Letters to the editor

Hold Agencies Accountable for Security

I read Diane Frank's article, "Agencies flunk security review" [FCW, Nov. 12]. I find it incredible to note that, in general, all federal government agencies are doing a much worse job dealing with security vulnerabilities than ever before. Just look at the statistics and it's clear that virtually every agency is failing to protect critical information. Governmentwide, agencies have gone from a D-minus to an F, with only one doing better than a C.

However, what I find even worse than the lackluster performance of government agencies in protecting critical information is the bureaucratic approach to dealing with it. The people who need to do more claim, "The reality is that the [chief information officers] in all these agencies are expected to take money for security out of hide." At the same time, the people who control the money say, "We don't believe that simply adding more money will solve the problem." Meanwhile, the Critical Infrastructure Assurance Office spends more time and money to develop a method (Project Matrix) to measure something we already know is horribly wrong.

So while the Office of Management and Budget reviews Government Information Security Reform Act reports, and the CIAO prepares Project Matrix reports, critical information continues to be at risk!

You would think that the events of Sept. 11 would awaken everyone to the real and growing threats to physical and information security. When will the bureaucrats stop talking and do something? If agencies truly faced a penalty for failing grades, such as budget restrictions, then you would see CIOs sitting up and taking notice. Just tell an agency that any grade below a B will result in a 10 percent across-the-board budget cut, and watch the feathers fly.

We know we have security problems. Let's stop focusing on grades, reports and matrices and do something about the problems. Until government agencies face a hit to their budgets, they are not going to take the security issues seriously enough to do something about them. Let's stop talking and start holding people accountable.

Charles Scruggs, President and founder, InfoMediary Associates

Wireless LAN Security Not Easy

Your tutorial on wireless local-area networks ["Networking with no strings attached," FCW, Nov. 5] leads readers to believe that wireless LANs can be secured easily. Unfortunately, that's far from true. So-called Wired Equivalent Privacy (WEP) can be broken in minutes to hours, even using the 128-bit encryption option. Once broken, wireless networks can be used to steal network access, impersonate other computers on the network and attack other resources.

At a minimum, wireless LANs require a firewall between the wireless access point and the wired network, and encrypted communications on top of WEP, typically using a virtual private network with IP security protocols. Firewalls and VPNs significantly increase the cost of installing and operating a wireless LAN, and the VPN encryption will significantly reduce the throughput of the wireless LAN.

The wireless LAN industry is scrambling to design a successor to WEP, and existing equipment might not be easily upgraded. Please check security claims thoroughly before publishing information that could mislead your readers.

Rex Sanders, U.S. Geological Survey, Menlo Park, Calif.

Patience in Hiring

For too long, the federal government, like many parts of industry, has been lax in making sure that all workers have a thorough security background check. Hiring skilled information technology professionals requires patience in the hiring process even if you need that person today. I cannot impress upon you enough how "wonderful" a programmer could look on paper, compared to what you find when you dig a little deeper.

Most of our industry assumes that contract workers have been thoroughly checked out by contracting firms. Well, we have seen at our nation's airports what happens when contracting firms are left with that responsibility.

Background checks cost money. And most employers overlook this necessary tool, or human resources professionals in their haste neglect this important part of the process.

Everyone knows that the weakest link is behind the security machine. As a former airline employee in human resources, I am deeply concerned that federalizing baggage screeners without a lengthy security check would be a grave mistake, as would maintaining contract employees on a government network.

Mari Glass, SunGard Pentamation Inc.

