Information-Security Issues Plague Federal Government
JOHN YDSTIE, host:
On Mondays we focus on technology. Today, the White House wants security problems fixed.
(Soundbite of music)
YDSTIE: The Office of Management and Budget is telling information security czars throughout the federal government to get their act together, and they have until mid-August to do it. The order is just part of the fallout from one of the biggest foul-ups in IT history. That's the theft in May of a government laptop containing the personal information of more than 26 million veterans and their families.
Even though the laptop has since been recovered, the incident has a lot of computer geeks shaking their heads at the continuing malaise afflicting government security efforts.
NPR's Larry Abramson has this report.
LARRY ABRAMSON reporting:
As someone who's been analyzing government computer problems for years, Greg Wilshusen says he's not surprised that major screw-ups keep appearing.
Mr. GREGORY WILSHUSEN (Acting Director, Information Security, Government Accountability Office): We have designated information security as a government-wide high-risk area since 1997.
ABRAMSON: Wilshusen works for the Government Accountability Office, an independent watchdog agency. Congress relies on his analyses when lawmakers hand out grades for computer security. There are always a lot of F's for major agencies like the Department of Veterans Affairs.
The reasons are often dumb mistakes. For example, Wilshusen says that when new computers arrive they come with an administrator account and an easy password that lets the computer guy adjust all the settings on the machine.
Mr. WILSHUSEN: One of the very basic information security controls you need to do is to change that password and user ID upon installation. We often find that that's not being done.
ABRAMSON: The theft of the Veterans Affairs data exposed another basic violation of computer security rules. When sensitive information leaves the office, it should be encrypted, scrambled so that hackers or thieves can't use the data. But a VA analyst was routinely allowed to take home millions of records that were sitting there ready to be opened. The thief who stole the laptop and the hard drive during a burglary could have easily copied the files, although that apparently did not happen.
According to Clay Johnson, Deputy Director of the Office of Management and Budget, there's no excuse for that.
Mr. CLAY JOHNSON (Deputy Director, Office of Management and Budget): First of all, there were already requirements. This is available at any office supply store. This is not an expense issue. This is a discipline issue. There is no resource reason why this can't be done.
ABRAMSON: All too often it isn't. So Johnson has given administrators until early August to start encrypting data on mobile computers and devices.
Security analysts say that the VA's negligence is even harder to justify given that security systems are becoming easier to use. Mike McGowan, a digital forensics expert in New York, showed me how two-factor authentication works in his office. McGowan has two passwords: one he keeps in his head, the other is a number that he gets from a key-fob-sized ID token that he carries around with him.
Mr. MIKE MCGOWAN (CEO, Message Level): It's a six-digit number. It changes every 60 seconds. And there's a server that knows the corresponding number. And in order to log into my e-mail I need to enter the corresponding number that's on my ID card.
ABRAMSON: So even if someone guesses McGowan's password, his e-mail program is safe from intruders.
McGowan says he could go one step further by encrypting each file individually, but he says that would be a pain.
Mr. MCGOWAN: One of the goals of securing a laptop or a computer is that you want to have appropriate measures that will provide security but not be a nuisance to you or to other people at your company if you're responsible for security.
ABRAMSON: While there are a lot of security dunces in the federal government, there are some valedictorians. While the VA sits in the corner with the Departments of Homeland Security, State and Defense, A-pluses go to the Social Security Administration, the EPA, and the Office of Personnel Management.
OPM earned that top grade thanks in large part to the bullheaded determination of this woman.
Ms. JANET BARNES (Chief Information Officer, Office of Personnel Management): Janet, J-A-N-E-T, Barnes, B-A-R-N-E-S.
ABRAMSON: Okay. And your title is?
Ms. BARNES: CIO.
ABRAMSON: Barnes pulled OPM's security grade from a C- to an A+ in part by being unforgiving when it comes to training requirements.
Ms. BARNES: We track down every last individual, every computer user, whether it's a contractor or a staff person at OPM. Every one of them is tracked to make sure that they meet their annual security training requirement.
ABRAMSON: Riding herd on contractors is key; they often slip through the security net.
OPM has good reason to be careful: as the government's human resources manager, OPM learns a lot about the millions of people who work for the federal government.
To underscore that, Kathy Dillaman joins the conversation. She's in charge of OPM's investigations division, which employs 6,500 agents to investigate just about anyone who wants to work for the government.
Each agent has a laptop, but Dillaman says each machine is carefully configured to prevent unauthorized peeking.
Ms. KATHY DILLAMAN (Associate Director of Investigations, Office of Personnel Management): None of them contain the information. They have to sign into the mainframe to get to the information. And it's case-by-case, not volume data; it's on specific investigations that they're working on.
ABRAMSON: So I can't download 26 million names to my laptop and then take it to the beach.
Ms. DILLAMAN: You can't even download one.
ABRAMSON: Try to look at a file you're not allowed to see and you get a security alert followed by possible disciplinary action. One worker was sanctioned for looking up her boss' birthday so she could send a card.
The price of all the security is perpetual nosiness. Janet Barnes and her staff regularly peruse workers' passwords to see if they're breaking the rules, say, by using the name of a pet or some other mnemonic that's easily cracked.
Ms. BARNES: And we looked to, for example, those with security responsibilities, and we told them these are the passwords you're using and this was how quickly we were able to crack them. And then we encouraged them all to go in and get them fixed and changed and updated so that they weren't so easy.
ABRAMSON: After I stopped recording, Janet Barnes wondered whether it's such a good idea to talk publicly about successful techniques, or whether she's attracting intruders who'll want to test her defenses. But why bother, when there are so many undefended government targets.
Larry Abramson, NPR News, Washington.
YDSTIE: This is MORNING EDITION from NPR News. I'm John Ydstie.
RENEE MONTAGNE, host:
And I'm Renee Montagne.