Hill panel laments IT security weaknesses
Agencies that have shown the most improvement are the ones that have been embarrassed in the past, congressman says
BY TONY LEE ORR | GCN STAFF
The government's failure to secure its information systems is leaving the federal infrastructure open to significant risk, witnesses this month told the House Energy and Commerce Subcommittee on Oversight and Investigations.
Agencies that have felt 'the sting of public embarrassment' have shown some improvement, said the committee's chairman, Rep. W.J. 'Billy' Tauzin (R-La.), but agencies overall 'are just treading water.'
Rep. W.J. 'Billy' Tauzin waves an IG report about flawed HCFA security. Public embarrassment sometimes forces agencies to get serious about computer security, he says.
Tauzin cited a report from the Health and Human Services Department's inspector general about numerous systems weaknesses that permitted unauthorized access to Health Care Financing Administration data.
Poor system controls are the norm at HCFA, according to the IG's review, Report on the Financial Statement Audit of the Department of Health and Human Services for Fiscal Year 2000.
The IG said HCFA contractors are responsible for most of the weaknesses. Of the 124 flaws the IG's staff identified during reviews at nine Medicare data processing facilities, it attributed nine to HCFA employees or procedures.
The report said control vulnerabilities allowed unauthorized access to sensitive information and made it possible for hackers to tamper with files.
HCFA officials said the report overstated the problems.
'To our knowledge there have been no problems involving money or confidential medical records,' said a HCFA spokesman who asked not to be identified. 'No sensitive records have been hacked into.'
Tauzin said he would have his committee investigate whether HCFA records had been compromised. In the meantime, HCFA is cracking down on its contractors, the spokesman said.
HCFA's problems are not uncommon, said other officials who testified.
Moving target
Securing the government's systems against intrusion is like trying to secure a house that has 65,536 doors and windows, each needing to be locked, said Tom Noonan, president and chief executive officer of Internet Security Systems Inc. of Atlanta.
The open nature of most operating systems increases risk, he said, noting that most users aren't savvy enough to lock down all the loopholes.
Federal investigators are working on 102 cases of intrusion into government systems, said Ronald L. Dick, director of the FBI's National Infrastructure Protection Center. Many cases involve multiple incidents, he said, and some cases involve hundreds of compromised systems.
Sallie McDonald, the General Services Administration's assistant commissioner for information assurance and critical infrastructure, said about 80 percent of hacking incidents go unreported because systems operators are unaware of them. Last year, 586 were reported, she said.
GSA is pushing agencies to hire security companies to help them lock down their systems against cyberattacks, McDonald said. Agencies that use services are asked to share their findings with GSA so other agencies can learn how to protect themselves, she said.
A good cybersecurity program includes both an evaluation of vulnerabilities and consistent intrusion detection, McDonald said. It is only by sheer luck that agencies have avoided a serious hacking attack by a foreign power, she and others testified.
Growing menace
The threat of cyberwarfare grows with technological advances and the increased dependence on systems, Dick said.
So far, severe hacking incidents mainly have affected agencies that deal with the environment and scientific research, McDonald said.
In September 1999, a hacker took over an Environmental Protection Agency computer and altered the system's access controls, blocking EPA employees from accessing their own files, said Robert F. Dacey, the General Accounting Office's director of information security.
EPA is implementing a plan to offset the weaknesses but doesn't expect to complete the work until 2002, he said. In the meantime, the agency continues to report internal control weaknesses under the Federal Managers' Financial Integrity Act of 1982.
Most agencies with poor systems security have failed to establish agencywide security frameworks, Dacey said.