http://www.washingtonpost.com/wp-dyn/content/article/2006/07/17/AR2006071701170.html

By Zachary A. Goldfarb
Special to The Washington Post
July 18, 2006

Every day, an electronic wall guarding the Agriculture Department's servers is probed for holes 2,000 times by potential hackers and data thieves. The probes usually can't get through that wall. But on the first weekend in June, a hacker made it deep into one server, prompting an announcement late last month that personal information on 26,000 Washington area employees, contractors and retirees may have been compromised.

To government officials responsible for information security and to outside experts, the intrusion -- and several recent security incidents at other agencies -- was no surprise. For the past five years, the department had received failing grades on a congressional report card for its information-security practices. The overall grade for federal agencies in 2005 was D-plus.

In the past few weeks, the Agriculture incident was joined by cases of potentially compromised data at Veterans Affairs, Health and Human Services, the Federal Trade Commission, the Government Accountability Office, Housing and Urban Development, the Navy, and the Energy Department. The State Department also suffered a series of hacking attacks.

The VA incident, with a loss of data on 26.5 million veterans and military personnel, drew the sharpest public attention. The data were later recovered. But officials and experts say that the frequency of the recent security incidents is not unusual, and that much more work needs to be done in the federal government to implement effective cybersecurity policies.

"We believe the number of breaches are at the same level as we have experienced them," said Clay Johnson III, deputy director for management in the Office of Management and Budget. "We have been very demanding of agencies to improve the IT security of their systems. We still have a long way to go."

In fiscal 2005, major federal agencies reported about 3,600 incidents that were serious enough to warrant alerting the government's cybersecurity center at the Department of Homeland Security, including 304 instances of unauthorized access and 1,806 cases of malicious computer code, according to a yearly OMB report.

But that does not present a full picture. Despite requirements to do so, agencies are "not consistently reporting incidents of emerging cybersecurity threats," government auditors said last year.

The grades that agencies receive on the congressional report card -- compiled by the House Government Reform Committee -- reflect their level of compliance with the 2002 Federal Information Security Management Act, which outlines security procedures for agencies. In 2005, in addition to Agriculture, the departments of Defense, Energy, Health and Human Services, Homeland Security, Interior, State and Veterans Affairs received F's.

Department technology officials said in interviews that whatever the past weaknesses, they have taken steps in recent months to improve the situation significantly.

"It's not something that happens overnight. It's not something that happens in a year," said Robert West, DHS's chief information-security officer. "We are walking toward an effective program. We're not chasing grades."

But it is agencies with low grades that have recently been hacked. Last fall, an intruder gained access to a computer at the National Nuclear Security Administration in Albuquerque -- part of the Energy Department -- and took a file with personal identifying information for 1,500 employees and contractors. Rather than alerting those whose data were compromised and senior Energy officials, the administration filed the episode away with about 830 other incidents the department experienced last year. The Albuquerque breach came to light only after the VA incident.

In congressional testimony last month, the department's inspector general, Gregory H. Friedman, said "significant weaknesses continue to exist."

Rep. Thomas M. Davis III (R-Va.), chairman of the House Government Reform Committee, explained why he thinks the government doesn't pay enough attention to cybersecurity: "If you don't accomplish your current mission, you know you're going to get dinged. If you don't accomplish this security thing, there's only an outside chance you'll have a data security breach" that garners attention.

Davis said he worries about a kind of cyber Pearl Harbor, and the Pentagon noted in a statement that potential adversaries, realizing the United States's overbearing military might, "see cyber attacks as an inexpensive means of leveling that battlefield." It added, "These asymmetrical threats are real and the results of insecurity are potentially catastrophic."

Davis and OMB's Johnson said federal overseers need to hold accountable federal officials who fail to take the necessary steps to safeguard systems. Davis suggested that criminal penalties may be necessary.

One problem, experts say, is that almost all agencies lack department-wide security programs. Such programs provide "a framework and continuing cycle of activities for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the entity's computer-related control," Gregory Wilshusen, GAO director of information security, told Congress in March.

Bruce Brody, a former VA and Energy chief information-security officer who now works in the private sector, said agencies cherish decentralization, which has "contributed to effective delivery of services to taxpayers. But in the case of information technology, it creates fragmentation. It creates inefficiencies."

Experts also said departments must close the wide gulf between senior leadership and information-security personnel.

Paul Kurtz, who worked in the White House on cybersecurity and now is the security-software industry's trade group president, said that senior agency officials had the attitude that they "had much better things to do with my job" than work on information security.

The VA's chief information-security officer, who announced his resignation June 29, said he had been unable to implement security changes during his more than three years on the job. He told Government Executive magazine that he had met VA Secretary Jim Nicholson only once, at a social event.

"The department has no interest in doing the right thing," Pedro Cadenas Jr. told the magazine. "I am having personal difficulty looking veterans in the eye and telling them that things will be OK."

VA spokesman Matt Burns said Nicholson issued a memorandum empowering security officials to do what is necessary to beef up security, a move he called "a significant step in the right direction."

Copyright 2006 The Washington Post Company
This archive was generated by hypermail 2.1.3 : Mon Jul 17 2006 - 22:54:56 PDT