the RSA Conference in San Francisco on Wednesday.
Government agencies at all levels are sitting atop massive collections of data, gathered by mandate or just habit. But many government agencies have only a cursory understanding of what data they are collecting and where it is stored, said Flint Waters, the Chief Information Officer for the State of Wyoming.
“A lot of what states collect they are compelled to collect,” said Waters. “It’s massive and (IT departments) are having a tough time wrapping their heads around all that they keep and why.”
Waters was speaking as part of a panel discussion, “Government in the Crossfire: Data Privacy in the Era of Growing Cyberthreats” moderated by Security Ledger. He was joined by J.R. Reagan, the Chief Information Security Officer at Deloitte and Lee Tien, a Staff Attorney at The Electronic Frontier Foundation (EFF).
Tien said that there are few rules governing data retention by governments. That is being compounded by the explosion of technology-fueled data collection at the state and local level, with technology like license plate scanning, automated toll collection, smart metering and more.
“In California, we asked ‘why are you holding so much trip data related to FasTrak,” he said referring to the California electronic toll collection system. “They said ‘just in case.'” The EFF has advocated for California and other states to institute automated data destruction policies, but such proposals have met with resistance. “What we’re seeing in California is a strong desire to keep as much data as possible,” Tien said.
All that data makes government agencies a rich target for hackers – both cyber criminals and nation-backed actors, the panel agreed. Waters said that ransomware attacks were a serious and growing problem, especially at the local level. At least three local government agencies, including law enforcement, had suffered ransomware infections in recent months, he said. “You have massive amounts of data that citizens have been compelled to have taken from them,” he said. “It’s a huge, target rich environment for nefarious acts, blackmail – it runs the gamut,” Waters said.
The wholesale collection of data combines with weak information security practices and strained budgets in ways that make both security and privacy sore points for government agencies.
Both Tien and Waters noted the use of commercial license plate scanners by law enforcement agencies. The scanners help police officers identify cars whose owners have outstanding warrants in public. But the scanned plates and owner information is also passed on to commercial vendors who contract with car “repo” firms (among others).
The increasing partnership between private technology vendors and public agencies is a slippery slope, Waters said.
“You’re correlating (scans) with law enforcement databases containing records of who owns cars,” he noted. “That’s a partnership of the type that we have not previously seen.”
Reagan of Deloitte said that discussions of government data, privacy and security get even more complicated when the conversations encompass what other nations are doing. The EU and its member nations, for example, typically have more strict privacy laws than exist in the United States, designating information like an IP Address as protected, personally identifiable information.
“There are real cultural differences and different levels of strictness about what they want to protect and how,” Reagan said. “There’s a seriousness about (privacy) that we don’t have in America,” he said. “We can’t just put an American lens on it.”
Reagan said there was hope for a way to bridge both privacy and security concerns: allowing governments to both collect data, benefit from analyzing it, but preventing it from being used to harm citizens. He cited research at MIT into using Blockchain technology to uniquely identify pieces of data but also make it untraceable as one possible solution.
Waters said legislators in Wyoming were working on legislation to clarify data retention laws around artifacts like police body cameras, license plate scans, video footage from crime scenes and so on. “We are trying to set privacy as a core tenet.” And that, in turn, may limit the scale of any cyber intrusion that might occur, he said.
Prescriptions for fixes were easy enough to come up with. Panelists advocated variously for better funding of information technology and information security within government, better information sharing, and legislation to give guidance to agencies about what kind of data to collect and how to secure it. Reagan said more cross-border cooperation is needed to harmonize laws and privacy protections and to simplify enforcement.
But none of the panelists saw easy solutions, especially given the gap between the lightening fast pace of technology development and the more ponderous pace at which government works.
“I don’t see any solutions anytime soon other than for all sides to appreciate that there are real issues and real problems,” said Tien. “Right now denial is the step that we’re at.”