Agencies Scolded for Lax Computer Security

Despite legislation passed last year directing federal agencies to beef up security plans for their computer systems, they are falling short as cyberattacks continue to rise, representatives from the General Accounting Office and other organizations told Congress.

"Since 1996, our analysis of information security at major federal agencies has shown that federal systems were not being adequately protected from these threats, even those systems that process, store and transmit enormous amounts of sensitive data, and are indispensable to many federal agency operations," Robert Dacey, director of information security issues at GAO, told the House Commerce subcommittee on oversight and investigations at an April 5 hearing.

Ronald Dick, director of the FBI's National Infrastructure Protection Center (NIPC), said there is a pending caseload of 1,219 government computer intrusions, including those into federal, state, local and military systems. A single case can consist of hundreds of compromised systems, he said.

While the NIPC has made progress over the past three years in building a capability to respond to cyberintrusions, "much work remains [and] more can be done to achieve the interagency and public-private partnerships," Dick told the panel.

Lawmakers, having received this latest GAO assessment and other reviews, expressed anger that the agencies are not taking the cyberthreat more seriously, particularly after last year's passage of the Government Information Security Reform Act.

"Our reviews consistently have found poor computer security planning and management, and a general lack of compliance with existing requirements of law and policy," said subcommittee Chairman Rep. James Greenwood, R-Pa. "We also found that, with few exceptions, the agencies were not testing their own systems to determine whether their security plans and policies were as effective in practice as they looked on paper."

When Congress passed the law in October 2000 reiterating computer security requirements contained in previous federal laws and Office of Management and Budget directives, it also imposed a new requirement that agencies' inspectors general conduct an independent test of an appropriate subset of agency systems each year, Greenwood said.

"While a few of the agencies are still in the process of producing documentation to us, it is fair to say that, at this point, we are not surprised or pleased by what we are finding," Greenwood said.

Few of the responding agencies have conducted true penetration tests of their computer systems, he said. Many of the tests have been limited in nature and scope and were done as part of financial system audits, he said.

Commerce Committee Chairman Billy Tauzin, R-La., said he and others on the committee will be looking at the issue seriously over the upcoming weeks to determine if more legislative action is required.

"Unless we get serious about this effort, we will never keep up with the rapid advances of technology in this area, which continually reveal new ways to attack cybersystems," Tauzin said. "In this increasingly interconnected world, we're either going to prioritize our resources better to meet this challenge (something that, to date, Congress has not forced the agencies to do) or we're going to find ourselves in deep, deep trouble."

Some industry representatives testifying before the panel said one way to bolster computer security is to increase partnerships with industry to obtain the needed expertise and technologies.

"Funding for secure government systems must be increased by a substantial amount, and outsourcing should be considered an option," said Tom Noonan, president and chief executive officer of Internet Security Systems Inc., a network security management company in Atlanta that provides security management software globally.

While the government often does well with the resources it has, Noonan said it is very expensive to obtain the computer security specialists now required to implement and coordinate many different security products and services to adequately secure a system.

"As computer security expertise is extremely rare, the cost of computer security specialists is astronomical," he said. "In my company alone, the average salary of my 2,000 employees is around $80,000."

Noonan said that to help address the cost of computer security, educational efforts must be taken to train personnel.

"Computer programmers in universities should be trained in computer security," he said. "Currently, they are not. In addition, specialized programs in computer security should be encouraged."

Information Technology Association of America President Harris Miller also urged the lawmakers to facilitate more cooperation with industry in this arena.

Miller said increased financial support from Congress should match the private sector's efforts to secure its information systems. Government also should fund advanced information security research, filling the gap between industry-led, market-driven research and development and long-term R&D based on national security and defense needs.

ITAA also recommended the government adopt some means of ensuring internal accountability for information security, making it part of every manager's responsibilities.

And government should organize and develop sound information security policies and practices and communicate about security with the private sector and among various agencies, Miller said.