President Bushs successful drive for a department of Homeland Security is groundbreaking on many levels, not the least of which is the scope of the undertaking. Creation of the new department has been described as the largest overhaul of the federal government in 50 years, producing a new organization with a $38 billion budget and an estimated 170,000 employees assembled from 22 agencies, all focused on stopping terrorism, including attacks of the cyber variety.
So why do we not feel suddenly more secure?
The same week Congress was haggling over the details of the new department, another agency, the General Accounting Office, reported that for the second year in a row, most major branches of the federal government had earned failing marks for their efforts to secure internal systems. Nearly two-thirds of the agencies—including the Justice Department, Treasury Department, Department of Defense and Federal Emergency Management Agency—had failed to put even basic security processes in place. Many of the same agencies failed the same GAO review a year ago, including the Interior Department, which, last December, suffered the indignity of having a federal judge order its Web site temporarily offline.
The lesson is obvious: Reshuffling the massive federal bureaucracy and declaring war on cyber-terrorists wont plug the holes in persistently insecure government systems. Nor, apparently, will a regular diet of public embarrassment. One of the first orders of business for the Department of Homeland Security must be to ensure that government agencies protect themselves.
Newly appointed federal security watchdogs can learn whats needed in these very pages, where eWeek Labs experts dissect the lessons learned from our recently completed OpenHack 4 security test (see Page 47). The test reinforced the need for basic, often-overlooked security practices such as code reviews, penetration tests, the use of HTTP filtering, structured Web programming techniques, and the use of server- and network-based firewalls.
The Department of Homeland Security must make sure federal departments embrace these techniques. With governmental systems secure, the agency will have the credibility to persuade the rest of us to make the sacrifices needed to make our nation safe.