Last month, it was reported
that “three small vials of Venezuelan equine encephalitis virus were
determined to have been unaccounted for last year.” While it has been
concluded that this was not the result of misconduct , it does raise questions about the risk of mishandling sensitive
materials. An act of theft was not detected; the absence of things
inferred theft. So this demonstrates an administrative type of risk,
where alarms are sounded and must be responded to due to proper
inventory controls not being used, or used improperly.
An article in Wired magazine sums it up nicely: “Biological material can be grown, and on the other hand, it can die
off. So what happens if the bugs in a few test tubes die off, and the
scientist just shrugs and cleans them out without noting the action in
his lab books? A few years later, and people wonder, what happened to
the material in test tubes 45-48?” Following an adequate inventory control process could prevent this type of mishap.
A short list of activities that need to be conducted as a result of this panic:
Then there is the public relations impact. If something of this scope
leaked out for a company, how much would this cost in terms of loss of
trust and customers? The Army being a government entity, this type of incident has
the potential impact of increased anxiety and fear for the public,
which could significantly affect the nation’s productivity (which has
its own price tag.)
Some recommendations for things to do regularly and thoroughly:
My point is, it doesn’t always take an attack to cause a major security
incident. Sensitive material that cannot be accounted for may be
assumed to be in someone else’s hands, and if this is the case, the
safe default position to take may be to assume that the missing
material is in the hands of a threat agent. The reaction may be
appropriate (since these is an actual biological virus we are talking
about) but might have been avoided altogether if inventory, controls
and processes were reviewed regularly and thoroughly. They say the
insider threat is the biggest threat, and in this case it may have been
just an internal administrative faux pas that caused a very public security incident.
bp-serverscom unitvpscom
