Left wide open: Encryption and the public sector
By now it should go without saying that government needs to do a better job of protecting sensitive data — a call to action that was outlined in the first Federal Cybersecurity Workforce Strategy earlier this month. The 2015 data breach at the Office of Personnel Management, in which records of 21.5 million Americans were leaked, was a clear wake-up call. But according to the consumer advocacy nonprofit Privacy Rights Clearinghouse, there were seven new data breaches involving government agencies reported in the first half of 2016 alone.
One measure that’s gaining increasing interest is the broader application of cryptography in government systems. Had the agencies involved in recent breaches been using end-to-end encryption, their data likely would have remained secure — not to mention they would have been spared the embarrassment of disclosing the incident publicly.
So why isn’t cryptography more of a hot-button issue for government IT?
The problem, unfortunately, is that getting encryption right has always been easier said than done, and for the most part that still holds true today. It’s not that encryption technology hasn’t improved over the years; it’s that the modern IT landscape has evolved, too.
21st century challenges
Today’s online world is 24/7 — and that’s as true for government as it is for the private sector. Gone are the days when an institution’s day is done when the last employee leaves the building. As government increasingly turns to information systems to engage the public and automate key processes, those systems are expected to be available around the clock.
Naturally, that becomes a problem when it comes to implementing encryption on in-place systems. There may be many terabytes or even petabytes of data that need to be secured. Encrypting all of that data while ensuring that it remains available throughout the process can be a tricky business that takes careful planning and can also be costly – for example, if it means maintaining multiple, redundant systems.
Further complicating matters, today’s IT environments look significantly different than they did when the first encryption products entered the market, decades ago. Where at one time IT organizations typically maintained all of their own data center infrastructure, today cloud computing is the “new normal” — and while government still lags behind the private sector in this regard, a fire was lit with the Cloud First policy, which in 2011 mandated that federal agencies evaluate their technology sourcing strategies to consider all cloud computing options where appropriate. In addition, Cloud First amplified the Federal Risk and Authorization Management Program, or FedRAMP, which has created a strong framework for qualifying cloud systems using standardized security assessments and authorization guidelines.
What’s more, as cloud deployments mature, increasingly the best practice is to use multiple, redundant clouds as a further hedge against downtime or to extend information systems into new geographic regions.
This kind of complex, multicloud infrastructure can make end-to-end encryption challenging, particularly when it comes to transferring workloads between clouds. For example, Amazon Web Services and Microsoft Azure each offer their own in-cloud cryptography services, but they’re incompatible. You can’t simply lift data from AWS and move it to Azure without decrypting and re-encrypting.
For many IT organizations, key management is another important concern. Particularly for institutions that control sensitive government data, allowing a cloud service provider or other vendor to have access to encryption keys is likely to be a nonstarter. It may, in fact, be prohibited by law. Again, this can be difficult to manage in a multicloud environment, where encryption and key management policies may vary between vendors.
Protect or perish
By now it should be clear that implementing encryption across an entire organization is seldom a trivial matter, even today. It can take hard work — and simply getting that work done is often the final obstacle that sounds the death knell for many encryption projects. There are only so many cryptography experts to go around and most institutions lack in-house expertise. IT organizations, meanwhile, are often working on tight budgets and already being tasked with doing “more with less.”
But if government has so far had the luxury of writing off encryption as too costly or cumbersome to implement, that time may be fast coming to an end. The recent increase in digital espionage — including attacks carried out by nation-states — should be concerning for agencies at any level of government. According to the FBI, economic espionage alone costs the U.S. economy hundreds of billions of dollars per year, and data theft attempts by foreign competitors are steadily becoming more brazen.
At the same time, public awareness of issues around privacy and data security is increasing, and citizens are increasingly calling on businesses and government alike to take a more proactive role in securing information systems. In addition to federal laws covering specific industries, such as health care, 47 U.S. states have enacted laws requiring various levels of public disclosure in the event of a data breach. Organizations that operate nationally must be mindful of all of them, and where international data privacy laws apply — many of which are stricter than those in the U.S. — they create still further headaches.
Of course, setting the engine of government in motion is always difficult, and underfunded agencies almost certainly have long wish lists of budget items that will seem to take precedence over something like data encryption. Yet if government chooses to turn a blind eye to the issue of data security, it does so at its peril. The attacks against U.S. information systems are already highly sophisticated and becoming more so, and the time to begin taking a modern, mature approach to data security that includes encryption is now, across all levels of the public sector. The OPM data breach was an IT security catastrophe. Whose systems will be next?
Eric Chu is the president and co-founder of Mountain View, California-based cybersecurity company HyTrust.