We've known for quite some time that government agencies have turned their horrible privacy practices into an art form. The GAO's report found that out of 24 major government agencies, 18 had inadequate information security controls. Of those, eight federal agencies got failing grades when it came to implementing the 2002 Federal Information Security Management Act. (Ah well, a decade is on par with Congressional Standard Time.) Those agencies included the Department of Veterans Affairs and the Department of Health and Human Services, each of which has met just over 50 percent of the law's requirements.
Terrified yet? As the agencies responsible for running some of the government's largest entitlement programs, the VA and Health and Human Services retain deeply private, unspeakably sensitive information on millions of Americans. The VA's terrible performance shows that so far it has failed to learn its lesson on privacy, since this is the agency responsible for one of the largest government data breaches in history -- a 2009 incident in which the VA lost a hard drive containing the names and Social Security numbers of tens of millions of veterans.
Combine that with the fact that hacking is on the rise. Only four government data breaches were caused by hackers in 2009, according to the Rapid7 report. By 2011, the total had grown to 18, and there were another 11 breaches perpetrated by hackers in the first five months of 2012. Those numbers will continue to increase -- and why wouldn't they? The government's own metrics show that the "sophisticated" computer defenses of many federal agencies are on a par with the blundering army of archers defending the fictional European country in the 1959 Peter Sellers movie, "The Mouse That Roared." Judging by appearances, mining those computers for all the private data they hold is about as daunting to a professional hacker as a child's piggy bank would be to a professional safe cracker.
Mailing a USB drive brimming with names and Social Security numbers to the wrong person, failing to delete data from discarded drives -- the list of governmental idiocies is long. And all of these unforced errors by incompetent or untrained pencil-pushers are like waving a red flag at a herd of very aggressive bulls -- in this case, a herd of hackers. The difference is, when those bulls charge, it's not the bureaucrats who get skewered. It's you and me: American taxpayers who have been forced to hand over to the government all of our private information -- names, addresses, phone numbers, Social Security numbers -- just to take care of the basics (pay our taxes, receive our Medicare benefits, even register to vote).
Unfortunately, the bureaucrats seem to be unable to fix this mess. That means it's up to us. What should we do?
First, let's put some teeth into the law. The Information Security Management Act is ridiculous. Agencies are reviewed regularly for compliance, but what happens when they fail to comply? They receive a very stern talking-to from the GAO. They might even get written up in a report using words like "vulnerable" and "weak."
Give me a break. We need nationally mandated security protocols, backed by a law that imposes serious sanctions on offending agencies and the bureaucrats who run them.