A report from the GTC East conference gave government IT attendees all the wireless security talking points that corporate personnel are used to hearing: the need for encryption, the importance of proper wireless settings, and the close relationship between wireless management and security.
The report was frightening.
It's one thing when a laptop with a few thousand names and a tremendous amount of personal data disappears. We're not making light of it. But, by this point, we are quite accustomed to laptops turning up missing. In fact, it's sort of a surprise when somebody shows up at his or her office with a machine safely in tow.
It's also apparent that the criminals are, by and large, ripping people off for the machines, not the data on them. Though the thefts and losses are serious, each instance just doesn't seem like the end of the world.
But the idea that the government isn't paying attention to mobile security may be, well, the end of the world. Or at least a sign of real danger to a lot of people on it.
How safe should we all feel when government IT executives are still being told that unprotected Wi-Fi networks can be tapped into from the parking lot outside a building? Indeed, one presenter at the conference recently found a government wireless network in Ohio that was completely unprotected. Some small companies make this mistake, but the government shouldn't.
We may be a bit neurotic, but we've been watching The Simpsons too long to be comfortable with the idea of an uneducated engineer running an inadequately secured wireless network at, for instance, a nuclear power plant.
To be clear, the audience may well have been security-conscious and totally competent. But the report leaves one a bit nervous about the apparently basic level of information conveyed during the presentations. That concern isn't eased by the recent track record.
The point was driven home by one paragraph in the story. A presenter emphasized that security initiatives have to be prioritized. Fair enough. Users, the presenter said, should ask if people will die if security on a certain system is compromised. In the next sentence, he said that the IT department also should ask if users are properly trained.
We understand that the executive almost certainly was exaggerating for effect. But more than five years after 9/11, shouldn't it be a given that anyone involved with either the use or operation of government wireless systems -- especially ones whose failure could be dangerous -- is adequately trained?