
Consumer Affairs

Government Scrambles To Secure Data After Breaches



Rushing to latch the barn door as the horses thunder into the sunset, government agencies are hurrying to implement safeguards for data security following an embarrassing series of data breaches and equipment thefts.

The Veterans Administration (VA) announced that it had contracted with two "mobile security specialist" companies to impose new data encryption on all of its machines, including desktop computers, laptops, and thumb drives.

In a press release trumpeting the initiative, VA Secretary Jim Nicholson said that the agency-wide encryption program will be "a tremendous step forward in improving the safety and security of sensitive veteran information."

Nicholson claimed that final testing of the new encryption products was underway, and that all of the agency's laptop computers would be updated and protected within four weeks.

Not to be outdone, the Justice Department's chief information security officer announced that he was launching an examination of all of the agency databases for potential security vulnerabilities.

CIO Dennis Heretick told Information Week that he has an agency-wide license to deploy AppDetective, a security program that examines databases for vulnerabilities and reports its findings back to the user.

According to Heretick, only 30% of the Justice Department's active databases are currently being examined by AppDetective, including systems used by the FBI. Heretick said that he wants personnel fully trained in the program before rolling it out agency-wide.

The Office of Management and Budget (OMB) had set a deadline of August 7th for federal agencies to meet a "security checklist" for protecting remotely used data, but many agencies have not yet met the deadline.

Laptop on the Loose

The saga of the stolen VA laptop remains the standard-bearer for government-based data security breaches.

The laptop, containing unprotected personal information on 26.5 million veterans, was stolen from the home of VA data analyst Wayne Johnson, who is currently fighting his termination from the agency.

Two Maryland teens and a juvenile were arrested and charged with the theft, and the laptop was returned by an anonymous informant.

Not only did the VA reveal that two other security breaches had occurred in the past twelve months and were kept quiet, it suffered another blow when a desktop computer containing information on thousands of veterans was stolen from Unisys, a technology services company contracting with the VA to process insurance claims.

The VA wasn't the only agency to suffer embarrassing data breaches.

In July 2006, a contractor working for defense and aerospace giant BAE Systems hacked the network of the FBI offices in Springfield, Illinois. Joseph Colon, who claimed he did so with permission of local FBI higher-ups, was spared jail time in the incident, but was terminated from his job.

Just last week, a special agent with the Department of Transportation (DOT) reported his laptop stolen from an agency vehicle in Miami, Florida. The laptop contained information on thousands of people in the area with commercial drivers' and pilots' licenses, and was being used in a fraud investigation.

Many government data breaches involve not theft, but simple incompetence.

In January 2006, the Justice Department moved to "scrub" many of its Web sites after it was tipped off that it had published the names, addresses, and Social Security numbers of individuals involved in litigation against it.

And the Navy accidentally published personal data on Web sites not once, but twice in two weeks. Both times, the data was quickly scrubbed, and information remains scanty as to why the data breaches occurred.

The Government Accountability Office (GAO), the watchdog arm of the government, has published numerous reports warning Congress that many federal agencies do not have proper data safeguards or protections for data, and that an excessive reliance on contractors and third parties for infrastructure and business tasks may lead to more breaches in the future.

Or to put it simply, a few barn doors have been latched but many others remain wide open.
