May 24, 2006 (03:05 PM EDT)
Analyst: VA Data Loss No Surprise

Read the Original Article at InformationWeek

When the Department of Veterans Affairs admitted earlier this week that it had lost 26.5 million veteran identities, it only confirmed what everyone knew, said an analyst Wednesday: the agency is at least a decade behind private business in how it cares for data.

Monday, Veterans Affairs (VA) disclosed that the data, which included Social Security numbers of the millions of vets and some of their spouses, had been taken home by an employee, where it was stolen in a burglary.

The government is at least a decade behind the private sector in data security, says a Gartner research vice president.

"The VA has had [security] issues for years."

Litan's right. According to the annual grading cards filed to Congress by the chief information officers and inspector generals of the biggest federal agencies, the VA has drawn an "F" in 4 of the last 5 years. (The only non-failing grade was a "C" given in 2003.)

Overall, the federal government received a D+ on its 2005 efforts to lock down its data and secure its infrastructure from attack.

"There's a strong connection between the VA's poor score and this incident," Litan said. "Frankly, there's no reason someone should be able to carry home this much data, and unencrypted at that."

The cause-and-effect -- poorly-monitored data rules at the VA that allowed a mid-level employee to walk out the door armed with millions of Social Security numbers -- shows that even in business practices, government lags behind the business.

In technology, it's just as far back. "Security is a low-priority budget item," said Litan.

And the loss of so many Social Security numbers, she added, should be the straw that breaks the camel's back. "We need to stop relying on Social Security numbers as an identifier," said Litan. "More than 10 percent of [all] Social Security numbers have already been compromised. Rather than use these unreliable numbers as a sole identifier, private enterprise and government both should move to an identity scoring system."

That system, similar to the methods used to detect credit card fraud, pools numerous parameters -- from address and shopping habits to bill paying histories and the origins of credit applications -- to create "scores" that determine the likelihood of identities being legitimate.

"Citibank's using a form of this to determine the identity of people applying for a credit card," Litan said.

On the bright side of the VA debacle, however, she's convinced that the chance of the stolen identities being used is very low.

"Burglars usually aren't the brightest bunch," she said. "He probably didn't even know what he had. If he had, he wouldn't be a burglar, he'd be a cyber crook."

Research shows, Litan added, that there's less than a 1 percent chance that an identity on stolen hardware will be put to malicious use. "These vets aren't in any danger."

And although VA Secretary Jim Nicholson has taken a beating in the press and at the hands of Congress -- Tuesday Sen. Patrick Leahy (D-Vt.) called for President Bush to bring Nicholson "into the woodshed" -- the delay in reporting the loss may have actually been a good thing, said Litan.

"It's likely the burglar has already gotten rid of the laptop," she said. If he'd known the value of the contents of the data, she theorized, he would have sold it, not just the hardware. Stolen notebooks are usually cleansed of their data before they're sold.

Nicholson himself has raged at the delay in internally reporting the theft, which reportedly took place on May 3. He said he was first notified of the data loss nearly two weeks later, on May 16. The VA went public on Monday, May 22, three weeks after the burglary.

He has directed the agency's acting inspector general, Jon Wooditch, to press the investigation. "We are engaged in a very extensive review of individuals up and down the chain of command," Nicholson said Wednesday in a statement.

In a written briefing submitted to Congress this week, Wooditch noted that his office had warned the VA every year since 2001 about "material weaknesses" in the department's access control procedures and the overall state of its information security.

The briefing also cited vulnerabilities at the VA that ranged from unpatched operating systems and weak passwords to a lack of strong data loss detection alerts.

Ironically, the head of the VA's IT department, Assistant Secretary for Information and Technology Robert McFarland, left the agency last week. McFarland, a former executive with Dell and an Army veteran who served a tour in South Vietnam in 1964, was appointed to the post in 2003 by President Bush.