The Wild Wild West of Data Hoarding in the Federal Government
There is a strong belief, in both the public and private sectors, that the worst thing you can do with a piece of data is to delete it. The government stores all sorts of data, from traffic logs to home ownership statistics. Data is obviously incredibly important to the Federal Government, but storing large amounts of it poses significant compliance and security risks, especially with the rise of nation-state hackers. As the risk of being breached continues to rise, why is the government not tackling its data storage problem head-on?
The Myth of “Free” Storage
Storage is cheap, especially compared to 10-15 years ago. Cloud storage has made it easier than ever to store swaths of information, creating what some call “digital landfills.” However, the true cost of storage isn’t in the ones and zeros sitting on the server somewhere. It’s the business cost.
As information stores continue to grow, moving information to the correct place becomes harder and harder for the Federal Government, not to mention more expensive. The U.S. Government has a duty to provide accurate, up-to-date information to its taxpayers, meaning that sharing “bad data” is not an option.
The Association of Information and Image Management (AIIM) reports that half of an organization’s retained data has no value. So far, in 2019, through our work with Federal Agencies, we have discovered that this number is, in fact, low. Over 66% of data we’ve indexed, by the client’s definition, has fallen into that “junk” category. Eliminating junk data paves the way for greater accessibility, transparency and major financial savings. But what is “junk” data?
Redundant, Obsolete and Trivial (ROT) Data
Data is important, but if you can’t assign a value to it, it can become impossible to manage. Simply put, ROT data is digital information that an organization retains but that has no business or legal value. To be efficient from both a cyber hygiene and business perspective, the government needs to get better at purging its ROT data.
Again, purging data doesn’t just help with the hard cost of storage and backups, etc. For example, think about what needs to be done to answer a Freedom of Information Act (FOIA) request. You have a petabyte of data. You have at least a billion documents you need to funnel through to be able to respond to that FOIA request. By eliminating 50% of your ROT data, you probably have also reduced your FOIA response time by 50%.
Records and information governance, taken at face value, might seem fairly esoteric. It may not be as fun or as sexy as the new Space Force, but the reality is, the only way to know if the government is doing what it says is through records and information. You can’t answer an FOIA request if there’s no material. You can’t answer Congress if the material isn’t accurate. Being able to access timely, accurate information is critical. That’s why NARA is advocating a move to electronic records.
Moving to a Digital Government
“By December 31, 2019, all permanent electronic records in Federal agencies will be managed electronically to the fullest extent possible for eventual transfer and accessioning by NARA in an electronic format.” – The National Archives and Records Administration (NARA). NARA plays a critical role in overseeing records management and archives for the Federal Government.
NARA is making a concerted effort to make it easier for Federal agencies to obtain electronic records management (ERM) services and solutions, which is why they developed the Federal Electronic Records Modernization Initiative (FERMI). Simply put, FERMI’s goal is to help agencies find the right solutions to their digital problems.
NARA issues a Records Management Self-Assessment (RMSA) report every year, where they ask agencies to self-report. According to NARA, the goal of the self-assessments is “to determine whether Federal agencies are compliant with statutory and regulatory records management requirements.”
At Active Navigation, we sent a request under the Freedom of Information Act to every agency in the government to give us their self-assessments. We then compared those self-assessments to our notes from our meetings with those agencies. We found that there was a huge delta in scores. If agencies have different ideas of where they are vs. where they are going, how can they start preparing for FERMI?
- Understand Your Data
There’s a common expression “you can’t manage what you can’t measure.” This adage directly applies to complying with FERMI. You need to test your data to understand what you want to keep, and what you can delete. The easiest way to understand how unstructured data poses a real problem in your agency is by using your actual data as a test. Active Navigation can provide a proof of concept to show what’s hiding in your unstructured data, which typically includes PII and sensitive data.
Of all the POCs we’ve conducted thus far in 2019:
- 100% of agencies found that more than 50% of their data fell into the ROT category (by their definition)
- 100% of the agencies had PII or PHI just sitting out in the open
- Start Minimizing
Data minimization is the practice of throwing ROT data away. At Active Navigation, we strongly believe that Federal Agencies need to start practicing data minimization. By reducing the amount of unstructured data, you are protecting your agency and the taxpayer, because fundamentally, digital risk lives in that ROT data. It’s the same type of risk we saw at OPM during their breach. Old data files, which provided no value, could have been purged. By throwing away your junk, you are reducing your threat profile.
The Importance of Cyber Hygiene and Information Governance
The Ponemon Institute’s 2018 Cost of a Data Breach Study found that, on average, it takes an organization 197 days to detect a data breach. This means that a data breach may be occurring within an agency right now, but it may not be detected until next year.
Foreign nationals and foreign governments are constantly trying to infiltrate our government. One of the first things they do is get into networks, into unstructured data, and they look for password files.
We recently conducted a POC with two different agencies, and both had password files pretty much out in the open. IT had an Excel sheet with username and password for all their structured systems. Malicious hackers know that these types of files exist. They find them, and then they break into all the structured data.
Protecting your agency starts with protecting your data. As data continues to stack up, the Federal Government needs to learn how to throw it out. If you’re interested in eliminating your agency’s ROT, contact Active Navigation today for a free proof of concept.
This blog was co-written by John Cofrancesco, VP of Business Development, and Niamh Bennett, Marketing Manager.