The Sept. 11 attacks and the ongoing war on terrorism are, understandably, making Americans uneasy. War is unpredictable and produces risks seemingly everywhere. One of those risks concerns the federal databases that store vital information on every American.
Your Social Security number and your address are simply the tip of the iceberg of the information that is vulnerable to savvy cyber terrorists. After all, this is the government we are talking about and you do not need to be a wacky conspiracy theorist to realize the volume of information our government has on file about each citizen.
A little over a year ago, Rep. Stephen Horn (R‐Calif.) declared: “Obviously there is a great deal of work ahead… [Federal agencies] must take the necessary steps to mitigate [privacy] threats. There is no room for complacency.” Horn, chair of the House Committee on Government Reform, was reacting to the findings of a Government Accounting Office (GAO) study his committee had commissioned to examine the security of federal databases. The Government Security Reform Act of 2000 requires all agency Chief Information Officers (CIOs) to evaluate their agency’s computer security programs and report the findings to the Office of Management and Budget (OMB) for evaluation.
Now, a year later, it seems that little work has been done. In fact, most federal agencies still receive a failing grade based upon the recent release of the 2001 evaluations by the OMB. Horn’s words today sound eerily similar to his condemnation of federal database security a year ago: “It is disappointing to announce that the executive branch of the federal government has received a failing grade for its computer security efforts.” Horn further says that a full two‐thirds of the 24 agencies failed completely in their computer security efforts. Noteworthy among the agencies receiving an “F” grade in this time of war are the Department of Defense, the Department of Transportation (which oversees the FAA), and the Department of Energy (which helps to oversee the nation’s nuclear weapons).
This comes on the heels of the nation’s new cyber‐security czar’s statement that the United States is vulnerable to imminent cyber attacks. He points out correctly that we have become a society that is dependent upon networks, and an attack on these networks could disrupt everything from the operation of our health care system to our banking system and our communications systems. His image of a “cyber Pearl Harbor” does not instill confidence in a nation still so visibly shaken by Sept. 11.
What should we do? While there isn’t an easy answer, it seems there are a few logical suggestions. First, reduce the amount of information collected on each citizen. When an individual’s data are stored in several different insecure federal databases, it increases the likelihood that his personal information will fall into the wrong hands. Second, the agencies should heed the remarks that Horn’s committee has now made two years in a row, and secure the data they collect. No one is perfect. But the fact that the National Science Foundation received a “B+” this year indicates that at least one agency has a handle on computer security. Finally, if agencies are failing to protect the information extracted from their own citizens, often in a non‐voluntary way, those who are responsible for the collection should be removed from their positions.
What would happen in private industry if the CEO of a major corporation allowed its client information to remain vulnerable to computer security attacks? Suffice it to say that he would not be around to fail twice.