Open government could lead to data leaks
Without new data classification and other governmentwide standards, the Obama administration's push to make information more accessible could lead to the inadvertent exposure of sensitive data, according to security experts.
The warning comes in the wake of last month's accidental posting of a document on the U.S. Government Printing Office (GPO) Web site that listed all U.S. civilian nuclear sites along with descriptions of their assets and activities.
The 267-page document was part of a federal government report being prepared for the United Nations' International Atomic Energy Agency (IAEA).
The document had been categorized as "sensitive but unclassified" -- or SBU -- a government designation that usually includes at least some controls over disclosure. A large number of government documents fall under the SBU category.
Meanwhile, President Barack Obama is looking to fulfill a campaign pledge by pushing federal agencies to make government data more easily accessible to the public.
Earlier this month, federal CIO Vivek Kundra announced plans to quickly make more than 100,000 data sources available to the public on the government's Data.gov Web site.
"The federal government is trying to push out more data, but they need to make sure ... that [sensitive] data isn't pushed out to places where it shouldn't be," said John Pescatore, an analyst at Gartner Inc. "There still is such a thing as 'need to know.' "
"Openness is a wonderful thing, so long as you have checks and balances to see that it doesn't become too open," said Ken Silva, chief technology officer at VeriSign Inc. and a former executive technical director at the U.S. National Security Agency.
When data previously available from a few hundred government sources suddenly starts becoming available via thousands of Web sites -- including widely used social networks like Facebook and MySpace -- there need to be controls in place to protect against inadvertent leaks, Silva added.
Karen Evans, formerly de facto CIO of the federal government as administrator of the Office of Electronic Government and Information Technology at the Office of Management and Budget, suggested that the sensitive data on U.S. nuclear sites was probably posted because the GPO had a different process for handling SBU documents than the IAEA.
Evans noted that there is little consistency in the way the various federal agencies handle SBU data. Each has its own process for defining, labeling and protecting such information, she said.
In fact, there are some 107 unique markings and more than 130 different handling processes and procedures for SBU information among U.S. government agencies, Evans added.
Such differences are likely to cause more unexpected problems as agencies move to share more information among themselves and with the public.