The Government Accountability Office?s (see image) (GAO) harsh criticism of the federal bureaucracy for ?pervasive weaknesses? that ?threaten the integrity, confidentiality, and availability of federal information and information systems? should come as no great surprise. In fact, when the private sector?s record in securing its information systems is examined, it should almost be expected that the federal bureaucracy experiences similar difficulties in its attempt to implement robust cybersecurity policies and procedures.

Surprisingly, there has not been a large-scale breach of government-stored data. In the past year, the private sector has suffered targeted attacks against ChoicePoint, LexisNexis, and CardSystems ? just to name a few. All of these attacks were the result of both patient attackers and negligent defenders. In the case of ChoicePoint, the attackers chose social engineering tactics to gain access to sensitive data. The LexisNexis attack involved the use of a Trojan horse inserted into the LexisNexis network via an email attachment. Finally, the CardSystems breach apparently occurred through a vulnerability in the company?s customer service Web site that allowed hackers to access improperly stored customer transactions. Each of these cases illustrates not only that there are a variety of means that an organization can be attacked, but that there is a vibrant market for personal information. Based of this track record, and the apparent increased focus by hackers on stealing and selling personal information, it is surprising that the government has not been a target of some form of electronic attack.

<