The Packet Rat | A Swiftian plan for security

OMB’s push for agencies to adopt lines of business and shared-services centers is gathering additional steam, and it looks like the efforts to create a Security LOB are off the back burner once again. Now that someone is actually being paid to provide support for the process, the Rat suspects that the wheels will spin a little more freely on the Security LOB wagon.Of course, that someone is SiloSmashers Inc., a subcontractor for CapGemini.When he heard the name, the whiskered one thought that maybe some anti-nuclear protestors from Plowshares and Jonah House had gotten in the wrong line one morning and found themselves getting handed a GSA contract instead of getting arrested.But, given the continued security woes at the Veterans Affairs Department (what with another notebook PC gone missing with veterans’ personal data aboard), the Rat thinks he has a modest proposal on how to get things moving even faster.“If the OMB wants real movement,” the cyberrodent said to his agency undersecretary as they went over a Federal Information Security Management Act audit, “they should create an Insecurity LOB, and bring back those folks that have gotten the axe at VA to run a shared-services center for security screw-ups.”“See, if we centralized all of the executive branch’s inaction on data security intoone place, it could save billions a year. By pushing all our security policies over to a ‘center of incompetence’ for security, we could quickly see where the weaknesses are and how feckless users might try to circumvent them.”“So, let me get this straight,” the confused appointee said. “You think OMB should centralize … incompetence?”“It’s clearly a cross-agency business function, and with two strikes so far this year, VA seems to be the perfect testing ground for security practices. I mean, to paraphrase Sinatra, if it doesn’t fail there, it won’t fail anywhere.”“So you’re talking about a test environment,” the undersecretary offered.“Well, after a fashion,” replied the Rat. “If they think it’s testing, it won’t work. So they have to actually think it’s real work to be effective. Plus, I doubt the ROI on keeping all those folks around just to see how they evade security policies would be high enough to make the proposal attractive.”“But that would mean that they’d be violating security with actual live data!” the distressed officio interjected.“Sure,” the furry one said soothingly. “But it wouldn’t be our data. I mean, do we want to let our users be the next security scandal? Or for that matter, do we want the Energy Department people accidentally releasing nuclear test hard drives into the wild?”The perplexed politico furrowed his brow. “Well, no. I think I see your point.”“Good,” smiled the Rat. “Feel free to claim the idea as your own, and pitch it to the Security LOB task force. I’m sure they’ll love it.”