IT Security: Still a People Problem

The recent experience of a former defense employee, shared during the Executive Leadership Conference Monday in Williamsburg, Va., showcases what very well may be the biggest threat to government's information security posture: the government people themselves.

This individual, who left DoD to join another federal agency, but who can't be named due to privacy policies of the conference, drove up to a security gate at the entrance of a military base. He was initially impressed by the care taken to follow security procedures: A guard used a handheld device to scan his government-issued identification card, then waved him on to another individual, seated in front of computer, to verify his credentials.

He was then asked if he had ever been issued a government ID card before, to which he responded yes â€" years earlier, when he was still at DoD. The person behind the computer was troubled, and finally explained that the photograph attached to his name and social security card in a file saved in the system was not him. He was asked if he had ever owned a SAAB, which he had not (apparently his impersonator had). After producing a variety of documents that ultimately proved he was indeed who he claimed to be, the he was told the old document in the database would be deleted, and replaced by his own.

What would be done about the individual who had presumably used his social security number to be issued a government ID card? Nothing, he was told.

The specifics of how a false government identification card could be issued is somewhat unclear, and in theory, this particular example of identity fraud would be nearly impossible to pull off today. The Homeland Security Presidential Directive 12, or HSPD 12, which requires all government employees and contractors to be issued a biometrically-enabled card for access to federal buildings and networks, would prevent an individual from using only personal identifiable information, such as name and social security number, to be issued a government credential. That doesn't make the fact that it was possible as recent as a few years ago any less scary, nor does it provide much comfort to this former defense employee who was obviously a victim of identity theft.

But neither HSPD 12 nor any other federal mandate can rationalize away the response to the situation by that person seated behind the computer. Delete the false information out of the system and replace it with accurate data, but do nothing to track down how this individual was granted a card in the first place, and make no effort to track down the guilty parties. That failure to detect or react to an instance of stolen government identity is perhaps the most troubling lesson of all. It reflects the people problem -- the insider threat that we all hear so much about, but have yet to tackle appropriately to protect the individual or federal networks as a whole.

"We in America are naive," the employee said. "Sometimes I'd say stupid."