Lessons from Veterans Affairs laptop fiasco
It seems the storm clouds which gathered in the aftermath of the several high-profile US government data breaches over the past few months have not yet dispersed. An internal report by the Inspector General on the Veterans Affairs laptop fiasco was published last week, but this has done little to allay fears about such incidents occurring in the future.
Additional fuel for criticism (if any was needed!) was provided by the FBI, whose computer network was recently found to be wanting in terms of security. Blunders and poor management have come to light in the case of a government consultant who hacked the FBI network and gained access to tens of thousands of secret employee passwords, including that of the FBI director. The FBI now says it has started work on a new computer network, up to date in terms of features and security, that will cost some $305 million over the next six years. The agency has also requested funding from Congress to pay for a system called Sentinel, due to be launched in 2009.
But while the FBI seems to have its bases covered, other agencies will have to make do with merely following a government-issued set of recommendations asking for the implementation of secure practices including encryption. However, it is becoming apparent that security is not merely down to encryption. A former senior Security Officer at the VA has recently cited “cultural issues” as being responsible for poor security and spoke about fragmented security policies and lack of responsibility. The actions of the VA management were indeed branded as “unprofessional” in the Inspector General report on the laptop theft published last week.
Jim Nicholson, the VA Secretary, and George Opfer, the VA’s Inspector General, will surely face some tough questions when they appear before Congress regarding the laptop incident. The problem is that experts are now suggesting that the situation that led to the laptop being lost may be mirrored in many other organisations, which may not even know where their sensitive data is or what to do about it. Rather than a set of government guidelines, a complete “culture change” regarding the use of sensitive data, its storage and transmission may be needed to prevent future breaches of such magnitude.