Letters to the editor

Hold Agencies Accountable for Security

I read Diane Frank's article, "Agencies flunk security review" [FCW, Nov. 12]. I find it incredible to note that, in general, all federal government agencies are doing a much worse job dealing with security vulnerabilities than ever before. Just look at the statistics and it's clear that virtually every agency is failing to protect critical information. Governmentwide, agencies have gone from a D-minus to an F, with only one doing better than a C.

However, what I find even worse than the lackluster performance of government agencies in protecting critical information is the bureaucratic approach to dealing with it. The people who need to do more claim, "The reality is that the [chief information officers] in all these agencies are expected to take money for security out of hide." At the same time, the people who control the money say, "We don't believe that simply adding more money will solve the problem." Meanwhile, the Critical Infrastructure Assurance Office spends more time and money to develop a method (Project Matrix) to measure something we already know is horribly wrong.

So while the Office of Management and Budget reviews Government Information Security Reform Act reports, and the CIAO prepares Project Matrix reports, critical information continues to be at risk!

You would think that the events of Sept. 11 would awaken everyone to the real and growing threats to physical and information security. When will the bureaucrats stop talking and do something? If agencies truly faced a penalty for failing grades, such as budget restrictions, then you would see CIOs sitting up and taking notice. Just tell an agency that any grade below a B will result in a 10 percent across-the-board budget cut, and watch the feathers fly.

We know we have security problems. Let's stop focusing on grades, reports and matrices and do something about the problems. Until government agencies face a hit to their budgets, they are not going to take the security issues seriously enough to do something about them. Let's stop talking and start holding people accountable.

Charles Scruggs, President and founder, InfoMediary Associates

Wireless LAN Security Not Easy

Your tutorial on wireless local-area networks ["Networking with no strings attached," FCW, Nov. 5] leads readers to believe that wireless LANs can be secured easily. Unfortunately, that's far from true. So-called Wired Equivalent Privacy (WEP) can be broken in minutes to hours, even using the 128-bit encryption option. Once broken, wireless networks can be used to steal network access, impersonate other computers on the network and attack other resources.

At a minimum, wireless LANs require a firewall between the wireless access point and the wired network, and encrypted communications on top of WEP, typically using a virtual private network with IP security protocols. Firewalls and VPNs significantly increase the cost of installing and operating a wireless LAN, and the VPN encryption will significantly reduce the throughput of the wireless LAN.

The wireless LAN industry is scrambling to design a successor to WEP, and existing equipment might not be easily upgraded. Please check security claims thoroughly before publishing information that could mislead your readers.

Rex Sanders, U.S. Geological Survey, Menlo Park, Calif.

Patience in Hiring

For too long, the federal government, like many parts of industry, has been lax in making sure that all workers have a thorough security background check. Hiring skilled information technology professionals requires patience in the hiring process even if you need that person today. I cannot impress upon you enough how "wonderful" a programmer could look on paper, compared to what you find when you dig a little deeper.

Most of our industry assumes that contract workers have been thoroughly checked out by contracting firms. Well, we have seen at our nation's airports what happens when contracting firms are left with that responsibility.

Background checks cost money. And most employers overlook this necessary tool, or human resources professionals in their haste neglect this important part of the process.

Everyone knows that the weakest link is behind the security machine. As a former airline employee in human resources, I am deeply concerned that federalizing baggage screeners without a lengthy security check would be a grave mistake, as would maintaining contract employees on a government network.

Mari Glass, SunGard Pentamation Inc.

