For the second year running, the federal government has flunked Computer Security 101. The 24 major agencies of the U.S. government performed so poorly this year that lawmakers charged with overseeing government efficiency said they want to tie agencies funding to network security procedures and force them to buy software only from a list of qualified products.
Despite the redoubled attention to security since the terrorist attacks of Sept. 11, 2001, 14 of 24 federal agencies flunked in their efforts to improve network safety, according to the Computer Security Report Card, released last month by the House Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations. This fall, the subcommittee concluded that every major agency in the federal government houses significant network security weaknesses.
Perhaps most worrisome, some agencies—including some that conduct highly confidential activity—fared even worse than they did a year ago.
The Department of State bottomed out with an F after receiving a D-plus last year. NASAs score fell to a D-plus from a C-minus, but NASA officials view their network security as on the rise.
“From our point of view, NASA has improved its focus on IT programs over the last year,” said Paul Shawcross, executive officer in NASAs inspector generals office, in Washington. “I get the feeling the grade standards have been increasing. Weve seen an improvement in attitude.”
Government officials also said network security can be measured in different ways, and the subcommittees measurements are not necessarily consistent with other government measurements.
Earlier this fall, the U.S. General Services Administration held up NASA as a model for other federal agencies to follow in their efforts to reduce computer attacks.
NASAs 10 centers collaborated to identify the most exploited network weaknesses and then used the same scanning tools on 80,000 computer systems.
Federal Agencies: SECURITY REPORT CARD
At a GSA forum in October, security officials said approximately one in 200 attacks penetrates NASAs systems, down from approximately one in 10 when the collaborative effort began in early 2000.
The subcommittees report card is based on numerous criteria, including employee training, access controls, incident reporting procedures, system software, mechanisms to ensure the security of contractor services and the use of performance measures, among other things. The data comes from reports that the agencies send to the White Houses Office of Management and Budget and audits conducted by inspectors general and the General Accounting Office.
Demonstrating the paradox of trying to promote improved security via public disclosure, the subcommittee declined to release detailed evaluations of each agency.
“With computer security, it is not necessarily in the best interest of everybody to identify specific problems,” an aide on the subcommittee said. “The agencies know, and they are the people who need to get going on this.”
The Social Security Administration made the highest grade this year, rising to a B-minus from last years C-plus. “The Social Security Administration continues to be a shining example of sound leadership and focused attention toward solving this important problem,” said the subcommittee chairman, Stephen Horn, R-Calif., upon disclosing the grades.
The Nuclear Regulatory Commission earned the third-highest grade this year with a C, which does not appear remarkable until viewed in comparison with last years failing grade.
In addition to tying funding to computer security, the government should set minimum security standards for commercial off-the-shelf software purchased by federal agencies, the subcommittee recommended in the report “Making Federal Computers Secure: Overseeing Effective Information Security Management.”
The panel suggested that agencies be given a list of qualified software products, based on tests by developers or by an independent government agency, such as the National Institute of Standards and Technology or the National Security Agency. “The current practice of releasing software without adequate security testing and then developing patches to fix vulnerabilities creates an untenable burden on government systems administrators,” the subcommittee said in the report.
Lawmakers noted that the OMB began using funding to try to improve computer security last year. OMB, which is requiring agencies to identify weaknesses and submit plans for addressing them, intends to end funding for IT projects that dont include security requirements.
In the past year, there have been significant attacks on computers at the White House, Pentagon and Department of the Treasury, among other agencies. Lawmakers advised senior managers to pay more attention to network security and promote better education within the ranks. They also suggested that all departments implement performance measures and integrate security into budget planning.
Horn plans to retire at the end of this congressional session. It remains unknown whether there will be a Computer Security Report Card next year.