TheConversation

Responsible reporting on cybersecurity

A couple of readers raised objections to the story "GAO finds Census Bureau vulnerable to cyberattack."

One reader wondered: Is this responsible reporting? Should these vulnerabilities be broadcast where anyone could read them?

Camille Tuutti responds: All GAO reports are publicly available and frequently covered by FCW and other news outlets. It would be irresponsible if reporters did not call attention to shortcomings and covered only positive news. Also, I would be surprised if some of these problems have not been solved already; according to the report, the Commerce Department, under which Census falls, said it would find the best way to address the issues. (In total, GAO made 13 recommendations to the Census Bureau to enhance its information security program and in a separate report with limited distribution, an additional 102 recommendations.)

Another commenter wrote: This article lacks specifics or context. It looks like Ms. Tuutti is saying that the Census Bureau does not have any IT security in place at all. That is not what the GAO report actually says. I think this story needs to be clarified with actual facts and less hyperbole.

Camille Tuutti responds: I would not call it hyperbole. What I wrote and concluded is the gist of the GAO report: That Census needs to address these weaknesses or it will continue being vulnerable to intrusion, data loss, etc. Although GAO said Census has made some progress, it still struggles with having adequate security in place. The main problem that GAO found, and which I pointed out, is that the bureau does not have a comprehensive information security program to ensure controls are effectively set and maintained. The lack of such a program has led to various problems, including who or what has access to the bureau's systems. Census did not adequately control connectivity to key network devices and servers or identify and authenticate users. The bureau also failed to encrypt data, monitor systems and network or ensure appropriate physical security controls were implemented. These were not the only problems, however. What I did not include in my story is that GAO also found the bureau only partially satisfied requirements for contingency planning. According to GAO, "without an effective and complete contingency plan, an agency's likelihood of recovering its information and systems in a timely manner is diminished."

Posted by Camille Tuutti on Feb 21, 2013 at 12:10 PM

