“EPA’s deployment of a SIEM tool did not comply with Agency requirements for deploying IT investments.”
“EPA does not have a computer security log management policy that complies with federal requirements.”
“EPA did not follow up with staff to confirm that corrective actions were taken to address known information security weaknesses. … Office of Management and Budget Circular A-123, ‘Management Accountability and Control,’ states managers are responsible for taking timely and effective actions to correct identified deficiencies.”
— EPA, Office of Inspector General, “Improvements Needed in EPA’s Network Security Monitoring Program,” Report No. 12-P-0899, September 27, 2012
A report from EPA’s Office of Inspector General found serious deficiencies in EPA’s network security. These shortcoming raise concern about the integrity of agency data. Specifically, the report states that EPA’s Office of Environmental Information
“which is responsible for securing EPA’s network from internal and external exploits, has not developed a process to verify that known weaknesses have been addressed. As a result, known vulnerabilities remained unremediated and key steps to resolve those weaknesses remain unaddressed, which could leave EPA information exposed to unauthorized access.” [Emphasis added]
The Harms From Unauthorized Access to EPA Data
The possibility of unauthorized access to EPA information raises an array of concerns since EPA-held data includes various types of Confidential Business Information, scientific research data, environmental databases, agency plans for responding to “incidents of national significance” and other security-related matters, and environmental monitoring data used in regulatory enforcement actions. Thus, the dangers from unauthorized access to EPA data range from disclosure of sensitive business information to the alteration/manipulation of environmental data so as to trigger, or not trigger, an investigation or enforcement action.
EPA has been warned before about their security shortcomings. One section of the OIG report is titled, “EPA Did Not Address Recommendations From Internal Reviews.” The OIG found that EPA did not act on three separate analyses of the agency’s information security, including one by Carnegie Mellon’s Computer Emergency Response Team (CERT) Program and one by Booze Allen Hamilton that provided recommended steps for cyber security improvements. One of the Booze Allen recommendations noted by the OIG was that “EPA must adopt automated tools to achieve continuous monitoring for threats.”
It is worth noting that EPA’s continuous monitoring practices are at sharp variance with the Best Practice Principles developed by the Center for Regulatory Effectiveness (CRE). In its study of Information Security Continuous Monitoring Best Practices, CRE found that agencies need security professionals who are trained to take advantage of the capabilities of advanced software tools.
The OIG, however, found that EPA’s Technology and Information Security Staff “did not develop a structured training plan to use with the SIEM tool” and “Without a structured training curriculum, users’ needs are not being met and the continued use of the SIEM tool by EPA’s information security staff will be of limited value in performing information security activities.”
The importance of continuous monitoring to agency cybersecurity should not be underestimated. As the report succinctly states, “Continually monitoring network threats through intrusion detection and prevention systems and other mechanisms is essential.”
Information Security: A Data Quality Act Requirement
The Data Quality Act (DQA) sets quality standards for virtually all information disseminated by Executive Branch agencies. The Office of Management and Budget’s government-wide Information Quality Guidelines state, “Agencies are directed to develop information resources management procedures for reviewing and substantiating (by documentation or other means selected by the agency) the quality (including the objectivity, utility, and integrity) of information before it is disseminated.” [Emphasis added]
OMB’s binding guidelines define “integrity” as referring “to the security of information — protection of the information from unauthorized access or revision, to ensure that the information is not compromised through corruption or falsification.” The guidelines state that “agencies may rely on their implementation of the Federal Government’s computer security laws…to establish appropriate security safeguards for ensuring the ‘integrity’ of the information that the agencies disseminate.”
In EPA’s case, however, the OIG report makes clear that the agency is not in compliance with essential elements of the federal security requirements and these lapses “could leave EPA information exposed to unauthorized access.”
The question becomes, how can EPA continue to substantiate the integrity of its information under the DQA given the serious problems with its intrusion detection capabilities and non-compliance with federal IT security requirements?
The question is not a trivial one. If the agency cannot substantiate the integrity — the cybersecurity — of data in its possession, it can’t by law disseminate that data or information based on that data. EPA could find itself silenced on key issues where its voice is needed.
It is important to recognize that the DQA requirements are not minor technicalities that can be ignored. Instead, the statue establishes the right of affected persons the right to “seek and obtain” correction of information not meeting quality standards — including the integrity standard. Thus, an agency study or report could be subject to challenge under the DQA on the grounds that the underlying data may have been corrupted.
Agency reports, studies and other information disseminations may be used in rulemakings, act as warnings regarding certain types of products, and/or be used in litigation. Thus, affected persons have a significant incentive to seek and obtain retraction of any study based on altered/tampered data. They also have the legal tools.
The concept of “informational standing,” i.e., the right of affected persons to seek judicial review of a harmful, non-regulatory federal information disseminations, is well established in case law.
Moreover, the US Court of Appeals for the DC Circuit has explained that OMB’s guidelines implementing the DQA are “binding” and in doing so cited the Supreme Court’s Mead decision regarding rules carrying the force of law. It is noteworthy that the DC Circuit refused to modify their Opinion even after its primary implication, that DQA decisions are subject to judicial review, became clear and the subject of a Justice Department petition.
Thus, the cyberinsecurities identified by the EPA OIG have wide ranging environmental and legal ramifications. The most important lesson that can be drawn from the OIG report, however, a lesson applicable to all federal organizations, is that cybersecurity is not merely an internal housekeeping matter, it is the underpinning of every agency’s ability to carry out their mission.