USAID Finds Safe Haven from Hackers

Case study: The U.S. Agency for International Development was an easy target for hackers until it turned to SIM technology.

Uganda, Senegal, Uzbekistan, Moldova, Ecuador, Haiti—name any impoverished country in the world, and the U.S. Agency for International Development is probably there on the ground. Increasingly, however, USAID's humanitarian offense is relying on a solid IT security defense.

With a new financial record-keeping system due to come online within the next six months, USAID has sharpened its focus on hacking threats, using SIM (security incident management) technology to correlate and manage data from political and humanitarian hot spots around the world and to keep billions of dollars in U.S. development money flowing.

USAID sprang into existence with a stroke of the pen by President John F. Kennedy in 1961 and has provided economic and humanitarian aid as well as development assistance to needy countries ever since. The agency consolidated a hodgepodge of foreign aid and development organizations that grew out of the U.S. government's post-World War II Marshall Plan for rebuilding Europe.

The olive branch of U.S. foreign policy, USAID does most of its work in the background: helping Ugandan flower growers break into the U.S. market, battling armyworm infestations in Tanzania, providing food assistance in drought-plagued Kenya or helping to electrify rural India.

Maintaining operations in some of the world's poorest countries has never been easy for a 21st-century aid organization with $9 billion in direct aid to distribute in conjunction with the U.S. Department of State. But more and more, USAID's reputation as an agency of do-gooders with money to hand out makes the organization a popular target for malicious hackers, online criminal groups and others hostile to the United States, said Philip Heneghan, chief information security officer at USAID.

USAID's field offices were natural targets, said Tracey Hulver, director of product management at NetForensics, in Edison, N.J.

"True or not, people feel like, if a machine is sitting in the Congo, it's easier to access than a central hub in Washington, D.C.," Hulver said.

Until recently, USAID was an easy target, too. The agency was failing audits of its IT security and received a "C-" in 2003 on the House Government Reform Committee's Federal Security Report Card, a measure of federal agencies' compliance with FISMA (Federal Information Security Management Act) of 2002.

Like many organizations, USAID had a potpourri of different security products deployed around the globe, such as IDSes (intrusion detection systems) and firewalls, producing reams of data that nobody was looking at.

USAID also had no way to parse the data that was being produced by the devices, making incident response "pretty random," Hulver said.

"Getting an F gets embarrassing after a while," Heneghan said.


In 2003, USAID turned to Open System Sciences, in Newington, Va., for help.

SIM technology was key for turning the agency's performance on IT security around, Heneghan said. "We had to get awareness and see what was going on on our network," he said.

"Phil's mantra was 'You can't improve what you can't measure,'" said Bill Geimer, a program manager for OSS.

The first task for OSS was to marry USAID's firewall and IDS data, Geimer said.
