Letters to the editor

Hold Agencies Accountable for Security

I read Diane Frank's article, "Agencies flunk security review" [FCW, Nov. 12]. I find it incredible to note that, in general, all federal government agencies are doing a much worse job dealing with security vulnerabilities than ever before. Just look at the statistics and it's clear that virtually every agency is failing to protect critical information. Governmentwide, agencies have gone from a D-minus to an F, with only one doing better than a C.

However, what I find even worse than the lackluster performance of government agencies in protecting critical information is the bureaucratic approach to dealing with it. The people who need to do more claim, "The reality is that the [chief information officers] in all these agencies are expected to take money for security out of hide." At the same time, the people who control the money say, "We don't believe that simply adding more money will solve the problem." Meanwhile, the Critical Infrastructure Assurance Office spends more time and money to develop a method (Project Matrix) to measure something we already know is horribly wrong.

So while the Office of Management and Budget reviews Government Information Security Reform Act reports, and the CIAO prepares Project Matrix reports, critical information continues to be at risk!

You would think that the events of Sept. 11 would awaken everyone to the real and growing threats to physical and information security. When will the bureaucrats stop talking and do something? If agencies truly faced a penalty for failing grades, such as budget restrictions, then you would see CIOs sitting up and taking notice. Just tell an agency that any grade below a B will result in a 10 percent across-the-board budget cut, and watch the feathers fly.

We know we have security problems. Let's stop focusing on grades, reports and matrices and do something about the problems. Until government agencies face a hit to their budgets, they are not going to take the security issues seriously enough to do something about them. Let's stop talking and start holding people accountable.

Charles Scruggs, President and founder, InfoMediary Associates

Wireless LAN Security Not Easy

Your tutorial on wireless local-area networks ["Networking with no strings attached," FCW, Nov. 5] leads readers to believe that wireless LANs can be secured easily. Unfortunately, that's far from true. So-called Wired Equivalent Privacy (WEP) can be broken in minutes to hours, even using the 128-bit encryption option. Once broken, wireless networks can be used to steal network access, impersonate other computers on the network and attack other resources.

At a minimum, wireless LANs require a firewall between the wireless access point and the wired network, and encrypted communications on top of WEP, typically using a virtual private network with IP security protocols. Firewalls and VPNs significantly increase the cost of installing and operating a wireless LAN, and the VPN encryption will significantly reduce the throughput of the wireless LAN.

The wireless LAN industry is scrambling to design a successor to WEP, and existing equipment might not be easily upgraded. Please check security claims thoroughly before publishing information that could mislead your readers.

Rex Sanders, U.S. Geological Survey, Menlo Park, Calif.

Patience in Hiring

For too long, the federal government, like many parts of industry, has been lax in making sure that all workers have a thorough security background check. Hiring skilled information technology professionals requires patience in the hiring process even if you need that person today. I cannot impress upon you enough how "wonderful" a programmer could look on paper, compared to what you find when you dig a little deeper.

Most of our industry assumes that contract workers have been thoroughly checked out by contracting firms. Well, we have seen at our nation's airports what happens when contracting firms are left with that responsibility.

Background checks cost money. And most employers overlook this necessary tool, or human resources professionals in their haste neglect this important part of the process.

Everyone knows that the weakest link is behind the security machine. As a former airline employee in human resources, I am deeply concerned that federalizing baggage screeners without a lengthy security check would be a grave mistake, as would maintaining contract employees on a government network.

Mari Glass, SunGard Pentamation Inc.
