Wyatt Kash | Editor's Desk: VA's data spill
There is every reason to be disturbed by the Veterans Affairs Department's loss of personal data affecting as many as 26.5 million veterans. But most disturbing is how vulnerable other agencies are to the same kind of loss.
VA secretary Jim Nicholson certainly has a new appreciation for the importance of information security. He may also have new regard for the warnings VA got from its inspector general and from Rep. Tom Davis' Government Reform Committee, citing poor progress in dealing with weaknesses in the agency's information security systems.
But if Nicholson is on the hot seat, many others should also heed the heat.
It's not very comforting to hear Nicholson declare that VA will upgrade data security guidelines and have all VA employees take a cybersecurity course by June 30; or of plans to increase background checks of employees with access to sensitive data. Such efforts might have prevented this incident, but the odds aren't encouraging they would prevent other workers'whatever their intentions'from removing valuable data.
What's needed more than another round of policies is the leadership, resources and commitment to close what, in most cases, are already well-defined security gaps and to apply existing encryption technologies to valuable government data. The National Institute of Standards and Technology has already approved more than 600 cryptographic products for federal use.
The tragedy of the VA incident is that the risks of a data spill of potentially Exxon Valdez proportions were readily apparent'and so were the measures to mitigate them.
VA estimated it may have to spend up to $250 million to pay for credit reports, monitoring and potential damage that results from the theft, according to Nicholson, assuming it gets funding. It also is in discussions on ways to begin using automatic encryption of all sensitive information.
One can only hope the heads of other agencies are having the same discussions'and weighing the wisdom of investing now versus paying later.