To Agency Insiders, Cyber Thefts And Slow Response Are No Surprise
But it is agencies with low grades that have recently been hacked.
Last fall, an intruder gained access to a computer at the National Nuclear Security Administration in Albuquerque -- part of the Energy Department -- and took a file with personal identifying information for 1,500 employees and contractors.
Rather than alerting those whose data were compromised and senior Energy officials, the administration filed the episode away with about 830 other incidents the department experienced last year. The Albuquerque breach came to light only after the VA incident. In congressional testimony last month, the department's inspector general, Gregory H. Friedman, said "significant weaknesses continue to exist."
Rep. Thomas M. Davis III (R-Va.), chairman of the House Government Reform Committee, explained why he thinks the government doesn't pay enough attention to cybersecurity: "If you don't accomplish your current mission, you know you're going to get dinged. If you don't accomplish this security thing, there's only an outside chance you'll have a data security breach" that garners attention.
Davis said he worries about a kind of cyber Pearl Harbor, and the Pentagon noted in a statement that potential adversaries, realizing the United States's overbearing military might, "see cyber attacks as an inexpensive means of leveling that battlefield." It added, "These asymmetrical threats are real and the results of insecurity are potentially catastrophic."
Davis and OMB's Johnson said federal overseers need to hold accountable federal officials who fail to take the necessary steps to safeguard systems. Davis suggested that criminal penalties may be necessary.
One problem, experts say, is that almost all agencies lack department-wide security programs. Such programs provide "a framework and continuing cycle of activities for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the entity's computer-related control," Gregory Wilshusen, GAO director of information security, told Congress in March.
Bruce Brody, a former VA and Energy chief information-security officer who now works in the private sector, said agencies cherish decentralization, which has "contributed to effective delivery of services to taxpayers. But in the case of information technology, it creates fragmentation. It creates inefficiencies."
Experts also said departments must close the wide gulf between senior leadership and information-security personnel.
Paul Kurtz, who worked in the White House on cybersecurity and now is the security-software industry's trade group president, said that senior agency officials had the attitude that they "had much better things to do with my job" than work on information security.
The VA's chief information-security officer, who announced his resignation June 29, said he had been unable to implement security changes during his more than three years on the job. He told Government Executive magazine that he had met VA Secretary Jim Nicholson only once, at a social event.
"The department has no interest in doing the right thing," Pedro Cadenas Jr. told the magazine. "I am having personal difficulty looking veterans in the eye and telling them that things will be OK."
VA spokesman Matt Burns said Nicholson issued a memorandum empowering security officials to do what is necessary to beef up security, a move he called "a significant step in the right direction."


