Leave My ID Alone

Unisys employee working for the VA lost a laptop

Congress is moving to require security technologies to protect sensitive data from compromise, and several department heads and officials are calling for stiff penalties for people--government employees and contractors--who fail to protect data.

Well, it's about time! My faith in the government's ability to police itself, however, is low. Here's why.

The government has long been the bearer of security standards—for others and itself. While laws for the private sector—Sarbanes-Oxley, HIPAA, GLBA—have done great things to motivate corporate digital security, the government's own measures still haven't instilled a holistic security culture.

Take the Federal Information Security Management Act (FISMA), the law that set "minimum" standards for securing federal IT systems. The 2003 law requires federal agencies to report their security status to Congress. Congress has used these reports to issue scorecards on agencies' security and, as you can guess, the grades have been consistently dismal. Worse, agencies with the most sensitive data--Veterans Affairs, State, Homeland Security, Energy, Defense, and Health and Human Services--all received failing grades last year.


Requirements just now taking effect will require federal agencies to restrict access to sensitive data, use encryption to protect data in storage and in transit, and complete PKI projects that ensure the integrity of data and verify users' rights to access it.

Still, these measures will fall short if the federal government doesn't do more to create a culture where personal identities are guarded with the same urgency and seriousness as nuclear missile launch codes and the president's breakfast menu. As security gurus will tell you, security is a process, not a product.

You can't always prevent a laptop from being stolen, but you can take measures to protect the data if the hardware is compromised. Encryption and access control would have gone a long way toward keeping the thieves from accessing the data. But in the case of the VA analyst whose home was burglarized, what was he doing with 26 million records outside the office? That's where process makes a difference.

It's beyond time that the government takes the medicine it prescribes for the private sector, tightens its security policies as well as its technologies, and does more to protect the data its constituents cherish, not just secrets of state.

By the way: After the FBI recovered the first VA laptop and determined the two teens who stole it didn't access the hard drive (not sure how you can determine that), House Speaker Dennis Hastert (R-Ill.) withdrew $160 million to provide credit-monitoring services for the affected veterans. Mr. Speaker, I think I want that money back.