SAN FRANCISCO – The latest report from ZATZ Publishing highlights a surprising lack of government record-keeping oversight, along with critical cyber-security gaps. It indicates that, without proper records management, America won’t have critical records of the operation of its government.

These findings were revealed in the recent Government Accountability Office (GAO) audit of the National Archives and Records Administration (NARA) and four key government agencies: Homeland Security, the Environmental Protection Agency, the Federal Trade Commission, and HUD (Department of Housing & Urban Development).

The report, entitled “Where Have All The Emails Gone?,” found that while the GAO described certain record-keeping and computer management practices at these various agencies, they may not have fully understood how the practices they documented would lead to troubling security flaws at the Department of Homeland Security and Federal Trade Commission, and they certainly didn’t point them out explicitly for the Committee to investigate.

“It’s politics,” said David Gewirtz, ZATZ editor-in-chief and the author of the report. “They are not technical people and they have a different agenda in mind [which is less] about security issues and more about political issues.”

The report explored how the NARA has completely abdicated responsibility for investigating records management in the U.S. government since 2000, putting all U.S. government record-keeping at risk.

“We are talking about a bureaucracy. People don’t like having records examined and don’t like having audits. They are not doing anything bad, it’s just not fun and takes time away from their primary mission,” Gewirtz conjectured.

The report also discovered two new potential cyber-security risks, this time at the Department of Homeland Security and another at the Federal Trade Commission (FTC), the government’s lead agency for identity-theft protection.

The first risk is that employees within Homeland Security are able to access webmail services such as Gmail and Hotmail while at work.

“Their computers are going out on the network and accessing their Hotmail accounts and we know all sorts of malware and spyware can be transmitted via somebody’s e-mail system whether it’s in an Active X control or an attachment someone shouldn’t open and does,” said Gewirtz.

He added that while Homeland Security said it will be stopping this practice, it will take years for that to actually happen, so in the meantime access to those e-mail systems provides an interesting way to get bad stuff inside the firewall.

Over at the FTC, the opposite is occurring. While this agency does prevent employees from accessing their webmail from the FTC directly, it allows users to remote-terminal into their home computers to get access to it. Gewirtz said that the problem here is that users are tunneling through the firewall, leaving it open, and people cannot track what is going through it.

He also outlined recommendations that may be the only path that will prevent the problems from happening with future administrations.

Recommendations include establishing an electronic communications detail that would work similarly to the Secret Service, in that a dedicated IT team would span administrations and be in charge of all electronic communications.

Gewirtz also recommended that the Hatch Act be modified. He explained that this act, which was enacted in 1939, tells people they can’t use government resources for personal or political use. For example, if they are going to a campaign stop and want to send an e-mail saying that they are going to be at that campaign, they can’t use government IT systems to send that e-mail but need to use their personal system.

“What that means is you are bypassing the firewall and using your private AOL account to tell people where you are going and what [you are] doing, thus creating a huge security flaw,” he explained.

Another recommendation is that archiving needs to be managed by an administration-spanning team as opposed to an ad hoc political point of view. As well, Gewirtz said there needs to be a comprehensive policy related to the use and recovery of mobile devices that get lost or stolen, as they may contain important secure information or be compromised to provide access to secure information.

This column was written by Vanessa Ho of ConnectIT
