Responsible reporting on cybersecurity
A couple of readers raised objections to the story "GAO finds Census Bureau vulnerable to cyberattack."
One reader wondered: Is this responsible reporting? Should these vulnerabilities be broadcast where anyone could read them?
Camille Tuutti responds: All GAO reports are publicly available and frequently covered by FCW and other news outlets. It would be irresponsible if reporters did not call attention to shortcomings and covered only positive news. Also, I would be surprised if some of these problems have not been solved already; according to the report, the Commerce Department, under which Census falls, said it would find the best way to address the issues. (In total, GAO made 13 recommendations to the Census Bureau to enhance its information security program and in a separate report with limited distribution, an additional 102 recommendations.)
Another commenter wrote: This article lacks specifics or context. It looks like Ms. Tuutti is saying that the Census Bureau does not have any IT security in place at all. That is not what the GAO report actually says. I think this story needs to be clarified with actual facts and less hyperbole.
Camille Tuutti responds: I would not call it hyperbole. What I wrote and concluded is the gist of the GAO report: That Census needs to address these weaknesses or it will continue being vulnerable to intrusion, data loss, etc. Although GAO said Census has made some progress, it still struggles with having adequate security in place. The main problem that GAO found, and which I pointed out, is that the bureau does not have a comprehensive information security program to ensure controls are effectively set and maintained. The lack of such a program has led to various problems, including who or what has access to the bureau's systems. Census did not adequately control connectivity to key network devices and servers or identify and authenticate users. The bureau also failed to encrypt data, monitor systems and network or ensure appropriate physical security controls were implemented. These were not the only problems, however. What I did not include in my story is that GAO also found the bureau only partially satisfied requirements for contingency planning. According to GAO, "without an effective and complete contingency plan, an agency's likelihood of recovering its information and systems in a timely manner is diminished."
Posted by Camille Tuutti on Feb 21, 2013 at 8:19 AM