Commentary | NASA Security Breach Should Be Wake-up Call
The recent breach at NASA from a stolen laptop is the latest in a number of alarming, high-profile breakdowns resulting from antiquated policies for security, identity management and remote access. The password-protected asset was taken from a teleworking employee whose job responsibilities included reviewing personally identifiable information.
Computerworld reported that this breach prompted an immediate agencywide initiative to implement full disk encryption on all NASA laptops, starting with those carried by teleworking employees. While I applaud the NASA team for taking action, their plan to encrypt laptops was an insufficient response to a breach of this nature, and symptomatic of a nationwide epidemic.
Government agencies across the country that manage the most sensitive information must accept a simple truth: Data of a confidential nature should never be allowed to leave the safe confines of the enterprise’s network. This is a far better approach to ensuring that private files are not exposed to unauthorized access or unnecessary risk.
The security and financial consequences of weak policies or protocols should sound an alarm that the current thinking in regard to security is flawed — to put it mildly.
Also of note is the conclusion of leading security analysts that among the top reasons for data breaches was loss of a laptop or mobile device, or third-party mishaps — a logical supposition when you consider that regardless of their education, training or security clearance, people are still “only human.”
Individuals make mistakes every day — it’s an indisputable fact of life. Accordingly, without the appropriate technology in place, there is no policy, mandate or executive directive capable of completely protecting an organization from breaches. This must be realized and effective technology must be deployed, or we will continue to see the same story over and over again.
According to “A Chronology of Data Breaches,” a report published in July by the Privacy Rights Clearinghouse, the total number of records containing sensitive personal information involved in security breaches in the U.S. had reached 562,943,732 since January 2005. Gartner Group forecasted that through 2016, the financial impact of cybercrime would grow 10 percent per year due to the continuing discovery of new vulnerabilities.
The push for across-the-board government cost-cutting in 2013, coupled with a rise in the number of federal teleworkers (and contractors), should motivate administrators to be proactive and take preventative technological measures. Further, there must be a wholehearted paradigm shift in the overall philosophy on data entitlement, as well as how files are accessed and managed.
Remote workers should be empowered with tools that provide them with an identical user experience to perform their duties as if they were onsite, but no data should ever be downloaded onto an external USB drive, laptop or smartphone, thereby eliminating any risk of cache, file transfer, middleware or cyber footprint. In addition, remote access should be based on the identity of an individual — not the device.
In an article for the information security website Dark Reading identifying the top 10 government breaches of 2012, Ericka Chickowski notes that “the circumstances [of the NASA breach] offer glaring evidence of how government agencies still lag in employee awareness and training. Personally identifiable information was left on an unencrypted agency laptop, which was subsequently stolen. … When large caches of information are transferred from the database, who knows where they’ll end up. The NASA breach shows once again how easy it is for unencrypted information on laptops to ‘walk away’ from authorized users.”
This incident should serve as a wake-up call for government and private business in terms of how they protect their most sensitive assets and data files. Without the proper technology, there is no possible way to enforce security policies and protocols.
Unfortunately for many organizations, the reality of today’s computing environment is that security without any entitlement management component is a punchline, because the absence of one allows data to leave the friendly confines of their respective networks.
Digital security is about risk management and mitigation, and should be looked at through the same filter as any other risk management decision. There are two central questions to address:
- What is the cost to the organization of doing nothing?
- What are the upfront and ongoing costs or savings associated with a new investment in a more effective security solution?
As has been shown, the cost of complacency can be crippling on multiple levels. The organizations that think they have time before investing in a sound security policy and technology will undoubtedly find themselves on the wrong side of an attack or breach. There are just too many potential threats, with the extent of damage they can cause growing exponentially.
In 2013, universal security, data management and protection must be top priorities for the U.S. government. The growing contingent of teleworkers will amplify not only the risk of breaches caused by lost devices (encrypted or not) but also the risk that comes with the prevailing practice of allowing employees to “bring your own device” (BYOD).
We all know that there is no such thing as perfect security, but that is no excuse for the inadequate protocols and the lack of the right technologies that we see more often than not.
Tony Busseri is chief executive of Route1, a Toronto-based digital security and identity management company whose clients include the U.S. departments of Defense, Homeland Security and Energy and the Canadian federal government.