Larry Downes: If It Ain’t Broke…

Larry Downes Avatar

Updated on:

In May, Veterans Affairs Secretary R. James Nicholson told Congress he was “mad as hell” when he learned that a laptop computer containing unencrypted personal information on 26.5 million military personnel had been stolen from a VA employee’s home. Soon afterward, the White House released a memorandum recommending but not requiring basic security rules for mobile devices used by federal employees.

Then, in early August, only three days after two Maryland teenagers were arrested in connection with that laptop theft, the VA announced that another laptop, this one containing a mere 38,000 personnel records, had gone missing from defense contractor Unisys. No word yet on Secretary Nicholson’s mood.

Of course, these two Veterans Affairs’ affairs are only the latest in a string of embarrassing computer-security incidents involving government agencies. So it might seem oxymoronic to ask how a federal bureaucracy that can’t protect its own data from teenagers can be expected to protect yours and mine from natural disasters and terrorists. But that is precisely the question posed by “Internet Infrastructure: Challenges in Developing a Public/Private Recovery Plan,” a report published in July by the Government Accountability Office.

Not surprisingly, the GAO concludes that the Department of Homeland Security, whose job it is to protect all national infrastructures from natural and terrorist catastrophes, has so far done almost nothing with regard to the Internet. A few highlights:

  • After many of the agency’s Internet security staff resigned, DHS Secretary Michael Chertoff last year created a high-ranking post of “assistant secretary for cybersecurity and telecommunications.” This official, who Chertoff said would be responsible for “identifying and assessing the vulnerability of critical telecommunications infrastructure and assets; providing timely, actionable and valuable threat information; and leading the national response to cyber and telecommunications attacks,” has yet to be appointed.
  • The agency’s National Cyber Response Coordination Group, the “primary entity responsible for coordinating governmentwide responses to cyber incidents,” still hasn’t decided what it is supposed to do. Which is just as well, since the group has also not identified the kinds of events that would trigger its activation.
  • The DHS has begun several Internet-related initiatives. But it has yet to finish any of them, or offer a timetable for when it might, or indicate how any of them fit together. As a result, the GAO concludes, “the nation is not prepared to effectively coordinate public/private plans for recovering from a major Internet disruption.”

    What should the DHS—or, for that matter, any other arm of the federal government—be doing to protect the Internet? The administration’s own answer depends on whom you ask—or rather, when. In September 2002, the White House released a draft entitled “National Strategy to Secure Cyberspace,” an impressive report that evaluated the threats to Internet security on a variety of dimensions. The draft offered detailed recommendations for improvements to be made not only by government, but also by infrastructure providers, large and small companies, and home computer users, everything from “use a tough password” (home users) to “ensure that security is embedded in the business operations” (large enterprises).

    Next page: Looking to the Private Sector