Web Informant #213, 12 September 2000:
Learning from the government's security lapses


The General Accounting Office, the US Congressional watchdog agency, this week released a very disturbing report on the computer security capabilities of our federal government. In a word, it is a miserable picture. Agency auditors found security lapses in just about every place they looked at major federal agencies including Defense, the IRS, Energy, and Social Security.

As anyone who handles computer security for their corporation knows, the biggest vulnerabilities are from within -- rogue employees with inappropriate access could make changes to files, delete or add information, or set up payments for a conspirator on the outside. And this is perhaps the most distressing part of the GAO report: "Our auditors have been successful in readily gaining unauthorized access that would allow intruders to modify data for whatever purpose they had in mind." Every agency that they examined had problems with access control security, and many had more troubling security issues as well.

Weak access controls -- granting privileges to employees to particular databases or applications who shouldn't have, or making passwords easily guessed on sensitive areas -- really undermine an organization's data security. Given the increasing connectedness of computer systems, all it takes is someone with an ax to grind and a few minutes' work before a system can be compromised.

The number of security breaches at various national research labs continues to rise, and the press on these and other security problems (Ikea and Western Union just in the past week) indicate that security is not something that can be easily, or quickly, fixed. For those of you that are in positions to do something about information security at your company, take some time today to assess what needs hardening and begin to take some positive steps towards improving your situation. As our government has shown, many organizations have a long way to go. Some of the fixes are very simple and free: turn off computers at night, change passwords on files and applications regularly. Of course, others are more involved, but still that isn't any excuse.

It is easy for me to see how various government agencies became so vulnerable. Once upon a time, I worked for the fledgling Information Center at the Agriculture Department in downtown DC. The building was huge -- tens of thousands of people, covering several square blocks just across the street from the Smithsonian museums. We had set up a place to demonstrate the latest technology at the time -- things like 5 megabyte hard disks, the Apple Lisa, and a cool data backup system that worked in conjunction with a VCR and video tapes.

But we could only do so much to change things, and many habits were so inbred that demonstrating how to use this new PC technology appropriately didn't take the first or second or even third time. The level of inertia in government is immense, and it is easy to fall back on postponing any decisions rather than taking initiative and bringing about change. I recall one guy who insisted on formatting his hard disk. After trying to train him why this wasn't a good idea (and taking various steps after the second and third times he did it), I just gave up in disgust. I had hoped things would have gotten better by now, but this report doesn't give me much hope.

A PDF of the report is available here.

Self-promotions dep't

My thanks once again to all of you who have come out to support my upcoming bicycle ride from Boston to New York this coming Friday. Through your help, both financial and otherwise, I raised a huge amount towards two AIDS charities: the NY Lesbian and Gay Community Services Center and the Callen-Lorde Community Health Center. I'll let you know how the ride is and some of my impressions next week, assuming that I make it back to New York in one piece.

To subscribe, send a blank email to

To be removed from this list, send a blank email to

David Strom
+1 (516) 944-3407
back issues
entire contents copyright 2000 by David Strom, Inc.
Web Informant is ® registered trademark with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.