In May, Veterans Affairs Secretary R. James Nicholson told Congress he was “mad as hell” when he learned that a laptop computer containing unencrypted personal information on 26.5 million military personnel had been stolen from a VA employee’s home. Soon afterward, the White House released a memorandum recommending but not requiring basic security rules for mobile devices used by federal employees.
Then, in early August, only three days after two Maryland teenagers were arrested in connection with that laptop theft, the VA announced that another laptop, this one containing a mere 38,000 personnel records, had gone missing from defense contractor Unisys. No word yet on Secretary Nicholson’s mood.
Of course, these two Veterans Affairs’ affairs are only the latest in a string of embarrassing computer-security incidents involving government agencies. So it might seem oxymoronic to ask how a federal bureaucracy that can’t protect its own data from teenagers can be expected to protect yours and mine from natural disasters and terrorists. But that is precisely the question posed by “Internet Infrastructure: Challenges in Developing a Public/Private Recovery Plan,” a report published in July by the Government Accountability Office.
Not surprisingly, the GAO concludes that the Department of Homeland Security, whose job it is to protect all national infrastructures from natural and terrorist catastrophes, has so far done almost nothing with regard to the Internet. A few highlights:
What should the DHS—or, for that matter, any other arm of the federal government—be doing to protect the Internet? The administration’s own answer depends on whom you ask—or rather, when. In September 2002, the White House released a draft entitled “National Strategy to Secure Cyberspace,” an impressive report that evaluated the threats to Internet security on a variety of dimensions. The draft offered detailed recommendations for improvements to be made not only by government, but also by infrastructure providers, large and small companies, and home computer users, everything from “use a tough password” (home users) to “ensure that security is embedded in the business operations” (large enterprises).
Next page: Looking to the Private Sector