Sunday, August 14, 2011
We need standards for government website security and meaningful consequences for violations
by Larry Geller
A San Francisco BART computer was hacked and private user information was published by the hackers today. The attack was said to be in retaliation for BART cutting off cell phone service in an effort to suppress protests over a police shooting on July 3. Protesters were also reported to be upset over the apparent (and well-videoed) police murder of unarmed BART rider Oscar Grant on New Year's Day 2009 (the former officer was only convicted of involuntary manslaughter).
According to a statement by the hackers,
"Any 8-year-old with an internet connection could have done what we did to find it. On top of that, none of the info, including the passwords, was encrypted."
[San Francisco Chronicle, BART website hacked, passenger info leaked, 8/14/2011]
I’m not an expert on data security, but I wonder why there are not standards, perhaps like ISO standards, for the protection of public data stored on government computers. And next, of course, there should be penalties for those who ignore the standards.
In Hawaii, we've just had another in a series of data breaches at our state university, the University of Hawaii. Tomorrow there could be another incident, and the day after that another. There seem to be no consequences for the lack of attention to matters of security at UH.
Yet we have building codes, for example, and penalties for violating them. Why not some framework designed to improve and enforce data and information security?
Why was none of the BART customer data encrypted? For passwords in particular, the accepted practice is not reversible encryption at all but a salted, deliberately slow one-way hash, so that even a full copy of the database gives an attacker nothing usable to log in with. BART was clearly asleep at the switch.
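To make the point concrete, here is an added example of how passwords should be stored so that a leaked table does not expose them. It is not code from BART or from the original post; the scheme (PBKDF2-HMAC-SHA256 with a 16-byte random salt and 600,000 iterations) and the sample usernames and passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters (not from the post): PBKDF2-HMAC-SHA256, a per-user
# 16-byte random salt, and an iteration count high enough to make offline
# guessing expensive. Tune the count to your hardware.
SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password
    get different records, so an attacker cannot crack them in one pass.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations, dklen=KEY_BYTES)
    return f"{SCHEME}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: never accept it
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=KEY_BYTES)
    # hmac.compare_digest avoids leaking where the comparison first differs.
    return hmac.compare_digest(candidate, expected)


def build_user_table(credentials: Dict[str, str]) -> Dict[str, str]:
    """Turn plaintext credentials into the only form that should ever be stored."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


def dump_reveals_plaintext(table: Dict[str, str], credentials: Dict[str, str]) -> bool:
    """Simulate the breach: does the stored table contain any password verbatim?"""
    return any(pw in record for record in table.values() for pw in credentials.values())


if __name__ == "__main__":
    # Constructed sample data; two riders happen to share a password.
    SAMPLE = {"rider1": "Tr0ub4dor&3", "rider2": "Tr0ub4dor&3", "rider3": "hunter2"}
    table = build_user_table(SAMPLE)
    for user, record in table.items():
        print(user, record)
    print("leak exposes plaintext:", dump_reveals_plaintext(table, SAMPLE))
    print("login rider1 ok:", verify_password("Tr0ub4dor&3", table["rider1"]))
    print("login rider1 bad:", verify_password("wrong", table["rider1"]))
```

The record format carries its own parameters, so the iteration count can be raised later and old records re-hashed at the user's next successful login. Storing the salt next to the hash is fine; its job is uniqueness, not secrecy.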
A side comment: I’m surprised that San Franciscans have not risen up over the cutoff of their cell phones. These days, cell phones are critical for personal communication, especially in emergency situations. Mass cutting off of cell phone use could endanger lives. Suppose someone needed medical attention? Try and find a payphone these days, or any phone at all on a train.
There oughta be a law about that, too.