They're with the government and they're here to protect you -- but not your data. Texas apparently had exposed personal data of 3.5 million residents for a year on the open Web. And remember when WikiLeaks made a massive number of diplomatic cables public? Even now, the Department of Defense is industriously working on closing the security hole that made it possible ... sometime by 2013.
Either case taken alone would set any sane person's head shaking. Together, they raise the question of whether government can be trusted with the most basic information security. Even when information is of the most sensitive personal nature or of claimed national security importance, governments' best efforts seem to be in studies to learn why they failed to do what they were supposed to.
The Texas story is stunning. Several departments were transferring data that included names, addresses, Social Security numbers, dates of birth, and even driver's license numbers -- and doing so in the clear, even though Texas law required the information to be encrypted. If that weren't bad enough, people in the Comptroller's office failed to follow established procedures and managed to post it on a public-facing server. For a year, the government let the data sit in full view.
The state discovered the problem on March 31 and didn't get around to telling anyone until yesterday. But, if you're on the list, not to worry: Texas says that information could not have been misused "in any way" at this time. Well, there's a load off everyone's mind. Personnel probably scrupulously followed procedures to determine that. And, after all, no one on the Web ever stumbled across data or made illegal use of it.
As for the Department of Defense, it already knew that removable media were a danger to its classified networks because of a malware experience in 2008. So, the DOD said no more: no USB drives, no CDs, nothing. This must have been a case of the honor system, because the DOD didn't disable the ability to use removable media, as that is exactly how Bradley Manning allegedly took the State Department cables out the door.
Even after arresting Manning in mid-May, the DOD did nothing until August 12, 2010, after WikiLeaks released the first of the cables. At that point, the Powers That Were decided to study what had happened. And that was even though the Defense Department knew of the security dangers for years. Congress decided that basic levels of information security that would be considered standard in a well-run corporation must be hard to achieve, and so is giving them until October 1, 2013 to fix the problems.
Good gravy, and we complain about Google (GOOG) and Facebook. Given that they have appropriate-sounding rules and procedures, governments seem to understand the need for security and even have some ideas of how to implement it. And governments constantly seek private user information from Internet industry and telecommunications companies. Maybe they figure that practice makes perfect.