Sailor's Data Stolen. Everyone on deck with life jackets.

Friday, June 23, 2006. "The Navy has begun a criminal investigation after Social Security numbers and other personal data for 28,000 sailors and family members were found on a civilian Web site.The Navy said Friday the information was in five documents and included people's names, birth dates and Social Security numbers."

Meanwhile, this same week the General Accountability Office removed some records from its Web site this week containing some personal identifying information of 1,000+- government workers. The data included individual names and Social Security numbers. The Naval Criminal Investigative Service (NCIS) is investigating the incident and the discovery of this data loss was made by the Navy Cyber Defense Operations Command. This unit of the Navy monitors the Internet to identify security leaks.

My personal and professional view is that ALL government agencies should have CyberSecurity units because all government agencies have serious issues in storing, manipulating and analizing, and distributing sensitive information.

I have been working for several years with the Iowa State University Information Assurance Program (INFAS) training students in information security (my role is in training them in the area of public policy).

My great frustration is that the federal government agencies and Congress have been irresponsible by cutting funding and by refusing to rapidly expand programs such as this. We could RIGHT NOW be supplying dozens of highly trained and top secret security clearance viable experts who would be protecting the sensitive data that, like sand, seems to be sifting through the fingers of federal agencies.

One of the problems we have all worried about is the extensive use of outsourcing by government agencies at the local, state, and federal leves. In that context apparently U.S. Rep. Edward Markey, (D-Mass.), said "... he had asked Rumsfeld two years ago about the implications of federal agencies outsourcing data collection and processing activities. While there is no indication that outsourcing was the problem in the Navy case, Markey said he wants to know what effect that would have on the security of information on military personnel."

We don't know if the Navy data loss was due to outsourcing. However, it is now very clear that government agencies must develp in-house, well vetted, well funded, and aggressive cyber security capabilities. These should be directed at:

• careful and pervasive Internet security sweeps to identify breaches in information
• "primeter security" of all digital files through layered encryption and password protection of all data especially Social Security numbers which should be treated as the equivalent of "top secret" information.
• best practice rules on where data files may be taken by whom (NO laptops left in cars!)
• physical protection of data hardware and software storage sites and equipment including servers and data nodes (this may be as simple as security guards and locked doors!)
• relentless prosecution of data thieves.
• stiff penalties for companies that fail to implement the highest levels of information security.

Sources: NY Times, CNN.com, Wall Street Journal, C-Net, The Identity Theft Institute.