Government Flunks Its Own
Security Grades"> "Gathering that information and putting it into state DMVs with a skyrocketing incident rate of identity thefts is a really bad idea," said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, an organization which has long opposed the idea of national IDs. Its not that the database information cant be encrypted, security experts point outits that the government has proven untrustworthy in doing so."The metric Id give you is FISMA [the Federal Information Security Management Act]," Oltsik said, referring to legislation that mandates that government agencies be graded on their ability to protect data. "The Department of Homeland Security has gotten four Fs in a row. If theyre not securing data, do we really want to trust state RMVs with this data?" Indeed, the Nevada DMV initially reassured residents that information stolen from the DMV near Las Vegas was encrypted, making it virtually useless to thieves. State DMV chief Ginny Lewis subsequently told news outlets that Digimarc Corp., which provides digital drivers licenses for the state, had informed her that the information was not encrypted and was easily accessible. "The practical reality with this issue is the information is already in these databases," said Ted Julian, vice president of strategy for the database security tools vendor Application Security Inc. "Do you want it in 50 of them or in one of them? I dont know which of those scenarios is better." The bigger issue, Julian said, is that databases are directly under attack. "Thats where the goods are," he said. "[Thieves] are hunting for valuable data they can sell or can otherwise benefit from. Lets face it, that typically sits in a database." A roadblock to securing databases is a false sense of security derived from firewalls, Julian said. Obviously, he said, building firewalls on the perimeter doesnt mean the back-end database is safe, given that "every headline of the week, theres a database break-in," he said. "Which is not to say the perimeter stuff is a waste of time. Its necessary, but no longer sufficient." Check out eWEEK.coms for the latest database news, reviews and analysis.
"Yes, there are methods to protect the data. There are documented best practices," Oltsik said. But in determining whether or not to trust government to protect the data, he said, one need look no further than its poor performance to date.