Lawmakers call for accounting of data breaches
Committee wants picture of cybersecurity compromises
The House Government Reform Committee wants a governmentwide picture of the risk from data breaches and has given agencies two weeks to provide a list of compromises since 2003.
Committee chairman Tom Davis (R-Va.) and ranking member Henry Waxman (D-Calif.) last week asked all cabinet level agencies, the Office of Personnel Management and the Social Security Administration to report any 'loss or compromise of sensitive personal information held by the federal government since Jan.1, 2003.' Agencies must deliver a summary of each incident by July 24.
Agencies recently have reported a plague of data breaches, especially since the Veterans Affairs Department experienced a loss of sensitive data for millions of veterans, reservists and active-duty personnel in May.
Since VA's data breach, the IRS, Social Security Administration, Navy, the Health and Human Services and Agriculture departments, and, last week, the State Department, also reported data compromises.
In the VA case, police have since recovered the missing laptop and the hard drive containing the sensitive data.
'Not all agencies are so lucky. And we can't go forward hoping for the same good luck in the future. The federal government must become a better steward of sensitive personal information' Davis said in a statement.
Agencies are to provide the committee with the date and circumstances of each data breach, information that was lost or compromised, number of individuals affected and remedial efforts.
However, one security expert said Davis will likely get information only about attacks that didn't hurt anyone or have already been made public.
'The agencies cannot answer that honestly, because if they do they will provide evidence that they had not told U.S. CERT about all of the attacks,' said Alan Paller, research director at the SANS Institute in Bethesda, Md.
Under the Federal Information Security Management Act, all federal civilian agencies are required to notify the U.S. Computer Emergency Response Team within one hour of discovery of any data breaches, unauthorized access or suspicious activity on their networks.
In a memo last week, Karen Evans, OMB administrator for e-government and IT, reinforced that rule.
Davis is working on legislation to strengthen notification requirements.
Last week, State said it was investigating a hack into unclassified department IT systems, starting with embassies and offices in the East Asia/Pacific region and migrating to department headquarters.
State cybersecurity personnel took immediate steps when they detected the intrusion, and initial findings show that they prevented any loss of sensitive information, State spokesman Sean McCormick said.