I have belatedly seen the testimony by Prof. Eugene Spafford to the House Committee on Veterans’ Affairs Hearing on "The Academic and Legal Implications of VA’s Data Loss." As always, Spaf was crisp, insightful, and thought-provoking.
For decades, professionals in the field of information security have been warning about the dangers of weak security, careless handling of data, lax enforcement of policies, and insufficient funding for both law enforcement and research. Our warnings and cautions have largely been dismissed as unfounded or too expensive to address. Unfortunately, we are seeing the results of that lack of attention with incidents such as what happened at the VA. In addition we have seen new levels of sophisticated computer viruses and spyware, increasing cyber activity by organized crime, and significant failures of security across a wide variety of public sector entities and government agencies, including the Department of Defense...
There are many reports describing these threats, including reports from the PITAC, the GAO, the National Academies, the Department of Justice, and many commercial entities. From these reports the following general trends may be derived:
* The number of reported attacks of various kinds is increasing annually;
* Attacks are becoming more sophisticated and more efficient;
* Few perpetrators are ever caught and prosecuted;
* An unknown (but probably large) number of attacks, frauds and violations are not detected with current defenses;
* A large number of detected attacks are not reported to appropriate authorities;
* The problem is international in scope, both in origin of attacks and in location of victims;
* The majority of the attacks are enabled by faulty software, poor configuration, and operator error.
Undoubtedly the magnitude of the problems is greater than has been reported, and more has occurred than has been detected. Regrettably, I believe the situation is going to get worse because the problems have been ignored and neglected for too long to be quickly remedied.