TheConversation

Blog archive

Responsible reporting on cybersecurity

cyber attack button

A couple of readers raised objections to the story "GAO finds Census Bureau vulnerable to cyberattack."

One reader wondered: Is this responsible reporting? Should these vulnerabilities be broadcast where anyone could read them?

Camille Tuutti responds: All GAO reports are publicly available and frequently covered by FCW and other news outlets. It would be irresponsible if reporters did not call attention to shortcomings and covered only positive news. Also, I would be surprised if some of these problems have not been solved already; according to the report, the Commerce Department, under which Census falls, said it would find the best way to address the issues. (In total, GAO made 13 recommendations to the Census Bureau to enhance its information security program and in a separate report with limited distribution, an additional 102 recommendations.)

Another commenter wrote: This article lacks specifics or context. It looks like Ms. Tuutti is saying that the Census Bureau does not have any IT security in place at all. That is not what the GAO report actually says. I think this story needs to be clarified with actual facts and less hyperbole.

Camille Tuutti responds: I would not call it hyperbole. What I wrote and concluded is the gist of the GAO report: That Census needs to address these weaknesses or it will continue being vulnerable to intrusion, data loss, etc. Although GAO said Census has made some progress, it still struggles with having adequate security in place. The main problem that GAO found, and which I pointed out, is that the bureau does not have a comprehensive information security program to ensure controls are effectively set and maintained. The lack of such a program has led to various problems, including who or what has access to the bureau'’s systems. Census did not adequately control connectivity to key network devices and servers or identify and authenticate users. The bureau also failed to encrypt data, monitor systems and network or ensure appropriate physical security controls were implemented. These were not the only problems, however. What I did not include in my story is that GAO also found the bureau only partially satisfied requirements for contingency  planning. According to GAO, "without an effective and complete contingency plan, an agency'’s likelihood of recovering its information and  systems in a timely manner is diminished."

Posted by Camille Tuutti on Feb 21, 2013 at 12:10 PM


Rising Stars

Meet 21 early-career leaders who are doing great things in federal IT.

Featured

  • SEC Chairman Jay Clayton

    SEC owns up to 2016 breach

    A key database of financial information was breached in 2016, possibly in support of insider trading, said the Securities and Exchange Commission.

  • Image from Shutterstock.com

    DOD looks to get aggressive about cloud adoption

    Defense leaders and Congress are looking to encourage more aggressive cloud policies and prod reluctant agencies to embrace experimentation and risk-taking.

  • Shutterstock / Pictofigo

    The next big thing in IT procurement

    Steve Kelman talks to the agencies that have embraced tech demos in their acquisition efforts -- and urges others in government to give it a try.

  • broken lock

    DHS bans Kaspersky from federal systems

    The Department of Homeland Security banned the Russian cybersecurity company Kaspersky Lab’s products from federal agencies in a new binding operational directive.

  • man planning layoffs

    USDA looks to cut CIOs as part of reorg

    The Department of Agriculture is looking to cut down on the number of agency CIOs in the name of efficiency and better communication across mission areas.

  • What's next for agency cyber efforts?

    Ninety days after the Trump administration's executive order, FCW sat down with agency cyber leaders to discuss what’s changing.

Reader comments

Fri, Feb 22, 2013

Truth be known, what agency or department would not struggle to meet the lofty goals set by the GAO or other audit agency. Auditors are paid to find issues. It seems the goal is checklist based security, which is anything but secure. The proof is in the doing. Did they find evidence of compromise? And while it is public information now, publishing the info provides information to attackers. Making the information public in the first place is the issue.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group