Let's say you happen to gain access to confidential information, either on a Web site or on another individual's system. Do you report it? Do you read the confidential information yet not act on any of it? Or do you read the information and immediately use it to your own personal advantage?
It's a question of ethics, really, one that speaks to the integrity of the individual involved and the security policy in place in a given environment.
Dirty politics in Washington, D.C.
If you are a certain Republican staff member for the politically divided U.S. Senate Judiciary Committee, apparently you choose that last option. According to the Boston Globe and other news sources, GOP committee members gained access to computers used by their Democratic colleagues and, from the spring of 2002 well into 2003, both monitored communications and leaked information to the press.
The material obtained through this breach has already been used by columnists and talk show hosts, who offered their audiences unprecedented insight into the inner workings of the Democratic party.
This is as wrong as a criminal hacker breaking into a corporation's Web site. If these allegations hold up under investigation, those responsible should be punished just as a criminal would.
It could happen in the private sector as easily as in the public one. Many corporate employees work on shared networks and systems that contain plenty of confidential materials--everything from corporate strategy to trade secrets. Can you imagine the financial losses and legal repercussions had the same thing happened between competing businesses?
What really amazes me is the way accused Senate staffers are defending themselves.
Manuel Miranda, legal counsel for Senate majority leader Bill Frist and one of those being investigated, claims "there was no wrongdoing." He defends himself and others by saying, "The bottom line here is that the technology staff of the Democrats was negligent. They put these memos in a shared hard drive. It was like putting the memos on our desk."
Sounds to me just like a criminal hacker who's been caught stealing passwords or credit card information. According to the U.S. Patriot Act of 2001, criminal hacking is synonymous with international terrorism. Had this happened within Microsoft or some other large company, you can bet the Department of Homeland Security would be calling a press conference to announce an arrest.
Somehow I doubt we'll see that happening here.
It could have been prevented
Not to defend the Republicans' action, but it is true that none of this would have happened if the government were more careful about computer security. Chris Rouland, vice president of Internet Security Systems' X-Force, told me that the Senate and many corporations put all their security money into protecting the perimeter and have given little thought to what's happening inside their firewalls. He calls it the "hard-candy shell with a soft, chewy interior" approach.
Indeed, just last summer many companies were caught off guard by the MSBlast worm outbreak, in which a single infected PC connected to a corporate network could compromise the other Windows 2000 and XP machines inside the business's firewall.
Rouland said this sort of breach could be eliminated through a layered approach to security. For example, the Senate Judiciary should have one server for each of the major political parties, separated by a firewall. On top of that, every account should be password-protected (something the Senate Judiciary system apparently didn't require), every security event logged, and frequent audits run to expose any security compromises.
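One way to run the kind of audit Rouland describes, as an added example that is not part of the original column: a Python script that walks one party's directory tree on a shared server and reports anything reachable from outside that party's group. POSIX-style permissions, the constructed file names, and the names `audit_tree` and `Finding` are assumptions made for illustration.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str      # "symlink", "wrong-group" or "other-access"
    detail: str


def audit_tree(root, expected_gid):
    """Report entries under `root` that are reachable from outside `expected_gid`."""
    entries = [root]
    for dirpath, dirs, files in os.walk(root):  # does not descend into symlinked dirs
        entries += [os.path.join(dirpath, name) for name in dirs + files]

    findings = []
    for path in entries:
        st = os.lstat(path)  # lstat: inspect the link itself, not its target
        if stat.S_ISLNK(st.st_mode):
            findings.append(Finding(path, "symlink", "may expose or reach data outside the tree"))
            continue
        if st.st_gid != expected_gid:
            findings.append(Finding(path, "wrong-group", f"gid {st.st_gid}, expected {expected_gid}"))
        other_bits = st.st_mode & stat.S_IRWXO  # any read/write/execute for "everyone else"
        if other_bits:
            findings.append(Finding(path, "other-access", f"mode {stat.filemode(st.st_mode)}"))
    return findings


def demo():
    """Build a constructed two-file tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o770)
        locked = os.path.join(root, "strategy_memo.txt")
        exposed = os.path.join(root, "nominee_notes.txt")
        for path, mode in ((locked, 0o660), (exposed, 0o664)):
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")
            os.chmod(path, mode)
        return [(os.path.basename(f.path), f.kind)
                for f in audit_tree(root, os.stat(locked).st_gid)]


if __name__ == "__main__":
    for name, kind in demo():
        print(f"{kind:13} {name}")
```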
This breach is not as big a scandal as, say, Watergate, but it is serious. I'd like to see those investigating the case--the Senate sergeant-at-arms and the U.S. Secret Service--press charges. I'd like to see someone facing the same 1- to 10-year prison sentence for illegal computer intrusion that criminal hackers face. I'd like to see the same laws written to police you and me applied to those in government. Only then would I feel that the U.S. government is run by people of integrity who truly care about computer security.
What do you think should happen to those being investigated for the Senate Judiciary security breach? What do you think will happen? Tell me about it--TalkBack to me!