Here we go again. Sensitive, personal information stolen -- and the files weren't encrypted. The negligent organization this time? NASA. Yes, the very same NASA that defeated a legal challenge last year to intrusive background checks, based in part on privacy concerns:
Justice Alito said that the plaintiffs' privacy concerns should be allayed because the Privacy Act imposes strict restrictions on how the government could use the information it obtained.
Nothing stopped it, however, from leaving personal information, in unencrypted form, on a laptop in a parked car. That's where the thieves found it. Data on 10,000 NASA employees, including social security numbers, dates of birth, and -- yes -- some of that background check information the Supreme Court was so confident could be protected.
But this is beyond a joke. Only last week, I wrote about the theft of hundreds of thousands of unencrypted records from the South Carolina Department of Revenue. Do people think encryption is something that exists only in spy novels? Trying to get states to focus on adequate security measures may be like herding cats, but at the level of federal agencies, somebody needs to take ownership of this problem.
We have a seemingly intractable challenge with trusted identities in cyberspace -- ensuring that only the right people get to look at files. But we could, at least, encrypt the sensitive data contained therein. Encryption isn't perfect; keys can be stolen. But it's better than no encryption at all.
One argument against encryption, of course -- especially full disk encryption -- is cost. Some analysts maintain that the benefit of encryption in mitigating damage from data breaches more than justifies the expenditure involved. Others advocate encrypting data only when necessary.
In my book, when sensitive data is going to be placed on a laptop, and taken outside the security perimeter, it's necessary.
What other data from federal agencies is sitting unattended in the backs of cars? Remember, we still have a rump of Republican senators filibustering attempts to pass cybersecurity standards for the national grid. To the extent the grid is in private hands, security is unsupervised; to the extent it's in the hands of federal agencies -- well, given this example from NASA, we might as well give up.
If we're not going to give up, however, what we need are mandatory security benchmarks, at least for government departments and agencies. It's not impossible: FedRAMP (the Federal Risk and Management Program) has set standards for federal use of cloud computing services.
I'm asking for something more basic. Rules on the storage, distribution, and use of defined types of sensitive data, together with sanctions if the rules are broken. Once the federal government has standards in place, it can engage again in the difficult task of persuading the private sector to adopt standards at least as stringent.
— Kim Davis , Community Editor, Internet Evolution