Forwarded from: Elyn Wollensky <elynat_private>

http://www.washingtonpost.com/wp-dyn/articles/A9496-2002Nov19.html

By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, November 19, 2002

The U.S. government has earned failing marks for computer security for the second year in a row, according to a report released today by a congressional oversight committee.

Nearly two-thirds of the federal government's 24 major agencies flunked the General Accounting Office's (GAO) latest "computer security report card," according to a House Government Reform subcommittee. The Departments of Justice, Defense, Energy and Treasury earned flunking grades, with the Department of Transportation earning the lowest score. The Social Security Administration won the highest mark, with a "B minus."

The report comes at a time when the Bush administration worries that international terrorist groups like Al Qaeda not only are planning attacks against U.S. citizens, but intend to disrupt or disable the Internet and other global communications networks. Former Sen. Gary Hart (D), now co-chairman of the U.S. Commission on National Security/21st Century, has said that the government has not paid as much attention to "cyber-threats" as it should.

Rep. Stephen Horn (R-Calif.), who commissioned the GAO report, said he was "disappointed" in its results.

"Sept. 11 taught us that we must be prepared for attack. We cannot allow government operations to be compromised or crippled because we failed to heed that lesson," said Horn, who chairs the House Government Reform subcommittee on government efficiency, financial management and intergovernmental relations.

The grades were based on data the agencies gave to the White House Office of Management and Budget as required under a law passed two years ago. Congressional investigators from the GAO used the information to determine whether agencies met network security standards, such as limiting access to privileged data and eliminating easily guessed passwords.
The GAO noted marginal improvement in computer security at a few agencies, but said all 24 agencies continue to have "significant information security weaknesses that place a broad array of federal operations and assets at risk of fraud, misuse, and disruption."

The GAO based its assessment on the results of penetration testing and assessments of how well agencies met standard network security measures, such as limiting access to privileged data and eliminating easily guessed passwords. In February, the GAO reported that the Internal Revenue Service (IRS) failed to restrict access to sensitive computers on its network and exposed confidential taxpayer information to the public.

GAO Information Security Director Robert Dacey said the finding of additional areas of weakness at some agencies does not necessarily mean that information security at federal agencies is getting worse, but may instead reflect a growing awareness of security holes. Nevertheless, "the results leave no doubt that serious, pervasive weaknesses persist," Dacey said in the GAO report.

Alan Paller, research director for the SANS Institute, a nonprofit security consortium based in Bethesda, Md., said the GAO's annual review process reinforces the wrong behavior.

"There is a huge amount of money being spent on consultants for these thick, agency-specific reports. But the fact that these scores aren't getting better shows that while the law has impacted the reporting process, it hasn't really affected security," Paller said. "This simply measures how well agencies write reports - not the actual security of their systems."

Here is a list of the grades the GAO assigned to the agencies:

B minus: Social Security Administration
C plus: Labor Dept.
C: Nuclear Regulatory Commission
D plus: Commerce Dept., NASA
D: Education Dept., General Services Administration
D minus: Environmental Protection Agency, National Science Foundation, Dept. of Health and Human Services
F: Justice Dept., State Dept., U.S. Agency for International Development, Office of Personnel Management, Veterans' Administration, Dept. of Housing and Urban Development, the Small Business Administration, the Treasury Dept., Energy Dept., Defense Dept., Interior Dept., Agriculture Dept., the Federal Emergency Management Agency, Transportation Dept.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Nov 20 2002 - 02:24:00 PST