The VA data theft that left 26.5 million veterans and about 2.2 million active duty personnel at risk for identity fraud was an unforgivable screw-up in which everyone deserves scorn -- from the analyst who took the sensitive data home to supervisors who fell asleep at the security switch.

That was the verdict of U.S. Department of Veterans Affairs (VA) Inspector General George J. Opfer, who released a scathing report (PDF) Tuesday on the now-infamous VA data theft.

Security bloggers generally agreed, though some wondered if a disproportionate amount of blame had been placed on the analyst's shoulders.

Sure, he showed poor judgment by walking out of the office with such a large volume of sensitive information, where it was eventually stolen in a burglary. But, some bloggers asked, wasn't the analyst's lack of security scruples simply a symptom of the larger problem? After all, they said, the data may never have left the office had department supervisors been paying closer attention.

Opfer outlined a litany of missteps, insufficient security measures and an overall lack of care in the events leading up to the May 3 burglary of the analyst's Maryland home. He also harshly criticized the analyst's chain of supervisors, including VA Deputy Secretary Gordon H. Mansfield, for waiting nearly three weeks to publicize the burglary. That decision, according to the report, unnecessarily placed veterans and active duty personnel at risk for fraud.

The supervisors deserve most of the blame, as far as Liquidmatrix blog keeper Gattaca is concerned.

"I'm still annoyed that the VA was trying to hang the employee out to dry on this issue in a bid to save face," he wrote in a posting this week. "Simply deplorable."

He added, "The funny part here is that the sacrificial lamb … had permission to have the laptop with SSNs [Social Security numbers] on it. I'll say it again, he HAD PERMISSION."

Tom Fragala, an identity theft victim and founder of Truston Corp., a credit-monitoring and identity-theft recovery service, noted in the Truston blog that the VA inspector general found that the analyst whose laptop was stolen had the OK to access the data, but apparently not to take the laptop home.

"I think there will be a difference of opinion there," Fragala said. "The analyst (with 34 years at the VA) might argue that since his PC was a laptop, how could he use the data without taking it home?"

But when focusing on the analyst, one misses the point, he said: "It was lax security policies and lack of encryption, plus poor response measures that sunk this ship."

Of course, the VA has announced measures to strengthen those security policies. But Charles Stricklin wrote in the Homeland Stupidity blog that the latest proposals are too little, too late.

"In a case of closing the barn door after the cows have all gotten out, the [VA] took steps to get its information security in order … a half decade after security alerts were first issued and nearly two months after the largest personal data breach in U.S. history," he said, in reference to VA Secretary Jim Nicholson's plans to order a complete restructuring of information security.

During congressional hearings last month, Nicholson announced that VA facilities across the country would "stand down" for Security Awareness Week, during which VA managers would be expected to "review information security and reinforce privacy obligations and responsibilities with their staff."

In military terms, Stricklin noted, a "stand-down" is "an order given to military units, ranging from a single military command to the entire Department of Defense, to cease all but the most basic of duties and focus all attention and training on the special task given them."

Given all the internal security reviews over the years, he expressed doubt that this stand-down will do any good. For instance, in 2003, he said, staff members in the VA inspector general's office demonstrated that online outlaws could get access to veterans' protected medical information from outside the VA network. Last year, internal reviews found that access controls were not consistently applied at dozens of data centers, medical centers and regional offices.

"Recommendations included ensuring that background checks are performed on VA and contract workers, restricting off-duty workers' access to sensitive information and providing annual security awareness training for employees," Nicholson said.

Still, access restrictions and security awareness training didn't stop the VA analyst from taking sensitive data out of the office, resulting in an incident that will long be remembered for its numerous and dumbfounding missteps.