GAO information assurance chief offers security advice to agencies

The General Accounting Office's Keith A. Rhodes said, 'I told you so,' last week to the House Science Subcommittee on Technology.

'About this time last year I testified before this subcommittee on the Melissa virus, which temporarily disrupted the operations of some agencies,' said Rhodes, director of GAO's Office of Computer and Information Assurance.

'I stressed that the next virus would likely propagate faster, do more damage and be more difficult to detect and counter,' he said. 'This is just what we have experienced with ILOVEYOU.'

The House panel held a hearing last week on the ILOVEYOU virus, which affected thousands of government computers in its two-day tear around the world. Rhodes said the government has not done enough to protect its systems from such threats.

'Federal agencies must implement vigorous security programs to enable them to closely watch their information resources for signs of attack or intrusion, and to quickly react,' he said.

He offered a list of immediate actions that agencies should take:

• Increase awareness of security needs.

• Ensure existing controls are effective.

• Ensure software patches are up-to-date.

• Use automated scanning and testing tools to identify problems quickly.

• Expand use of best security practices.

• Address common vulnerabilities.

'While these actions can jump-start security efforts, they will not result in fully effective and lasting improvements unless they are supplemented by a strong management framework,' Rhodes said.

Shruti Dat
