Privacy

Jeff Parker
© Jeff Parker

First it was decided that corporations are people and money is free speech. Then it was decided that the right to privacy only applied to the spies. I guess 1984 was just 30 years early.

What I find really ironic about this is the news that even though Snowden was a lowly system administrator at the NSA, it was easy for him to just impersonate people with more security clearance than himself, and even give himself the clearance to download top secret information onto thumb drives. Yes, that’s right, the NSA’s network security is so weak that a contractor had no problem circumventing it. And they still have no idea what all he downloaded. I think it is pretty darn likely that just about every one of our enemies has more access to this secret information than either the American people or Congress.

6 Comments

  1. PatriotSGT wrote:

    Yeah, and they say don’t worry, your private and personal information we collect and keep is perfectly safe from unauthorized use.
    Like this one reported in July 2013:
    The IRS now confirms that it inadvertently posted Social Security numbers of tens of thousands of Americans on a government website.
    Or this one from 2012:
    South Carolina’s governor faulted an outdated Internal Revenue Service standard as a contributing factor to a massive data breach that exposed Social Security numbers of 3.8 million taxpayers plus credit card and bank account data.

    HHS even has a website to list breaches affecting 500 or more individuals. I looked at the 659 individual events that involved breaches affecting from 500 to 4.9 million persons. The breaches range from theft and unauthorized access (like Snowden) to loss and improper disposal (the dumpster).

    http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

    Does anybody out there really trust that our big brother knows what the heck they’re doing and is competent?
    To add to the hypocrisy of the article you linked to, I know in 2008 the Army disabled the ability to use thumb drives on all its computers to lessen the risk of compromise, both as data loss and introduction of viruses, bugs, worms, etc.

    But the NSA still allows this? Really? Oh my lord…

    Friday, August 30, 2013 at 10:27 am
  2. Iron Knee wrote:

    Computer security is a tough problem, and will always be a tough problem. I don’t think it is a question of competence. I know some companies that are extremely competent that still have had massive security breaches.

    Any time anyone (government, corporation, or otherwise) says your data is safe with us, they are lying.

    Friday, August 30, 2013 at 10:47 am
  3. Michael wrote:

    I could get all theoretical here and mention Harrison-Ruzzo-Ullman, which (in layman’s terms) proves that security is not just hard…it is impossible.

    Friday, August 30, 2013 at 11:05 am
  4. dickt_cal wrote:

    A few years ago, my kid came home with boxes of paperwork that he picked up behind a mall. Included were job applications that contained privileged personal info and credit card receipts with enough info to go on a buying spree. It’s NOT just a government problem. It’s a user problem at all levels. It just gets worse when there’s lots of users.

    Friday, August 30, 2013 at 4:32 pm
  5. Don wrote:

    I’d be interested in seeing comparative data re: govt vs private sector as to how much personal data each has lost through time. My memory tells me I’ve seen many more losses of personal data from non-governmental sites, but that’s just what little anecdotal data my memory comes up with.

    Saturday, August 31, 2013 at 3:13 pm
  6. Michael wrote:

    Don, researching this type of stuff is very hard in practice because (a) organizations don’t want to disclose this stuff and (b) a lot of times they aren’t required to. Probably the best resource for monitoring data breach trends is the Verizon Data Breach Report. To answer your question in a short way, when only network intrusions are considered, only 3.5% of the breaches studied were against the public sector. For a full picture, you also have to consider the size of breaches, the size of the industry, etc., etc. But for a starting analysis, data losses overwhelmingly occur in the private sector.

    There are some very compelling arguments for why this is so. First, you always have to look at the goal of an attack. By far the biggest goal is financial. It’s a lot easier to turn stolen credit card numbers into cash than, say, stolen voter registration numbers. So attackers are much more motivated to go after private enterprises.

    Second, the public sector is much better (though not perfect by any stretch of the imagination) about adhering to best practices. A state has the power to require all municipalities to use a common data format and authentication standard. In the private sector, there is no such authority. All companies are working independently and make their own decisions about whether to follow certain practices. That’s why you still hear that company X suffered a breach because they were storing login credentials in an unencrypted form. This is known bad practice, but there is (for the most part) no agency that can issue mandates. The closest we get in the private sector is PCI-DSS, but many firms are exempt from demonstrating compliance (though they are exposing themselves to liability if they don’t).

    Saturday, August 31, 2013 at 4:07 pm