A government report paints a bleak picture for security at federal agencies. Agencies are constantly losing data and often have no idea what's been lost or who's been affected--proof that the government is simply not giving this the attention it needs, claims an industry advocacy group.
Federal agencies not only regularly lose personal identity data, but don't even always know what they've lost or how many Americans are affected, a recently-released House report claimed.
According to the report issued by the House Government Reform Committee, which is chaired by Tom Davis (R-Va.), all 19 federal departments and agencies from which data was requested had lost or compromised personal information in the three-and-a-half years since January 2003. Some of the breaches were losses, others were the result of theft.
In August 2006, for example, a Department of Defense laptop that contained personal information on 30,000 Navy applicants and prospects fell of a motorcycle driven by a recruiter. "The recruiter returned to the scene and was told by a road side worker that a car had stopped and picked up the bag," the report said.
"I commend Davis for asking agencies to come forward with this information," said Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA), an industry advocacy group that counts Citrix, McAfee, RSA, and Symantec as members. "It was a necessary step and a positive move."
The Davis report concluded that data loss is a government-wide problem. "This is not restricted to the Department of Veteran Affairs or any other single agency," the report stated. More troublesome, however, was the fact that in many cases, agencies "do not know what information has been lost or how many individuals could be impacted."
"That's not surprising," said Kurtz. "But it does underscore the gravity of the situation. Government is simply not giving this the attention it needs."
Although Congress pondered several data breach bills in the just-concluded session, none were passed. Kurtz, who in the past has been critical of the low priority the issue was given, continued to hammer at legislators.
"People's sensitive information must be secured across federal agencies. Users are confused. They hear from the private sector, such as brokerage houses, that their information is secure, but then find out it's not secure in other places, like the government. There needs to be a set of common standards."
Still, Kurtz hasn't given up on the idea of national data breach and notification bill passing. "If I was a betting man, I'll take the bet [that Congress will pass something next session]. But that's because it's two years we're talking about."
In fact, Congress came close to putting something on the President's desk in the 190th Congress.
"This was in the top 10, but not in the top 5," Kurtz said. "There is a recognition and concern that this is a real problem. But it will take a lot of work."
That shouldn't bowl over anyone who has followed the federal government's abysmal record in IT security. In the most recent security report card issued by Congress, the government as a whole pulled a dismal "D+". Eight of the 24 departments and agencies graded were given an "F".
"There's definitely a connection between the grades and data losses," said Kurtz.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.