Thursday, June 19, 2008

Hacker Phobia

Okay, this isn’t really a common condition yet, but if there are a few more incidents like the one reported in the Boston Herald on Monday, there might be a few more cases reported. According to the news accounts, a state Investigator who was fired for having pornography on his state-issued laptop computer turns out to have been the victim of hackers, who were able to crack into his system because his state-issued anti-virus software was corrupted. Forensic examinations conducted by the defense team (and later confirmed by the State Attorney General’s office) indicate that the offending content was downloaded into the machine’s cache without participation from the operator. Unfortunately, the department this investigator worked for has decided to stand behind its decision to fire him, and is refusing to discuss taking him back…

The immediate reaction is to call this a gross injustice and start agitating for the punitive firing of the officials making this decision, a large cash settlement for the victim, and an audit of both human resources procedures and data security for the entire state of Massachusetts. Certainly, the lawsuit that is coming will request at least one (and probably all) of these things. But as satisfying as it would be to punish the guilty, compensate the wronged, and prevent similar bureaucratic stupidity while making sure that there aren’t any other ticking bombs of this type elsewhere in the system, these measures do not address the true strategic failures of this situation – and will not really prevent the next poor computer illiterate from being caught the same way…

For openers, the agency (and really the state government) needs to examine its equipment purchase and issue protocols, and figure out how a used computer with a compromised anti-virus software package ended up in the hands of a computer illiterate. They should then institute whatever measures are necessary to make sure that all used computers are properly wiped and flushed, and that all of their anti-virus and security software is checked and updated regularly. While they’re at it, the state should probably extend its computer training programs to include everyone who is likely to be issued an official computer for work, and make sure they know how to keep an eye out for this sort of hacker attack. Assuming that measures put into place years or even months ago will still suffice to protect your agency and your people today is asinine, and must be avoided…

Then there’s the matter of the criminal charges. Taking any disciplinary action against an employee before an independent investigation that PROVES wrongdoing is complete is so stupid I can’t even think of a bad metaphor for how stupid it is. If the department’s rules, the agency’s rules, or the state laws do not require such a waiting period (or worse yet, make one impossible) they must be corrected. In the meantime, rules that prohibit any mention of such a situation before the investigation is complete should be instituted at once; the public’s right to know about these accusations DOES NOT supersede a suspect’s right to be considered innocent until PROVEN guilty, and whoever filed those charges or leaked word of them to the media should be fired at once…

Finally, there’s the matter of what to do about the employee now that the investigation has cleared him and the criminal case against him has been dismissed. If the measures already discussed have been implemented, there should never have been a court case or public exposure in the first place, but if there had been, what can the agency do now? It can announce that the Inspector has been cleared of all charges and is returning to his duties, that’s what – he’s an industrial accident investigator, not a teacher or a health care provider! It’s unfortunately true that some of the stupid and ignorant people he runs into will not believe in his innocence, but if the agency does (and it should) then they need to stand up for their people and do the right thing…

And if the hackers responsible are ever caught, they should be forced to apologize and make whatever restitution is possible, and then shot…
