Analyst: VA Data Loss No Surprise - InformationWeek


07:40 PM


The government is at least a decade behind the private sector in data security, says a Gartner research VP.

When the Department of Veterans Affairs admitted earlier this week that it had lost 26.5 million veteran identities, it only confirmed what everyone knew, said an analyst Wednesday: the agency is at least a decade behind private business in how it cares for data.

Monday, Veterans Affairs (VA) disclosed that the data, which included Social Security numbers of the millions of vets and some of their spouses, had been taken home by an employee, where it was stolen in a burglary.

The government is at least a decade behind the private sector in data security, says a Gartner research vice president.

"The VA has had [security] issues for years."

Litan's right. According to the annual grading cards filed to Congress by the chief information officers and inspectors general of the biggest federal agencies, the VA has drawn an "F" in 4 of the last 5 years. (The only non-failing grade was a "C" given in 2003.)

Overall, the federal government received a D+ on its 2005 efforts to lock down its data and secure its infrastructure from attack.

"There's a strong connection between the VA's poor score and this incident," Litan said. "Frankly, there's no reason someone should be able to carry home this much data, and unencrypted at that."

The cause-and-effect -- poorly monitored data rules at the VA that allowed a mid-level employee to walk out the door armed with millions of Social Security numbers -- shows that even in business practices, government lags behind business.

In technology, it's just as far back. "Security is a low-priority budget item," said Litan.

And the loss of so many Social Security numbers, she added, should be the straw that breaks the camel's back. "We need to stop relying on Social Security numbers as an identifier," said Litan. "More than 10 percent of [all] Social Security numbers have already been compromised. Rather than use these unreliable numbers as a sole identifier, private enterprise and government both should move to an identity scoring system."

That system, similar to the methods used to detect credit card fraud, pools numerous parameters -- from address and shopping habits to bill paying histories and the origins of credit applications -- to create "scores" that determine the likelihood of identities being legitimate.

"Citibank's using a form of this to determine the identity of people applying for a credit card," Litan said.

On the bright side of the VA debacle, however, she's convinced that the chance of the stolen identities being used is very low.

"Burglars usually aren't the brightest bunch," she said. "He probably didn't even know what he had. If he had, he wouldn't be a burglar, he'd be a cyber crook."

Research shows, Litan added, that there's less than a 1 percent chance that an identity on stolen hardware will be put to malicious use. "These vets aren't in any danger."

And although VA Secretary Jim Nicholson has taken a beating in the press and at the hands of Congress -- Tuesday Sen. Patrick Leahy (D-Vt.) called for President Bush to bring Nicholson "into the woodshed" -- the delay in reporting the loss may have actually been a good thing, said Litan.

"It's likely the burglar has already gotten rid of the laptop," she said. If he'd known the value of the contents of the data, she theorized, he would have sold it, not just the hardware. Stolen notebooks are usually cleansed of their data before they're sold.

Nicholson himself has raged at the delay in internally reporting the theft, which reportedly took place on May 3. He said he was first notified of the data loss nearly two weeks later, on May 16. The VA went public on Monday, May 22, three weeks after the burglary.

He has directed the agency's acting inspector general, Jon Wooditch, to press the investigation. "We are engaged in a very extensive review of individuals up and down the chain of command," Nicholson said Wednesday in a statement.

In a written briefing submitted to Congress this week, Wooditch noted that his office had warned the VA every year since 2001 about "material weaknesses" in the department's access control procedures and the overall state of its information security.

The briefing also cited vulnerabilities at the VA that ranged from unpatched operating systems and weak passwords to a lack of strong data loss detection alerts.

Ironically, the head of the VA's IT department, Assistant Secretary for Information and Technology Robert McFarland, left the agency last week. McFarland, a former executive with Dell and an Army veteran who served a tour in South Vietnam in 1964, was appointed to the post in 2003 by President Bush.
