Missing laptop, missing policy
Let's rewrite the laptop story. Let's see what Good Government might have done, beginning with the laptop and then looking at the larger issues of federal IT security and identity theft.
In Good Government, the civil servant's agency would have instituted some or all of the following practices:
- Disk encryption: Good Government would have encrypted everything on every laptop's hard drive so that even if a computer were stolen, no one could read what was on it without knowing the decryption password.
- Remote zeroization: The laptop would have had a program on it that covertly "phoned home" whenever the thief or new owner connected to the internet, so that the agency could zeroize (erase) the data on it remotely.
- Digital rights management (DRM): The sensitive file on the laptop would have had a DRM application so that it could only be read, or printed, or forwarded, or downloaded by an authorized user.
- Telecommuting: The department would have established a secure virtual private network (VPN) allowing workers at home to work on files stored on the department's servers. Even in the office they would not have the data on their desktop, but would access it from a secure file server.
- Two-factor authentication: The DRM and telecommuting would have allowed access only after the user had proved identity through the use of two- or three-factor authentication, such as a secure token.
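Of these practices, the first is the one the laptop story turns on, and it is also the easiest for an oversight office to verify automatically rather than take on trust. The following is an added example, not code from the column or from any agency: it audits a Linux laptop for full-disk encryption by parsing the JSON that util-linux's `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints and checking that every mounted filesystem sits somewhere beneath a dm-crypt/LUKS device (lsblk reports these as `TYPE=crypt`). The lsblk output embedded in the block is constructed for the example; the exemption of `/boot/efi` reflects that firmware must read the EFI partition in the clear.

```python
"""Added example (not from the column): audit a Linux laptop for full-disk
encryption by checking that every mounted filesystem is backed by a
dm-crypt/LUKS device. Input is the JSON that
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints; the sample is constructed."""
import json
import subprocess

# Constructed lsblk output: root, home and swap live in LUKS-backed LVM,
# /boot is in the clear, and an unencrypted USB stick is attached.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
      {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
      {"name": "sda3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
        {"name": "luks-root", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
          {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
          {"name": "vg-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"},
          {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}
        ]}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/media/usb"}
    ]}
  ]
}
"""
SAMPLE_TREE = json.loads(SAMPLE_LSBLK_JSON)

# The EFI system partition cannot be encrypted: firmware reads it in the clear.
DEFAULT_EXEMPT = frozenset({"/boot/efi"})


def mountpoint_encryption(tree):
    """Map each mountpoint to True/False: does a TYPE=crypt device appear
    anywhere in its ancestor chain? Walks lsblk's nested 'children' arrays."""
    result = {}

    def walk(devices, under_crypt):
        for dev in devices:
            encrypted = under_crypt or dev.get("type") == "crypt"
            # Older lsblk emits one "mountpoint"; newer ones may add a "mountpoints" list.
            for mp in [dev.get("mountpoint")] + list(dev.get("mountpoints") or []):
                if mp:
                    result[mp] = encrypted
            walk(dev.get("children") or [], encrypted)

    walk(tree.get("blockdevices", []), False)
    return result


def unencrypted_mountpoints(tree, exempt=DEFAULT_EXEMPT):
    """Sorted list of mounted filesystems that fail the encryption check."""
    status = mountpoint_encryption(tree)
    return sorted(mp for mp, enc in status.items() if not enc and mp not in exempt)


def is_compliant(tree, exempt=DEFAULT_EXEMPT):
    return not unencrypted_mountpoints(tree, exempt)


def live_tree():
    """Query the running system (Linux with util-linux lsblk installed)."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    tree = SAMPLE_TREE  # replace with live_tree() on a real laptop
    for mp, enc in sorted(mountpoint_encryption(tree).items()):
        print(f"{mp:12} {'encrypted' if enc else 'CLEAR'}")
    missing = unencrypted_mountpoints(tree)
    print("compliant" if not missing else f"NOT compliant, in the clear: {missing}")
```

On the constructed sample the audit flags `/boot` and `/media/usb`: an unencrypted boot partition is a common default that a policy would have to decide about explicitly, and the USB stick shows why the check has to cover every mounted device rather than only the internal disk. The walk carries the "under an encrypted device" flag down the tree, so LVM volumes inside a LUKS container are counted as encrypted even though their own `TYPE` is `lvm`.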
These and other best practices would have been adopted by the U.S. Department of Veterans Affairs and all other federal agencies because in Good Government there would have been a powerful and independent office of a federal CIO with the authority to require the departments to institute security procedures. Instead, today in the real world of Bad Government, the leaders of the Office of Management and Budget (OMB) jealously guard the authority to regulate federal information security policies, but have so few people dedicated to the task that OMB cannot realistically stay current with technology, develop policies, and engage in oversight to ensure the implementation of IT security policy.
Because it is not just from federal government computers that identities are stolen, Good Government would have instituted effective laws to protect citizens and corporations from cybercrime and identity fraud. First, the Congress would have passed legislation similar to Japan's, mandating IT security standards and third-party audits for any company that stores personal data on 5,000 or more individuals. Such standards would involve encryption and multi-factor authentication. Second, Congress would have passed a law requiring notification of citizens when their identity data may have been stolen. Over 30 states have already passed such laws, but in the real world of Bad Government, many in the Congress are instead actually trying to pass federal legislation that would water down the state notification laws. Finally, Congress would have required the use of two-factor authentication for online banking, as Hong Kong has, or for any significant new credit-related action, such as applying for a credit card or getting a mortgage.
Good Government solves problems, not through big bureaucracy or unnecessary regulation, but through smart adoption of technology. Unfortunately, we have Bad Government, which does little or nothing.
Richard Clarke served three U.S. presidents as an intelligence and terrorism expert. His latest books are Against All Enemies and The Scorpion's Gate. He is chairman of Good Harbor Consulting.