GAO says federal cybersecurity has plenty of holes

Back in June, at a hearing before the Joint Economic Committee, Sen. Robert F. Bennett (R-Utah) suggested that the next terrorist attack on the United States would be cyberwarfare.

'That would produce more economic destruction in the long term,' he said.

But Lawrence K. Gershwin, the CIA's national intelligence officer for science and technology, replied with chilling foresight, 'Terrorists want to see something on television' [GCN, July 2, Page 8].

In spite of the physical damage done by the Sept. 11 attacks, Bennett has reiterated his warnings about information security.

'It is still vitally important that we pay attention to how vulnerable we are in the information age,' he said.

The extent of that vulnerability was underscored late last month in General Accounting Office testimony.

'Federal agencies have serious and widespread computer security weaknesses,' Joel C. Willemssen, GAO's managing director of IT issues, told the House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations.

Willemssen said a 1998 presidential directive calling for public-private cooperation in protecting critical infrastructure has had only limited success. Eight agencies have established liaisons with corresponding industrial sectors, and six information sharing and analysis centers have been set up. But antitrust restrictions and possible public disclosure of proprietary information have hampered data sharing, Willemssen said.

Security blind spot

Bennett called those concerns a serious security blind spot. Along with Sen. Jon Kyl (R-Ariz.) he has introduced a bill that would give limited exemption from the Freedom of Information Act and antitrust laws to companies that voluntarily share security information.

The bill, the Critical Infrastructure Information Security Act of 2001, would let companies request confidentiality for security information they submit to one of 13 designated agencies.

The antitrust exemption would let competitors cooperate on security matters. The exemption would not apply to efforts to organize boycotts, divide markets or fix prices.

Although the act addresses specific cybersecurity problems, Willemssen noted several pervasive weaknesses in government information systems. Since 1996, he said, GAO has found recurring problems in six areas:

  • Many agencies lack adequate security plans and have no programs for testing controls.

  • Few agencies adequately define their users' necessary levels of access to information and resources, or have secure controls against unauthorized access.

  • Agencies also lack adequate controls over use of system software, including operating systems and system utilities, which carry a higher level of risk.

  • Software testing is undisciplined and often ineffective, and documentation is inadequate.

  • Individuals often have too much authority, creating a risk of fraud or improper access.

  • Little effort has been made to ensure that critical mission activities survive natural, accidental or deliberate systems damage.

These problems result from lack of a national plan for cyberprotection, Willemssen said.

Ronald L. Dick, director of the National Infrastructure Protection Center, the multiagency law enforcement group housed at the FBI, told the subcommittee of the center's accomplishments.

'For the past three years, the NIPC was working tirelessly to build the broad partnerships we have today, to mobilize great talent, to break down the old ways of doing business, and to forge ahead with a united sense of government and private-sector purpose,' he said.

But NIPC has had only limited success, GAO concluded. It has cooperated in investigations and provided analysis and warnings of cyberthreats, but the warnings have come after threats were already under way. NIPC has not developed strategic capabilities to predict threats and issue timely warnings, and little information is being shared between public and private sectors, GAO said.

The failures grow out of a lack of generally accepted methodology for analyzing threats, a lack of industry-specific data, prolonged leadership vacancies at NIPC and staff shortages, GAO concluded.