Are Facebook, Twitter, and other social media tools “cybersecurity risks”? Of course, there are hackers who claim that they can use Web 2.0 tools as gateways into networks. But the reality is that there are many gateways into networks, from various avenues. Unfortunately, cybersecurity often becomes an exercise in triple-bolting the front door of your house only to realize that the back door has been left wide open. Cybersecurity is a complex art that requires innovative solutions and is best managed by creating a defense in depth. If your cyber risk management approach is solely about hardening the exterior of the network, you may have already lost the fight.
There is a polarity between cybersecurity and Open Government. This polarity can lead to tension between your Information Security Officer and your Social Media champions. If the Information Security Officer had his or her way, the network would be locked down. The nature of IT innovation ensures that new gateways will continue to emerge and cybersecurity management will become increasingly complex. Rather than shut down these new gateways, it is important for an organization to be able to assess and manage emerging risks in a comprehensive manner. The new risks introduced by social media and other Open Government tools cannot be ignored. But they may be mitigated by controls in other areas so that the “shut it down” response can be avoided. It is critical that your Open Government planning address any organizational concerns so that the black cloud of lax cybersecurity does not hang over your Open Government efforts.
When reviewing the Open Government Directive and conducting planning, you will need to strike a balance between cybersecurity concerns and open government objectives. There are no specific security requirements in the Directive. However, it requires agencies to include proposals for new collaborative technology platforms and innovative tools for public engagement. The best cybersecurity advice I can offer when developing your proposal is to keep the issues clear during the discussions and review the Guidelines for Secure Use of Social Media issued by the Federal CIO Council. Discussions regarding cybersecurity risks should not introduce publishing problems (e.g., the TSA's poorly redacted policy), privacy concerns, workforce productivity issues, or message control challenges except to assess organizational impact and risk. For example, I often hear clients refer to social media tools as “security issues” only to then hear them talk about the reduced productivity that comes about by allowing YouTube. I am by no means suggesting that these other issues should be ignored. However, to properly address cybersecurity risks while conducting Open Government planning, it is important that cybersecurity discussions focus on managing risks to the confidentiality, integrity, and availability of information and not be clouded by other issues.