Letters to the editor
Hold Agencies Accountable for Security
I read Diane Frank's article, "Agencies flunk security review" [FCW,
Nov. 12]. I find it incredible to note that, in general, all federal government
agencies are doing a much worse job dealing with security vulnerabilities
than ever before. Just look at the statistics and it's clear that virtually
every agency is failing to protect critical information. Governmentwide,
agencies have gone from a D-minus to an F, with only one doing better than
However, what I find even worse than the lackluster performance of government
agencies in protecting critical information is the bureaucratic approach
to dealing with it.
The people who need to do more claim, "The reality is that the [chief information
officers] in all these agencies are expected to take money for security
out of hide." At the same time, the people who control the money say, "We
don't believe that simply adding more money will solve the problem." Meanwhile,
the Critical Infrastructure Assurance Office spends more time and money
to develop a method (Project Matrix) to measure something we already
know is horribly wrong.
So while the Office of Management and Budget reviews Government Information
Security Reform Act reports, and the CIAO prepares Project Matrix reports,
critical information continues to be at risk!
You would think that the events of Sept. 11 would awaken everyone to
the real and growing threats to physical and information security. When
will the bureaucrats stop talking and do something? If agencies truly faced
a penalty for failing grades, such as budget restrictions, then you would
see CIOs sitting up and taking notice. Just tell an agency that any grade
below a B will result in a 10 percent across-the-board budget cut, and
watch the feathers fly.
We know we have security problems. Let's stop focusing on grades, reports
and matrices and do something about the problems. Until government agencies
face a hit to their budgets, they are not going to take the security issues
seriously enough to do something about them. Let's stop talking and start
holding people accountable.
Charles Scruggs, President and founder, InfoMediary Associates
Wireless LAN Security Not Easy
Your tutorial on wireless local-area networks ["Networking with no
strings attached," FCW, Nov. 5] leads readers to believe that wireless LANs
can be secured easily. Unfortunately, that's far from true. So-called Wired
Equivalent Privacy (WEP) can be broken in minutes to hours, even using the
128-bit encryption option. Once broken, wireless networks can be used to
steal network access, impersonate other computers on the network and attack
At a minimum, wireless LANs require a firewall between the wireless
access point and the wired network, and encrypted communications on top
of WEP, typically using a virtual private network with IP security protocols.
Firewalls and VPNs significantly increase the cost of installing and operating
a wireless LAN, and the VPN encryption will significantly reduce the throughput
of the wireless LAN.
The wireless LAN industry is scrambling to design a successor to WEP,
and existing equipment might not be easily upgraded. Please check security
claims thoroughly before publishing information that could mislead your
Rex Sanders, U.S. Geological Survey, Menlo Park, Calif.
Patience in Hiring
For too long, the federal government, like many parts of industry, has
been lax in making sure that all workers have a thorough security background
check. Hiring skilled information technology professionals requires patience
in the hiring process even if you need that person today. I cannot impress
upon you enough how "wonderful" a programmer could look on paper, compared
to what you find when you dig a little deeper.
Most of our industry assumes that contract workers have been thoroughly
checked out by contracting firms. Well, we have seen at our nation's airports
what happens when contracting firms are left with that responsibility.
Background checks cost money. And most employers overlook this necessary
tool, or human resources professionals in their haste neglect this important
part of the process.
Everyone knows that the weakest link is behind the security machine.
As a former airline employee in human resources, I am deeply concerned that
federalizing baggage screeners without a lengthy security check would be
a grave mistake, as would maintaining contract employees on a government
Mari Glass, SunGard Pentamation Inc.