On July 6, The Washington Post reported that"[a] government consultant, using computer programs easily found on the Internet, managed to crack the FBI's classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III." This article followed the Post's May 23 report that "[a]s many as 26.5 million veterans were placed at risk of identity theft when intruders stole an electronic data file this month containing their names, birth dates and Social Security numbers from the home of a Department of Veterans Affairs employee."
As Media Matters for America has noted, the conventional wisdom among the media is that the Bush administration and Republicans are "stronger" on national security issues than are Democrats, and this narrative has endured despite abundant evidence of lapses and missteps. Now that it has been reported twice in the past two months that lapses in security placed the personal information of millions of veterans and the integrity of the FBI's computer system in jeopardy, will the media finally begin to question the national security credentials of the White House and the GOP?
The Post reported on July 6 that, in 2004, a consultant working for the FBI easily and inappropriately gained access to "records in the Witness Protection Program and details on counterespionage activity," and that this was not the first major obstacle the FBI has encountered in bringing its computer systems up to date. According to the Post:
The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused.
The government does not allege that the consultant, Joseph Thomas Colon, intended to harm national security. But prosecutors said Colon's "curiosity hacks" nonetheless exposed sensitive information.
Colon, 28, an employee of BAE Systems who was assigned to the FBI field office in Springfield, Ill., said in court filings that he used the passwords and other information to bypass bureaucratic obstacles and better help the FBI install its new computer system. And he said agents in the Springfield office approved his actions.
The incident is only the latest in a long string of foul-ups, delays and embarrassments that have plagued the FBI as it tries to update its computer systems to better share tips and information. Its computer technology is frequently identified as one of the key obstacles to the bureau's attempt to sharpen its focus on intelligence and terrorism.
On May 23, the Post reported that a laptop computer and an external hard drive containing veterans' personal data were stolen on May 3, and that the employee from whom the information was stolen was not authorized to take the data home. According to the Post:
The theft represents the biggest unauthorized disclosure ever of Social Security data, and it could make affected veterans vulnerable to credit card fraud if the burglars realize the value of the data, one expert said.
"In terms of Social Security numbers, it's the biggest breach," said Evan Hendricks, publisher of the Privacy Times newsletter and author of the book "Credit Scores and Credit Reports." "As long as you've got that exact Social, most of the time the credit bureaus will disclose your credit report, and that enables the thief to get credit."
For years, the VA inspector general has criticized the department for lax information security, chiefly concerning the ease with which hackers might penetrate VA computer systems. "VA has not been able to effectively address its significant information security vulnerabilities and reverse the impact of its historically decentralized management approach," acting Inspector General Jon A. Wooditch wrote in a November 2005 report.
Democrats on the House Veterans Affairs Committee issued a statement calling on the department to restrict access to sensitive information to essential personnel and to enforce those restrictions. "It is a mystifying and gravely serious concern that a VA data analyst would be permitted to just walk out the VA door with such information," the statement said. Sen. Larry E. Craig (R-Idaho), chairman of the Senate Veterans Affairs Committee, said his panel will hold hearings on information security at the department.
The Post reported on June 30 that the laptop and hard drive had been recovered, and that the data had apparently not been accessed.