When you hear a number like “94 million” in the news, it’s usually because somebody won the lottery. This time around, no such luck. This 94 million is the number of Americans’ files in which personal information has been exposed, since 2009, to potential identity theft through data breaches at government agencies. Go ahead, count the zeroes: 94,000,000. That’s like releasing the personal data of every man, woman and child in California, Texas, New York, and Ohio.
Believe it or not, this number — which was just revealed in the latest report from tech security firm Rapid7 — is only the most conservative estimate. When you take into account the difference between reported data breaches, which is what this report measures, and actual incidents, you are talking about a much, much bigger number. As bad as the numbers are, it gets worse. Much worse. Indeed, the biggest threat doesn’t come from smart hackers — it comes from dumb politicians and bureaucrats.
First, let’s consider the scope: The newly released Rapid7 report is based on the list of data breaches compiled by the Privacy Rights Clearinghouse, a nonprofit privacy advocacy group (and remember, we’re only talking about the last three years). According to Rapid7’s analysis, government agencies at the local, state and federal level are becoming infinitely more proficient at exposing our personal data, putting more and more of it at risk with each passing year. Government agencies reported that they exposed 1.5 million records containing personally identifiable information (you know, the sensitive stuff: your name, your address, your phone number…) in all of 2010. The following year that total more than doubled, to 4 million. (If you’re worried that you’re a victim, read this.)
So far this year, government agencies have more than doubled their totals from last year, reaching 9.6 million in just the first five months of 2012. Who knows where we’ll be by the end of the year — or how many innocent people will be exposed to fraud and identity theft due to the negligence of government employees or third-party vendors?
And remember, these are just the breaches we know about. In some states, government agencies are not legally required to publicly report data breaches, or to notify potential victims that their personal information has been exposed. To take one little-known example, local governments in California are exempted from that state’s breach notification law — “a big exception, in my opinion,” as Clearinghouse founder and director Beth Givens told us, since local governments “compile a great deal of personal information.” Furthermore, out of 268 breach incidents reported since 2009, in 67 of them the public agencies responsible (and I use that term loosely) couldn’t even figure out how many records were lost. That fact alone will tell anyone with basic math skills and a lick of common sense that this epidemic is much worse than we know.
What’s even more astonishing than the total number of personal records breached is how the databases were compromised in the first place. Despite what news reports, urban legend, and simple logic might lead you to believe, sophisticated, premeditated attacks by hackers accounted for only 40 breaches since 2009, a mere 15 percent of the total.
Plain and simple stupidity and negligence caused most of the rest. In 78 of the breach incidents, government employees inadvertently disclosed citizens’ private information by posting it on a public website or sending it to the wrong people. Loss of physical, paper documents — not digital ones — accounted for another 46 data breaches. In 51 of the cases, government bureaucrats lost our private data by losing track of a portable device such as a laptop, smartphone, hard drive or back-up tape. A few of the breaches took place after these rocket scientists left a device filled with our PII inside an unlocked car.
Of the many screw-ups detailed in this report, that last one is the one that lights my fire. What Neanderthal (with all due respect to the GEICO cavemen) leaves a laptop sitting in the back of an unlocked car — especially a laptop containing the private records of thousands of citizens? What form of bureaucratic insanity allows this to keep happening, over and over and over again?
While the Rapid7 report phrases its description in less incendiary terms, the facts are still damning: “Government agencies are facing an increase in data breaches as a result of cyber attacks, weaknesses in federal information security controls, and poor best practices for protecting data on portable devices.”
“Poor best practices,” indeed.
Meanwhile, other branches of government are busy exacerbating the problem. Based on all the grandstanding by Republican officials about the need to rein in an unaccountable federal bureaucracy and get tough on national security, I expected GOP lawmakers to quickly pass the 2012 Cybersecurity bill, which would have required all organizations that run the nation’s critical infrastructure (think nuclear power plants, water supply systems and roads) to meet certain basic standards that would help defend them against hacker attacks. But Republicans were so myopically focused on preventing President Obama from achieving even the slightest legislative victory in this do-or-die election year that they almost unanimously opposed the bill, even after the Democrats caved entirely by offering to make the bill’s provisions voluntary.
How are we ever going to convince government agencies to take information security seriously when their own bosses in Congress treat our data and our most valuable infrastructure like just another pawn in a never-ending chess match for power?
Here’s the bottom line. We hear a lot of genuine, well-grounded concern about the growing number and sophistication of hacker attacks. But based on the information contained in this report, while hackers are partially to blame, the sad truth is that our own government’s security policies — or lack thereof — have put us all at risk.
Too many bureaucrats are losing track of too much of our data, and their oops! moments are being magnified by civil servants who consistently fail to implement the necessary access controls, encryption, physical security, and performance audits required to comply with the law and keep citizens’ private data private, according to a recent study by the Government Accountability Office.
We’ve known for quite some time that government agencies have turned their horrible privacy practices into an art form. The GAO’s report found that out of 24 major government agencies, 18 had inadequate information security controls. Of those, eight federal agencies got failing grades when it came to implementing the 2002 Federal Information Security Management Act. (Ah well, a decade is on par with Congressional Standard Time.) Those agencies included the Department of Veterans Affairs and the Department of Health and Human Services, each of which has met just over 50 percent of the law’s requirements.
Terrified yet? As the agencies responsible for running some of the government’s largest entitlement programs, the VA and Health and Human Services retain deeply private, unspeakably sensitive information on millions of Americans. The VA’s terrible performance shows that so far it has failed to learn its lesson on privacy, since this is the agency responsible for one of the largest government data breaches in history — a 2009 incident in which the VA lost a hard drive containing the names and Social Security numbers of tens of millions of veterans.
Combine that with the fact that hacking is on the rise. Only four government data breaches were caused by hackers in 2009, according to the Rapid7 report. By 2011, the total had grown to 18, and there were another 11 breaches perpetrated by hackers in the first five months of 2012. Those numbers will continue to increase — and why wouldn’t they? The government’s own metrics show that the “sophisticated” computer defenses of many federal agencies are on a par with the blundering army of archers defending the fictional European country in the 1959 Peter Sellers movie, “The Mouse That Roared.” Judging by appearances, mining those computers for all the private data they hold is about as daunting to a professional hacker as a child’s piggy bank would be to a professional safe cracker.
Mailing a USB drive brimming with names and Social Security numbers to the wrong person, failing to delete data from discarded drives — the list of governmental idiocies is long. And all of these unforced errors by incompetent or untrained pencil-pushers are like waving a red flag at a herd of very aggressive bulls — in this case, a herd of hackers. The difference is, when those bulls charge, it’s not the bureaucrats who get skewered. It’s you and me: American taxpayers who have been forced to hand over to the government all of our private information — names, addresses, phone numbers, Social Security numbers — just to take care of the basics (pay our taxes, receive our Medicare benefits, even register to vote).
Unfortunately, the bureaucrats seem to be unable to fix this mess. That means it’s up to us. What should we do?
First, let’s put some teeth into the law. The Information Security Management Act is ridiculous. Agencies are reviewed regularly for compliance, but what happens when they fail to comply? They receive a very stern talking-to from the GAO. They might even get written up in a report using words like “vulnerable” and “weak.”
Give me a break. We need nationally mandated security protocols, backed by a law that imposes serious sanctions on offending agencies and the bureaucrats who run them.
Low-level bureaucrats who leave unencrypted laptops in unlocked cars should be suspended without pay for meaningful periods of time. High-level bureaucrats who fail to improve their computer security safeguards in compliance with the law should at the very least be fired. In the case of actual data breaches, firing isn’t enough. Depending on the level of negligence, it’s not unreasonable that the bureaucrat should stand trial; if they are convicted of negligence and enabling fraud, they should arguably go to jail.
Second, instead of simply playing defense on data security, we need government to aggressively play offense. The federal government already spends $13.3 billion a year to secure its computer systems and bring federal agencies into compliance with the 2002 Information Security Management Act, according to a report published in March by the Office of Management and Budget. That’s 18 percent of everything those agencies spend on information technology.
However, a security system is only as good as its weakest link — people. Among a host of other initiatives, the government needs to better monitor the systems it has in place, develop effective breach response programs, and proactively train people to think security 24/7.
Here’s the point: It’s not just about punishing bad behavior. We must incentivize good behavior and inculcate best practices. Many federal agencies have good rules in place; unfortunately, not enough are striving to meet them, and several could strive a whole lot harder.
Finally, we, the people — the ones government is supposed to protect — need to get fired up and take action. While Federal agencies tend to ignore complaints from individual citizens, they do take complaints from members of Congress very seriously (since enough angry senators could cause an agency major tsouris when budget season comes around). If you are one of the millions of citizens whose information was improperly exposed, and received a notice from a federal agency to that effect, don’t just stand there, do something about it.
Letters to senators — good old fashioned snail-mail, handwritten missives — get noticed. Groups of seniors or veterans or Medicare patients showing up on a Congressman’s office doorstep get noticed. Blog articles that help track identity-related fraud get noticed.
Whatever your skill and whatever your interest, you have something to add to this fight. And if you’re an American taxpayer, you probably have something to gain from it. Rapid7’s report shows that federal bureaucrats still don’t take seriously their responsibility to protect our privacy. It’s high time for us to target the things they do take seriously: their budgets, their jobs, and their freedom.
Image: Don Hankins, via Flickr