Government Data Loss: Double Standard


One of the greatest challenges to network security is the illegitimate use of legitimate access: insider abuse.  There have been a number of insider-abuse cases in the headlines, from the Countrywide employee who grabbed 20,000 customer records every Sunday for nearly two years to the recently disclosed State Department breach.

While the State Department breach is relatively small, it’s newsworthy for two reasons.

  1. It’s another failure for an organization that seems to be plagued with network security challenges.  Considering they have detailed identity data on nearly 200 million U.S. passport holders, it’s reasonable to ask, “Who’s guarding this information, and how?”
  2. We’re dealing with identity theft originating from within a branch of the federal government! 

We might be able to choose not to do business with a specific retailer, but we don’t have a choice when it comes to the government.  If you apply for a passport, your records are stored in their database, apparently easily accessible, and with little to no oversight.  While many states have passed data breach notification laws, these laws don’t seem to apply to the State Department.  It wasn’t required to notify applicants that their records may have been compromised and their identities were at risk, and it didn’t notify them for over seven months.

Will the federal government be held to the same security and compliance standards that it has mandated for corporations or that states impose on businesses operating within their borders?

It seems unlikely, so we’re faced with a serious dilemma.  The national ID campaign, and of course the drive toward national healthcare will both embody massive, centralized databases that we’re “assured” will be secure.  How can we be sure as citizens that the ever-growing volume of citizen and visitor data being compiled by the government will be “secure”?

I’m not a cynic, just a practicing pragmatist.  The challenge is enormous, the risks are real, and I’ve seen little evidence to date that suggests the problem is being addressed.  There are no easy answers, and certainly no cheap ones, but we can start by demanding that the government play by the same rules it has imposed on business.  I’d like to see the people signing off on government IT audits held to the same standards (and penalties) that SOX places on executives.  At the very least, mandatory breach disclosure requirements should be implemented.


This post was written by:

Michael Maloof - who has written 14 posts on TriGeoSphere.
