VA breach highlights lapses in security


May 26, 2006|By MELISSA HARRIS

Last year, Congress gave the federal government a D+ in computer security.

Even worse, the Department of Homeland Security, the agency responsible for tracking digital security breaches, got an F. So did the Department of Veterans Affairs, where an employee this month compromised the Social Security numbers of up to 26.5 million veterans and their spouses after burglars stole a laptop and discs from an analyst's Montgomery County home.

In the VA case, the midlevel worker did not have permission to remove the material from VA offices. But Congress and the Government Accountability Office have been hounding agencies on this issue for years. The GAO declared computer security a "high-risk" issue almost a decade ago, and the Office of Management and Budget recently complained that agencies are not reporting breaches to Homeland Security -- or detecting them.

In fiscal year 2005, federal agencies reported 3,569 computer security "incidents." Of those, 674 involved "unauthorized access" or "improper use," according to the March 1 budget office report.

Homeland Security "continues to find sporadic reporting by some agencies and unusually low levels of reporting by others," the report states. "Less than full reporting hampers the government's ability to know whether an incident is isolated at one agency or is part of a larger event, e.g., the widespread propagation of an Internet worm."

Despite the magnitude of the recent incident, the VA did not tell the FBI or the Justice Department about the burglary until late last week -- two weeks after the incident. The employee did promptly report the incident to supervisors.

Clay Johnson III, deputy director of the budget office, has ordered all agencies to remind their employees within 30 days of their responsibilities in this area.

Here are some basic computer security tips for federal workers and the general public from Alan Paller, the director of research at the SANS Institute, a Bethesda-based computer security training firm:

Avoid putting sensitive data on a laptop or removing it from a federal building.

If that's not an option, cripple the data, such as deleting the last four digits of Social Security numbers, or encrypt it so that the material is unusable to someone without the key.

Password-protect your computer or laptop and ensure that when the machine goes into "sleep mode," a password is required to use it again.

Make it impossible for someone to start the laptop with a compact disc. Doing so is complicated, so ask a technology expert at your agency how to do it.

Paller said that never taking the data off-site is the most efficient way to prevent a breach because encryption is "hard and dangerous."

"You need the right software," Paller said. "It has to be installed in a way that's not intuitive. It's not like installing software where you just click yes, yes, yes, yes. And it's dangerous because if the machine gets damaged, you may never see the data again."

Paller said that Johnson is one of the few officials who can force computer companies vying for federal business to make encryption easier.

"They need to specify in their contracts with Dell, IBM, Hewlett-Packard, etc., that they all deliver computers with upgraded Windows systems that make it as easy as clicking `Yes' to encrypt something," Paller said. "Right now, it's too hard to ask people to do it."

Theft damage control

The first of what is likely to be many proposals in Congress on how to handle the fallout from the VA breach is the "Veterans Identity Protection Act of 2006," introduced this week by Rep. John T. Salazar, a Colorado Democrat and Army veteran.

According to a statement from Salazar's office, the bill would:

Provide one year of free credit monitoring to affected individuals;

Provide one additional free credit report each year for two years after the end of credit monitoring (one free credit report per year is already required);

Authorize $1.25 billion in emergency funds for the first year.

The Associated Press contributed to this article.

The writer can be reached at or 410-715-2885. Recent back issues can be read at

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.