Potential for fraud CoE emerges amid agencies’ cyber risk responses

Centers of Excellence exist for awareness, investigations and efficiencies, so why not one for something that combines all three?

Speaking at the Association of Government Accountants Internal Control and Fraud Prevention Training in Washington, D.C., Office of Management and Budget Senior Policy Analyst Heather Pajak said there is the possibility the future holds a “sort of centralized research and analysis capability” for cyber fraud.

“I don’t know that we are at the point of saying, yep, this is exactly what the administration wants, but if you step back and think about it conceptually, there’s so much data out there, data needed from some programs to be able to verify beneficiaries, lessons learned with some of our successful agencies, why not try to find a way that we can bring it together and get the proper authorities and get the right resources, so we can sort of have an enterprise focus and an enterprise approach and be one government,” Pajak said Sept. 19. “Conceptually, it’s just kind of like, well yeah, why don’t we do that? Whether or not we’re going there, it’s too early to say. I think that it’s something that could be a benefit to many programs.”

A wealth of data is available within the government, Pajak continued, and data held by one program can often be used to verify information needed by another, for example before a payment is made.


Knowing where to locate that data, and being able to access it in a safe and usable way, is a line of thinking needed across government, Pajak said.

That centralized research and analysis capability, Pajak said, “can pull from those agencies that have best practices, and sort of be able to share that across similar programs. CMS [Centers for Medicare & Medicaid Services] has a fantastic sort of center established that’s looking for bad actors and fraud, but we also have health care in other government programs. I’m thinking Department of Defense, VA. I am not a cyber expert, but I would go out on a limb and say there’s probably a good chance if we have a bad actor who is trying to get a payment from Medicare or Medicaid, if they’re successful, they may look to other health care programs that are similar. Why not find a good, safe, efficient way we can share the practices from some of these really successful agencies so that they can adapt quickly and put the safeguards in place necessary to try to make sure they don’t get taken advantage of.”

Pajak’s suggestion is just one example of how agencies are facing the shared threat of fraud while balancing their unique missions, resources, and risk — a reality highlighted during Pajak’s panel discussion on cyber fraud.

Linda Wilbanks, a senior adviser for cybersecurity risk management at the Education Department’s Federal Student Aid component, said working with other agencies to retrieve data and verify it is an example of a “large cybersecurity minimization” that’s already ongoing within the government, including, for example, FSA’s IRS Data Retrieval Tool.

“When sending data back and forth and linking to other agencies, you do open up a different risk. That occurred recently, where if another agency is infected with a virus or a worm, we now have provided them a conduit into us that we have to be careful for, so the agencies are very aware of watching for when a breach does occur, to ensure it’s contained within their area, and they notify us, if it is possible, to come to us, and then we have to monitor, too. I think it’s a success the federal government is sharing data across agencies so we don’t have to pass the data all around. That to me is a benefit.”

Accepting risk

Jarvis Rodgers, IT audit director within the Health and Human Services Department’s Office of Inspector General, said that while there are examples of working together at his agency, the nature of the department’s various components leads to a more siloed environment.

“It’s complex across HHS,” Rodgers said. “It’s almost a whole bunch of mini departments. But the missions are so different, so now when you drill down, the technologies are different, the type of fraud that you’re trying to prevent is different.”

Regardless of mission, Rodgers said there are things any agency can do to improve its fraud defenses.

The first step is “a really good risk assessment.”

Rodgers said it’s a good sign when senior officials are involved in the risk assessment process, and when he does an audit, the first thing he asks for is the risk assessment and the risk acceptances.

“If you don’t have any risk acceptances, that’s a red flag,” Rodgers said. “If you have 100 that have been signed off on at a lower level, that’s a red flag. There’s just a lot that can be gleaned from that. The second thing would be what we’re seeing a lot of now is penetration testing and hunting for what we call indicators of compromise.”

Wilbanks said that when it comes to risk at FSA, the questions are about “risk appetite” and “risk tolerance.”

“The answer would be yes, you invest in all of them, but how you invest in each one has to be based on the risk for your organization,” Wilbanks said. “So if I was to answer it for FSA, it would be a very different answer than Jarvis would give or any of you would give. But what I would say is, if you’re not looking at your risk when you’re doing your investment, then you’re just throwing darts at the dartboard. You need to know what risk are you resolving, what risk are you mitigating, what risk are you accepting because you’re funding something else, and that’s how you’ve got to get the balance, and where are you willing to accept the risk.”