TheConversation


Responsible reporting on cybersecurity


A couple of readers raised objections to the story "GAO finds Census Bureau vulnerable to cyberattack."

One reader wondered: Is this responsible reporting? Should these vulnerabilities be broadcast where anyone could read them?

Camille Tuutti responds: All GAO reports are publicly available and frequently covered by FCW and other news outlets. It would be irresponsible if reporters did not call attention to shortcomings and covered only positive news. Also, I would be surprised if some of these problems have not been solved already; according to the report, the Commerce Department, under which Census falls, said it would find the best way to address the issues. (In total, GAO made 13 recommendations to the Census Bureau to enhance its information security program and in a separate report with limited distribution, an additional 102 recommendations.)

Another commenter wrote: This article lacks specifics or context. It looks like Ms. Tuutti is saying that the Census Bureau does not have any IT security in place at all. That is not what the GAO report actually says. I think this story needs to be clarified with actual facts and less hyperbole.

Camille Tuutti responds: I would not call it hyperbole. What I wrote and concluded is the gist of the GAO report: That Census needs to address these weaknesses or it will continue being vulnerable to intrusion, data loss, etc. Although GAO said Census has made some progress, it still struggles with having adequate security in place. The main problem that GAO found, and which I pointed out, is that the bureau does not have a comprehensive information security program to ensure controls are effectively set and maintained. The lack of such a program has led to various problems, including who or what has access to the bureau's systems. Census did not adequately control connectivity to key network devices and servers or identify and authenticate users. The bureau also failed to encrypt data, monitor systems and network or ensure appropriate physical security controls were implemented. These were not the only problems, however. What I did not include in my story is that GAO also found the bureau only partially satisfied requirements for contingency planning. According to GAO, "without an effective and complete contingency plan, an agency's likelihood of recovering its information and systems in a timely manner is diminished."

Posted by Camille Tuutti on Feb 21, 2013 at 12:10 PM



Reader comments

Fri, Feb 22, 2013

Truth be known, what agency or department would not struggle to meet the lofty goals set by the GAO or another audit agency? Auditors are paid to find issues. It seems the goal is checklist-based security, which is anything but secure. The proof is in the doing. Did they find evidence of compromise? And while it is public information now, publishing the info provides information to attackers. Making the information public in the first place is the issue.
