Earlier this month the Federal Aviation Administration became the latest in a long line of agencies and companies that have had data hacked into and/or stolen. It announced that "the personally identifiable information of more than 45,000 employees and retirees was stolen electronically.(As an aside, the FCW headline said that a "massive" data breach had occurred. It makes me wonder what the journalistic levels are for this terminology. At what number does it become a "massive" breach? I suggest the following terminology levels:
- 1- 99 "Human error."
- 100 - 751 "Trend-setting."
- 752 - 5,499 "Noticeable."
- 5,500 - 10,000 "Knocking on problem's door."
- 10,001 - 24,999 "someone's bound to hear about this."
- 25,000 - 39,999 "Typical."
- 40,000 - 74,999 "Massive."
- 75,000 - 125,000 "There's no such thing as bad publicity, right?"
- 125,001 - 250,000 "I'll call the press just as soon as I update my Monster.com profile."
- 250,001 - 750,000 "I'm not telling. You tell."
- 750,001 - 999,999 "Thank goodness we have a form letter for this."
- 1,000,000 - 10,000,000 "What's the record?"
- 10,000,001 - 50,000,000 "Can we get a book deal?"
- More than 50,000,000 "Do you think California will be mad?"
I was all prepared to write a sarcastic piece on this breach. I was ready to put on my school teacher's hat and play another version of the "Why aren't these people practicing commonly acknowledged security measures?" lecture. I had prepared a concept to make anyone losing data look foolish. I had lined up quotes taken out of context. I was poised to shoot fish in a barrel.
This snark tour de force was written and ready to ship earlier this week. I like to wait one more day before sending it out, in order to give myself 24 hours to look at it again and clean up the numerous mistakes in logic and spelling I normally accumulate in a short space, or come to my senses. In the meantime, I did some reading.
I draw cartoons for a couple of technology publications. In order to educate myself on possible cartoon subjects, I spend several hours reading whatever I can find on the topics. This week, while reading the various tech journalism outlets and waiting to send out the blog entry, a couple items caught my eye.
- Federal Computer Week ran a follow-up on the FAA data breach situation.
- In the course of checking out my usual outlets, I found stories covering at least a half dozen breaches -- in both the federal and private sectors -- this week alone, with remnants and follow-ups on three or four other breaches. In short, data breaches aren't the isolated incidents they used to be. In addition, to ridicule them -- as entertaining as that can be -- is simplistic and doesn't nearly acknowledge the depth of the problem, or the efforts of those addressing it. (As a working cartoonist, I will deny ever having made that statement. The editors added it. And this.)
In particular, the FCW article fleshed out the issue with points that can be applied to all data breaches. In particular, this line: "A new report from the Homeland Security Department's U.S. Computer Emergency Readiness Team (US-CERT) adds even more fuel to the fire. The report listed 18,050 cybersecurity incidents in agencies in fiscal 2008, compared to 5,144 in fiscal 2006."
The piece goes on to point out that the increase in reported attacks has a couple of angles to it. Is there really an increase? Or better discovery and reporting by those attacked? There may have been 18,000 attacks -- according to my chart, this would be headlined as a "someone's bound to hear about this" number -- in 2006, but the available security detection technology, combined with the fear of bad publicity, allowed only 5,000 ("noticeable") to be reported. The truth is probably somewhere in between, but I don't think anyone would argue that there aren't many more data attacks occurring today. Everybody is vulnerable, despite their best security efforts. Heck, the FAA's systems' security is so highly regarded that OMB chose it to be one of four agencies to help other agencies with their cybersecurity efforts. And they just had 45,000 names hit. (In a future snark piece, I will work up the recognition one receives based on the size of the security breach. e.g., 40,000 - 49,999, you get to advise other agencies, 50,000 - 74,999, you get named the cybersecurity czar, etc.)
The bottom line is that every computer system is under attack, and even vulnerable, despite the best security measures. Based on my own highly unscientific and even more highly anecdotal count, the vast majority of us have experienced a data theft in one way or another.
There are some legitimate complaints, however. The FAA, other than notifying authorities, was mum, waiting a week to notify those affected. As someone who has experienced several data breaches I can empathize with employees who receive little to no information and await communication from those supposedly charged with protecting that information. At the least, please realize I'm going to have to spend my time replacing information, so acknowledge that; don't add to my work by making me have to chase you down for the smallest tidbit of information. If I can go back to my snarky opus, why is everything about a data breach high tech, 24/7, etc., and the organization responds with...a good old-fashioned letter? What, the Pony Express wasn't available? The FAA also used Social Security numbers as identification. If we're going to acknowledge that data attacks are ever present, it's probably not a good idea to leave skeleton keys laying about.
I'm also a little uncomfortable with one point of the FAA's defense. It was mentioned in the follow-up reports:
"The IT and security shop did it right," he said. "They couldn't stop all attacks, but they, unlike most agencies, actually found the problem. The user groups, on the other hand, had some files with personally identifiable information left in a vulnerable location.
In other words, it's the users who have a problem, not us.
You're only as strong as your weakest link, guys, and something tells me that, as a fed agency, you're going to have a wide variety of user groups with a wide variety of systems and security practices. It's going to be a long road getting everyone on the same security page, so please don't start by throwing bombs at the folks whose data you're storing. We're all on the same team here.
But this is going to be really hard for us snarkers.
Posted by John Klossner on Mar 03, 2009 at 12:18 PM0 comments
In the past few weeks I have encountered a variety of technology-related problems. At the risk of boring you, it goes like this:
The battery on my laptop started acting strange. The machine would turn off even though the battery claimed to be 50-65 percent full. It is a little over two-year-old battery, with much fewer cycles than the claimed lifetime of the battery. I found a chat room on the Apple site (LINK BELOW) (I'm a Mac user) that fully recognized and described the same troubles I was experiencing. The discussion also claimed that in some cases Apple would replace the faulty battery for free. When I took the laptop into my local Mac dealer, a place where I have done frequent business, the clerk and store manager wouldn't even listen to my story -- once they heard my described symptoms, they immediately declared that I needed a new battery. When I told them about the discussion online, they acted as if they hadn't heard me, and repeated that I needed a new battery. I went home and called Apple support, which did know of the problem I described. They looked up the serial number of my machine and battery, and then told me that my battery was not among those listed that would have been replaced. I bought a new battery.
I received a new cell phone for Christmas. The volume switch on my new phone did not work, so I returned to the point of purchase. They told me that they had no replacement models in the store but that it would be no problem - they would order another phone. When I did not hear from them for a week, I stopped in the store again. The manager (who stayed in his office, relaying these messages through the clerk at the counter) told me that this model had been discontinued, (Maybe the entire line had faulty volume switches?) and that my choices were to upgrade or let them call other stores seeing if they could find some back stock of these phones. This phone was a fairly recent model, and I liked it, so I asked them to look around for other phones. When I did not hear from them for another week, I stopped by the store again. This time the manager came out of his office to tell me "Oh, I'm sorry. I forgot to make that call. I dropped the ball." (While refreshing in its honesty, this is not something you want to hear from someone you're doing business with.) Not being savvy on how to get out of wireless contracts, being able to use my volume-limited phone in the meantime, and having this store en route of my daily errands, I chose to give him another chance. When I made my stop the next week (funny, for a phone store they don't seem to make many calls) the manager told me that he could find no phones. Being a borderline Luddite and not wanting to a) spend on another model or b) have to spend too much time learning another phone (as an aside, I have avoided the cell phone lifestyle up until this phone. It's another story.) I asked him what he suggested. He then told me of an option where I contact AT&T (the provider) and they can do something called a "warranty swap." This involves them sending me a refurbished phone in the same model, and I send them my faulty phone. The only risk here, kind of like buying a used car, is not knowing what the refurbished phone's history was. I took the chance, thinking that a) the refurbished phone may have had a tiny problem, like a non-working volume switch, and b) this new phone had certainly received a lot of attention. I promise to declare in a future blog entry if I made a terrible mistake. As of now I am awaiting delivery of the new phone, after which I will take it to the store to have the transfers of my data completed. (NOTE: Since starting this blog entry, I have received the replacement phone. The camera didn't work. Oops. I contacted AT&T and they were very nice and put another replacement phone in the mail. I am wondering whether I have gone through enough to be able to legally say I am now in a Kafkaesque technology experience.) (ADDITIONAL NOTE: I have received the second replacement phone. It is in perfect working order.)
On Super Bowl Sunday, I noticed that I hadn't received any e-mail. At the time I was glad to take a day away from e-mail and I figured, it being Super Bowl Sunday, that maybe the world had gone offline for a day, something I aspire to and occasionally pull off. When I went online Monday morning, I still had no e-mail. For me to have no e-mail two days in a row would require an event larger than even the Super Bowl. It would mean either the end of civilization (and spamming) as we know it, or that something was wrong with my computer. Since having former New York Giants linebacker Lawrence Taylor on "Dancing With the Stars" (LINK BELOW) is probably the end of civilization as we know it, I thought I'd check the second option, just to eliminate all possibilities. I went to my ISP's site, where I can check my e-mail when I have problems. (I was able to get online; I was just not receiving mail.) From the ISP site I was reminded that my former telecommunications provider, Verizon, had in the past year sold its Northern New England (Maine, New Hampshire and Vermont) accounts to Fairpoint Communications. Fairpoint has been our local telephone provider for several months now, and they had chosen Feb. 1 to move all the data from the Verizon systems they had been using to their own systems. On my end, this meant I had to enter new settings to my computers' mail accounts. In their defense, Fairpoint had sent out a mailer describing this transfer, including the necessary settings, in December. Being a 21st century English-speaking American male who believes that all information is at our fingertips all the time, I noted on the mailer that this wasn't happening for a couple months, and I would be able to look up the settings at that time. I then "lost" (either threw out or put in one of the many piles of paper in my non-paperless office) the mailer.
Verizon had a link to the Fairpoint site. The link was dead. When I went to the Fairpoint site independently, I found no working links to webmail or the information I was looking for. There was a page of phone numbers, however. I called the customer support number. It was busy. I figured okay, they probably have a few people with problems, I'll try again. (Over the next 48 hours, I tried that number no fewer than 25 times. It was always busy. Isn't it required by law that any telecommunications provider have a maze of automated options before telling you that an operator will be with you in 25 minutes?) After some frustration had built - I knew what I needed, I just couldn't find it - I started calling other numbers on Fairpoint's page. One operator told me she was sorry - the phones had been ringing off the hook and even she couldn't get ahold of anyone in technical support. A later operator was much snippier and told me that they "are going through a major transfer. I'll just have to be patient." Well, that helps. I'm sure they won't have difficulties billing me for these days. One person (it was in sales, I believe) offered another URL for me to look into. (She told me a caller had informed her of this page.) This URL wasn't linked from the main page, but it did offer a live chat link. I entered it and -- voila!, -- I was told that I was in a queue, and would be talking with someone in five minutes. After the four and a half minute wait, I was told that I was next. I was then told that the live chat was not operating that day. (See? That's how telecommunications works!)
I then called my state's Public Utilities Commission. I spoke with a person with excellent listening skills who told me that she would call her contact at Fairpoint and get back to me. She called an hour later to give me a phone number and URL. These were the customer support number and the live chat URL. Later that day, Fairpoint had put up a page with the necessary mail account server settings -- the info I had been looking for all along -- and I was able to set up and receive my e-mail. (I just looked up the Fairpoint site again and noticed they had put a link to these settings on their home page. Wouldn't that have been one of the first things you should've done, when scheduling a systems transfer six months down the road?)
I share this technology trifecta not to relive the stress, nor to offer an insight into my mishandling (and I'm sure there's much) of these situations. The time spent listening to busy signals and waiting for web pages to load allowed me to reflect on the thread in each of these situations - lack of communications. While I can point to problems in each company's handling of these situations, better communications - and, specifically, better listening - on their parts would have alleviated much of the trouble. I didn't feel heard by any of the parties involved. The local Mac store could have listened to the research I had done, and discovered for themselves that Apple had, in fact, declared some batteries faulty and replaced them. When the Apple technician acknowledged this, even though my battery didn't qualify, I felt satisfied in the resolution. The AT&T store would not have told me anything had I not stopped in each week to check up on the situation. I certainly didn't feel listened to there. And the Fairpoint systems transfer? - that speaks for itself. AT BEST they were unprepared for the magnitude of the transfer. (Based on this and other service experiences I have had with them, I don't look forward to having my phone and internet service reliant on their growing pains.) This went beyond not being listened to -- this felt like being avoided.
You could argue that being listened to wouldn't have necessarily solved my problems, and I would agree. Maybe being listened to would have merely been a symbolic gesture to placate me while they continued to ignore the specifics of my problem. Perhaps, but in this climate I think it is important to a) use all available resources in problem-solving, which may mean including the off-base experiences of your customers / users, and b) keep your customer / user base satisfied. If they felt heard, this would prevent them from taking their business elsewhere.
This brings us to the president's smart phone. I have found the hubbub over this piece of equipment to be silly. Does anyone really think someone with the discipline necessary to survive the national primary and election process and who is surrounded by advisors and security personnel is itching to sneak away so he can drop state secrets on his handheld to his old college roommate? Please. Besides, since he is the first president to go through this scrutiny about his PDA, it makes me think that not too many other world leaders have smart phones either, making it less likely that high security topics would be shared, should he be texting another head of state. No, I think this falls into the symbolism I mentioned earlier. If the president's smart phone was taken away, it would give the appearance of not communicating, wouldn't it? Even if he sends out an "I thought you'd be interested in this" a couple times a day, it gives the appearance that he's communicating.
That said, is the president's smart phone even a legitimate piece of equipment? Between running the country, making numerous public appearances, and having family time he probably has about 15 minutes to send off a couple YouTube links. (LINK BELOW) This handheld screams of "symbolic." Nevertheless, it allows me some fantasizing…
If I were a political cynic, I'd ask if it's possible that the president's smart phone has better security than several East Coast ports.
Which would be the bigger "get": a picture of the president on his smart phone or with a cigarette?
If you were one of the persons given access to the president's handheld device, what could you possibly send? Is there any privacy here? I imagine a scene where you have to get clearance before sending updates on the Cubs' chances in 2009. (LINK BELOW)
There was an old comedy routine -- I believe during the Ford administration -- which relied on the running joke of "...Secret Service agents jumped on the offending _______ and wrestled it/them to the ground." This started with human characters filling in the blank, but got humor out of inanimate objects - "The president was hit on the head by a tree branch today. Secret Service agents jumped on the offending branch and wrestled it to the ground. The President poked himself in the eye with his thumb today. Secret Service agents jumped on the offending thumb and wrestled it to the ground." This joke can now be resurrected to include the smart phone.
Of course, there's always the chance that he's dealing with one of my suppliers, in which case we know the smart phone isn't working properly.
LINKS:"chat room on the Apple site" former NY GIants linebacker Lawrence Taylor on "Dancing With the Stars"YouTube linksCubs' chances in 2009
Posted by John Klossner on Feb 12, 2009 at 12:18 PM1 comments
My daughter once came home from her elementary school to tell us how embarrassed she was because that day someone was speaking to her class about careers and asked everyone whose parents went to a workplace to raise their hands, leaving my daughter as the only student with her arms by her sides.
We'd like our children not to be ostracized at school, but we also like working at home. I have not gone to a workplace for anything other than a meeting with a client for over 20 years now, and my wife, who works part time for a federal agency, goes in one day each week, working the rest of her hours from home.
(As an aside, the president works from home, doesn't he? Does that mean that the people who go into a centralized workplace are the exceptions? Or is this merely executive privilege? When asked the same question, are the president's children singled out among their classmates? I've never seen the president with a half-finished bowl of cereal on his desk in the Oval Office, but I assume that's something that's off the record.)
I suppose I can't call myself a telecommuter. I have been working from home since before the term "telecommuting" was coined. I assume that in order to telecommute, you have to be telecommuting from some central office. Also, I would suggest that one of the rules of telecommuting be that you know what the person or people on the other end of the telecommute look like. I rarely know what the people I'm working with look like and, if I do, it is always by accident.
My wife is probably a more official telecommuter. She works part time -- 18 hours -- for a federal agency, half of that from home. When I recently reached her in the kitchen, I was able to ask her a few questions about her fed telecommuting experience.
What are the pluses to your telecommuting experience?
Not having to commute, obviously. The time and money saved by not commuting. Could you pass me the sugar? And the flexibility of being here. There are no interruptions, and I'm able to be more productive.
And the minuses?
I feel out of the loop, but that might be because I'm part time. I think this causes my co-workers not to ask me to do as much, because I'm not there to ask. Communications are harder on my end -- sometimes I can't reach someone I need to talk with as easily as if I could go into their office. Are you going to the store today?
Is lunch better at work or at home?
Much better at work, because I go out to lunch there. I think my office relationships are better from my telecommuting. We make a more concerted effort to connect with each other when I'm in the office. Speaking of which, don't eat that leftover salad in the fridge -- I'm saving it for my lunch.
How has working from home affected your relationships with managers?
I think everyone who works at home feels a sense of guilt by not being at the office. I've always had bosses who understand that productivity is more important than the time clock. I've heard of bosses who are constantly checking in to make sure the workers are at home. Not that I'm not.
I've got you covered.
Can you remove that? I don't want to give the wrong impression. I'm very productive.
I know that. I don't think I should remove it. You have nothing to hide.
No. Seriously. Please remove it.
But then it will seem like this interview is hiding something. I want it to be a truthful experience for the reader.
How can it seem hidden if the piece isn't there to begin with?
This is a very savvy reader group. They can pick up on these things.
C'mon. Please take it out.
No. It will be okay. Trust me.
I'll let you have my leftover salad.
See if you ever get an interview with me again.
I'm sure that I can find another federal employee in a pinch.
Think they'll let you have their salad? Fat chance.
Maybe I should consider going to an office.
You? I'm sure there are all kinds of openings for a cartoonist who watches old Jack Benny clips on YouTube for an hour each day.
That's pretty harmless on the list of potential flaws. Besides, it gives me ideas.
I've got to get to work. See you at lunch.
Can I have this salad?
Posted by John Klossner on Jan 30, 2009 at 12:18 PM3 comments