Last month, it was reported that "three small vials of Venezuelan equine encephalitis virus were determined to have been unaccounted for last year." While it has been concluded that this was not the result of misconduct, it does raise questions about the risk of mishandling sensitive materials. An act of theft was not detected; the absence of things inferred theft. So this demonstrates an administrative type of risk, where alarms are sounded and must be responded to due to proper inventory controls not being used, or used improperly.
An article in Wired magazine sums it up nicely: "Biological material can be grown, and on the other hand, it can die off. So what happens if the bugs in a few test tubes die off, and the scientist just shrugs and cleans them out without noting the action in his lab books? A few years later, and people wonder, what happened to the material in test tubes 45-48?" Following an adequate inventory control process could prevent this type of mishap.
A short list of activities that need to be conducted as a result of this panic:
- Interviews and interrogations
- Review of logs and accesses
- Full inventory audit
Then there is the public relations impact. If something of this scope leaked out for a company, how much would this cost in terms of loss of trust and customers? The Army being a government entity, this type of incident has the potential impact of increased anxiety and fear for the public, which could significantly affect the nation's productivity (which has its own price tag.)
Some recommendations for things to do regularly and thoroughly:
- Audit inventory
- Review and test security controls
- Review checkout processes
My point is, it doesn't always take an attack to cause a major security incident. Sensitive material that cannot be accounted for may be assumed to be in someone else's hands, and if this is the case, the safe default position to take may be to assume that the missing material is in the hands of a threat agent. The reaction may be appropriate (since these is an actual biological virus we are talking about) but might have been avoided altogether if inventory, controls and processes were reviewed regularly and thoroughly. They say the insider threat is the biggest threat, and in this case it may have been just an internal administrative faux pas that caused a very public security incident.
