Government networks still have weak links
Despite efforts to improve security, experts say government information systems remain vulnerable
- By William Jackson
- May 06, 2009
House lawmakers who held a hearing on threats to the country’s information infrastructure May 5 heard a familiar tale of inadequately protected government systems facing a growing array of increasingly sophisticated threats.
“In the absence of robust security programs, agencies have experienced a wide range of incidents involving data loss or theft, computer intrusions and privacy breaches, underscoring the need for improved security practices,” testified Gregory Wilshusen, director of information security issues at the Government Accountability Office.
GAO and agency inspectors general have repeatedly identified vulnerabilities in the form of inadequate information system controls, Wilshusen said. At the same time, the number of incidents federal agencies have reported to the U.S. Computer Emergency Readiness Team has increased dramatically. In the past three years, such incidents have more than tripled — from 5,503 in fiscal 2006 to 16,843 in 2008.
Wilshusen made his statements before the House Oversight and Government Reform Committee’s Government Management, Organization and Procurement Subcommittee. He cited numerous GAO recommendations for improving cybersecurity and a number of recent initiatives that offer hope for improvement.
Other witnesses called for the White House to take a stronger leadership role in forming a national cybersecurity strategy.
“To date, there has not been an ongoing, coordinated, national approach with senior White House leadership that would drive strategy development and cohesive implementation, bringing the strengths and capabilities of the various agencies and the concerns and input of stakeholders to bear,” said Liesyl Franz, vice president of information security programs and global public policy at information technology industry group TechAmerica.
Threats have evolved in recent years from rapidly spreading worms and often obvious hacks to more targeted attacks that use a combination of technical and social tricks to get past defenses. Increasingly, the attacks are the work of organized criminals seeking financial gain. Espionage by foreign nations is also suspected as more breaches in government systems are discovered.
The Obama administration recently completed a review of the country’s cybersecurity initiatives and is expected to release a report with recommendations for revamping policies soon. Melissa Hathaway, who led the review, has said that the reviewers will recommend that the White House direct cybersecurity policy and agencies manage operational activities.
Franz agreed that White House officials cannot be expected to direct the operational details of cybersecurity.
“As part of the public dialogue on cybersecurity, some have expressed concern that a new adviser in the White House would take authorities or responsibilities away from the Department of Homeland Security or other agencies, but we do not believe that is the case,” she said. “Certainly, DHS and other agencies will have a large role to play in providing strategy input and implementing key elements of it.”
Franz also said TechAmerica officials believe the Federal Information Security Management Act needs to be reformed to emphasize risk management and security monitoring rather than more static certification and accreditation programs.
Witnesses described information security as crucial to the country’s economic development. Retired Air Force Lt. Gen. Harry Raduege Jr., chairman of the Deloitte Center for Network Innovation, said the government must lead by example, and it needs to start now.
“The federal government must become a model for cybersecurity, and it must start by securing our networks and information as quickly as possible,” Raduege said. “Improving the security of our federal networks and nation’s digital infrastructures will be a long-term effort, but immediate focused attention on this significant challenge is absolutely critical.”
Wilshusen cited widespread shortcomings in current information security programs. “Federal systems are not sufficiently protected to consistently thwart cyber threats,” he said. “Serious and widespread information security control deficiencies continue to place federal assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption.”
He said that for years, most agencies have not implemented the security controls necessary to detect or prevent unauthorized access to IT resources. In fiscal 2008, weaknesses were reported in those controls at 23 of 24 major agencies.
“Over the past several years, we and the IGs have made hundreds of recommendations to agencies for actions necessary to resolve prior significant control deficiencies and information security program shortfalls,” Wilshusen said.
Auditors found deficiencies in user identification and authentication, authorization, boundary protections, cryptography, auditing and monitoring, physical security, configuration management, segregation of duties, and contingency planning.
“We have also recommended that agencies fully implement comprehensive, agencywide information security programs by correcting shortcomings in risk assessments, information security policies and procedures, security planning, security training, system tests and evaluations, and remedial actions,” he said.
He also cited efforts such as the Comprehensive National Cybersecurity Initiative, the Information Systems Security Line of Business the Office of Management and Budget established, OMB’s Federal Desktop Core Configuration, and the General Services Administration’s SmartBuy program as opportunities for improving security.
“Until such opportunities are seized and fully exploited and GAO recommendations to mitigate identified control deficiencies and implement agencywide information security programs are fully and effectively implemented, federal information and systems will remain vulnerable,” Wilshusen said.
William Jackson is a Maryland-based freelance writer.