The changing cyber landscape and the increasing amounts of data that need protection create a series of spinning plates that the federal government must constantly work to balance.
One agency that knows this all too well is the Internal Revenue Service. The IRS keeps track of hundreds of millions of taxpayer information files, sends that information securely to a variety of recipients when directed by taxpayers, and watches for any sign of fraud when that data is requested and received.
“One of the key parts is what is that data going to be used for,” said Nitin Naik, IT technical director for strategic planning at the IRS, during a May 10 CA Technologies Government Summit in Washington. “I think this is sort of the balancing act between what I would say is your regular use of the internet — say Facebook, LinkedIn, Twitter, any of these. The more data you put out, great, people comment on it, people like it, people make whatever remarks on it. But then the other side of it, there’s certain pieces of data you want to be careful about, because that data is helpful in understanding you, identifying you, and if you have out too much in the open then there’s no way for the entity on the other end of that communication channel to know that you are you.”
“One of the key things in the federal government … is data is the primary thing that you are trying to protect,” Naik added. “Now protecting the data, you have to protect your systems, you have to protect your networks and you have to protect even your buildings to make sure the wrong people don’t get in.”
Making sure those systems and data are protected shows how, in the past few decades, computer security has transformed into data privacy, said Jeff Voas, a National Institute of Standards and Technology (NIST) computer scientist.
“Is cybersecurity now a data challenge, because it’s certainly a challenge within the [internet of things] world,” Voas said. “Has security become more of a data problem, maybe a privacy problem? And maybe all the old days of what we used to think about confidentiality, integrity, availability … all that stuff, is that stuff kind of out the window? That’s the transformation I see 20 years ago to where we’re at today.”
Innovation in areas such as IoT can be good, Naik said, but then the question is how does an agency mature to address protection and security in light of those new developments.
“That is the balancing act between service and security, or privacy,” Naik said.
Earlier this year, the IRS requested $12.3 billion for fiscal 2017, which would be spent in part on cybersecurity.
In April, IRS Commissioner John Koskinen testified on Capitol Hill that his agency’s goal was to have “the strongest possible authentication processes for our online services while maintaining the ability of taxpayers to access their data and use IRS services online.”
Naik echoed that notion of a balancing act at the summit. He said that security is a “continuous activity” and not one in which you simply build a system and the job is done.
“Security is now everyone’s business and it is a continuous improvement,” he said.
The IRS tracks tax returns and payments, Naik said, and works to prevent someone from fraudulently filing on your behalf. When a data breach occurs at a corporation like Target or Home Depot, the IRS starts watching to see if and when attempts are made to steal tax information.
The proliferation of smart phones has helped confirm users are who they say they are, Naik said, but there are still a lot of moving parts in securing and sharing information.
“My day to day job is basically making sure when we design systems, when we operate systems from a security standpoint we have the appropriate security controls,” Naik said. “One of the biggest issues at the IRS is personally identifiable information. [Making sure] all your tax information is protected at all times and making sure when we provide any services, whether it is to citizens or to other entities who need that information for whatever reason, it is given to them in a secure manner. Making sure that the access is appropriately monitored, controlled and then we provide the data in the right manner so that we don’t have exposure of your tax data.”
Naik added that the IRS is always looking for ways to continuously improve its security and data storage, but when it comes to the cloud, the agency is “not confident in the risk side.”
Naik said the IRS was tracking developments in data encryption and “data encryption in motion” within the technology, but performance had left the agency “still hesitant to go to the cloud.”