Comment on Belmont's "Select from tblveterans"
The Belmont Club has a brief, interesting and interestingly titled post today: "Select * from tblVeterans." It concerns this AP story about the loss or theft of personal records of 26.5 million U.S. Veterans:
Personal data, including the Social Security numbers of 26.5 million U.S. veterans, were stolen from an employee of the Department of Veterans Affairs this month after he took computer disks home without authorization, the agency said Monday. The secretary for veterans affairs, Jim Nicholson, said there was no evidence so far that the burglars who robbed the employee's home had used the material - or even knew they had it. The employee, a data analyst whom Nicholson would not identify, has been placed on leave "pending the outcome of an investigation," the agency said on its Web site. Nicholson declined to comment further on the incident. Congressional sources who were briefed on the theft said the employee had taken the data disks home to work on a project.
Regarding the apparent data theft, Belmont Club proprietor Wretchard reminds readers of the existence and intent of best practices that prevent or greatly reduce the likelihood of such events:
Professional database administrators know about things like granting permissions on tables and putting audit scripts in, the kind that send pager messages or emails to warn, for example, when somebody wants 26.5 million keys and related records. Normally one tries to restrict direct query access to a database to a chosen few; it being better to provide data access to users through an application front end. And you can control the living daylights out of a front end. It is good practice to provide select access through stored procedures or some similar mechanism where execute permissions can be assigned and where at least one can count the rowset requested before returning it. You want twenty six thousand records? Maybe and you'd log it. But somebody asking for twenty five million records and change -- the whole dataset -- would make you wonder.
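The row-count gate and audit trail described in the passage above, sketched as an application front end. This is an added example, not code from the Belmont Club post or this page: SQLite stands in for the real database, the table name comes from the post's title, and the columns, thresholds, login name and `alerts` list (a stand-in for a pager or email hook) are assumptions. Database-level permissions are not shown.

```python
import sqlite3

LOG_THRESHOLD = 100     # assumed: larger requests are served but flagged
DENY_THRESHOLD = 1000   # assumed: larger requests are refused outright

class BulkExportDenied(Exception):
    pass

def make_db(n_rows=5000):
    """Constructed sample data; the SSN values are deliberately invalid."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblVeterans "
                 "(id INTEGER PRIMARY KEY, last_name TEXT, ssn TEXT)")
    conn.execute("CREATE TABLE tblAudit (ts TEXT DEFAULT CURRENT_TIMESTAMP, "
                 "login TEXT, prefix TEXT, rows_requested INTEGER, outcome TEXT)")
    conn.executemany(
        "INSERT INTO tblVeterans (last_name, ssn) VALUES (?, ?)",
        [(f"{'ABCDE'[i % 5]}name{i}", f"000-00-{i:04d}") for i in range(n_rows)])
    conn.commit()
    return conn

def get_veterans(conn, login, prefix, alerts):
    """Only path to the table: count first, audit always, refuse bulk pulls."""
    # Escape LIKE wildcards so a caller cannot widen the match with % or _
    escaped = (prefix.replace("\\", "\\\\")
                     .replace("%", "\\%").replace("_", "\\_"))
    where, args = "last_name LIKE ? ESCAPE '\\'", (escaped + "%",)
    (count,) = conn.execute(
        f"SELECT COUNT(*) FROM tblVeterans WHERE {where}", args).fetchone()
    if count > DENY_THRESHOLD:
        outcome = "denied"
    elif count > LOG_THRESHOLD:
        outcome = "flagged"
    else:
        outcome = "ok"
    # The audit row is written whether or not any data is returned
    conn.execute("INSERT INTO tblAudit (login, prefix, rows_requested, outcome) "
                 "VALUES (?, ?, ?, ?)", (login, prefix, count, outcome))
    conn.commit()
    if outcome != "ok":
        alerts.append(f"{outcome}: {login} requested {count} rows "
                      f"(prefix={prefix!r})")
    if outcome == "denied":
        raise BulkExportDenied(f"{count} rows exceeds limit {DENY_THRESHOLD}")
    # The SSN column is never selected by this accessor
    return conn.execute(
        f"SELECT id, last_name FROM tblVeterans WHERE {where}", args).fetchall()
```
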
Commentary
What I see in this story and in Wretchard's commentary is a partial explanation as to why information technology and organizational performance are not and cannot ever be perfectly correlated. Empirical research, especially that couched at the firm level, that uses large data sets, and that defines IT with expenditure-based measures (e.g. IT budget per employee) has noted the existence of a strongly positive correlation. Similarly, stock market returns to firms' announcements of major IT initiatives are, on average, not only positive, but statistically significantly so.
But despite positive average performance associated with IT there are many firms that achieve below average results. A handful experience drastic failures attributable to their use of or investment in IT. Certainly the presence or absence of best practices like those Wretchard outlined can explain some of the sub-par performance.
Another class of explanations focuses on the distinction between performance benefits attendant to the automation and those due to the infomation of organizational processes. In the former, human judgement, involvement, and decision-making is greatly reduced or altogether eliminated. Through automation organizations save costs because of reduced headcount and improved operational efficiency, especially from reduced error rates and faster data processing. The Department of Veterans Affairs has undoubtedly benefitted from the use of IT in this manner.
With "infomation", a term coined by retired Harvard Business School professor Shoshana Zuboff, organizational performance is enhanced by increasing the role of human judgment, discretion, and decision-making; by increasing access to and the ability to analyze data; and by relaxing constraints and decentralizing authority to those performing vital tasks. Such an approach has definite rewards. For example, it can allow organizations to develop the valuable, rare, difficult to imitate resources which strategically differentiate them from their competitors and thereby gain competitive advantage. But it also has enormous attendant risks; it can produce the most serious of organizational failures, the kind that would rarely happen in more tightly controlled and highly automated environments.
Were I a betting man, I'd predict that one result of the investigation into this theft will be the creation of additional controls or rules, plus technical barriers like Wretchard discussed, to prevent this kind of problem from occurring again. The offending employee and some of his supervisors will also likely be fired. I understand why this has to be: errors like this are not only highly embarrassing, they undermine public confidence and can have very negative effects for the veterans whose identities may have been stolen. Someone has to be held accountable.
But it is overly simplistic to think that technical fixes or more rules, particularly those imposed from on high and from the outside, will be the ultimate guarantor of the desired end. Tightening the DVA's screws and reducing degrees of freedom for key employees will actually be counter-productive if auditors fail to recognize that somewhere in there, more rather than less authority may need to be devolved. Somehow I don't feel confident betting that this last suggestion of mine will be heeded.
Links: Belmont Club

Comments
Doug,
It's a no-brainer the guy is going to get it. Nice try to turn all of this into a Bush-bash.
Anyway as to the security thing in general. Hey, let's face it procedures and security make it hard for a person to get what they want. I am a contractor and go through the security gauntlet on a regular basis. You get set up, you work work work and then you discover you need something extra (they didn't expect or missed) and you wait a couple of days for the security stuff to clear.
Usually, the first thing I look for at a client site is not the software and stuff I need to do my work, but the grease-monkeys who can expedite such procedures.
(ab)Users, data-analysts, and such should never have direct access to the data but go through the front end or file requests.
There are different types of people in an organization. There are clerks who record and feed in data, they have no idea what the data is, where it came from or where it's going to go they just know what info to fill into what field on what screen. This is where automation comes into play and works to take the load off of the workers. Management, OTOH, then takes all that data and then uses it to make their manual decisions.
I've seen all sorts of different (ab)users from those who literally wouldn't know how to turn their workstation on, to those who are constantly asking for new reports and data dumps (that they can slice & dice in Excel or write their own Focus scripts on).
Posted by: Marcus Aurelius | May 25, 2006 8:44 AM
My son's job includes being responsible for security of Segmented Compartmentalized Information for the Air Force at the Supercomputer facility here.
Like all other examples I have heard of from the Military, procedures are far more scrupulously followed than is generally the case in government.
(From what little I hear, since he doesn't tell Dad anything he isn't supposed to know!)
Posted by: Doug | May 25, 2006 6:54 AM
I work for the applications development department of a large consulting firm. Most of our clients are small to mid-size governmental entities. Best practices are rare indeed among public agencies in their use of IT resources. They tend to be strong on the lockdown part - enforcing access to the server room, setting strong password policies, and all the other stuff that is amenable to centralized control; but striking a happy medium between giving workers access to the data to enable them to do their jobs effectively, and at the same time controlling access to that data appropriately (as Wretchard suggests, the best practices for database access are well known, but seldom observed), is way beyond their capabilities. More centrally mandated procedures will likely restrict useful access to information more than protect continued safe access to needed data. Since the agencies are protected from the consequences of anti-productive policies, and since they are irresistibly biased toward top-down centralized management, there is probably no real solution short of privatization and competitive outsourcing of these functions.
Posted by: cato | May 24, 2006 3:52 PM
I don't think the VA -- as opposed to say, the CIA -- has much security in place for IT. In fact, maybe even the CIA doesn't!
If this is innocent, the guy was probably a consultant who "took stuff home" to work on...if it was nefarious, who knows? That's one heck of a database.
When the Baron left his senior programmer/analyst job recently no one even checked on what he took with him -- which, of course, was his coffee pot and pens and his own proprietary programs he'd brought in with him. But he could have walked off with a whole lotta stuff. No one asked, looked, or ventured an opinion. And the industry he was in is competitive so an unscrupulous person could've done something or other...
Posted by: dymphna | May 24, 2006 8:59 AM
"Someone has to be held accountable."
---
I dunno, unless he's a Republican.
Accountability has been sadly lacking in this Admin, imo.
To have the Corruption of Clinton followed by the laissez-faire neglect of GWB regarding all the crooks and traitors Bubba put in place is a sad coincidence of history indeed.
Posted by: Doug | May 24, 2006 2:22 AM