Last month,
it was reported that "three small vials of Venezuelan equine encephalitis virus weredetermined to have been unaccounted for last year." While it has beenconcluded that this was
not the result of misconduct, it does raise questions about the risk of mishandling sensitivematerials. An act of theft was not detected; the absence of thingsinferred theft. So this demonstrates an administrative type of risk,where alarms are sounded and must be responded to due to properinventory controls not being used, or used improperly.
An
article in Wired magazine sums it up nicely: "Biological material can be grown, and on the other hand, it can dieoff. So what happens if the bugs in a few test tubes die off, and thescientist just shrugs and cleans them out without noting the action inhis lab books? A few years later, and people wonder, what happened tothe material in test tubes 45-48?" Following an adequate inventory control process could prevent this type of mishap.
A short list of activities that need to be conducted as a result of this panic:
- Interviews and interrogations
- Review of logs and accesses
- Full inventory audit
Then there is the public relations impact. If something of this scopeleaked out for a company, how much would this cost in terms of loss oftrust and customers? The Army being a government entity, this type of incident hasthe potential impact of increased anxiety and fear for the public,which could significantly affect the nation's productivity (which hasits own price tag.)
Some recommendations for things to do regularly and thoroughly:
- Audit inventory
- Review and test security controls
- Review checkout processes
My point is, it doesn't always take an attack to cause a major securityincident. Sensitive material that cannot be accounted for may beassumed to be in someone else's hands, and if this is the case, thesafe default position to take may be to assume that the missingmaterial is in the hands of a threat agent. The reaction may beappropriate (since these is an actual biological virus we are talkingabout) but might have been avoided altogether if inventory, controlsand processes were reviewed regularly and thoroughly. They say theinsider threat is the biggest threat, and in this case it may have beenjust an internal administrative
faux pas that caused a very public security incident.
More...