Senator: No laws can fix careless computer security

nferris@govexec.com

As members of the Senate Governmental Affairs Committee heard testimony about the government's vulnerability to cyberterrorists, hackers and information thieves Thursday, they wondered out loud whether anyone can do much to protect federal computer systems.

"You've [already] got a dozen pieces of legislation that in some ways deal with this problem," mused the committee chairman, Sen. Fred Thompson, R-Tenn. He suggested that it would take firing employees, documenting monetary losses or suffering a major embarrassment to get the attention of federal managers.

"It really is outrageous that the federal government in an area of this sensitivity cannot do more faster," Thompson added.

One of the witnesses was the renowned hacker Kevin Mitnick, who was released in January after serving almost five years in federal prison. He said the only system that had ever defeated his efforts to break in was in England. "If someone has the resources (the time, money and motivation), they can get into any computer," Mitnick said.

Kenneth Watson, manager of critical infrastructure protection for the Internet technology company Cisco Systems Inc., agreed with the thrust of Mitnick's comment. He said Cisco security teams can break into 75 percent of the systems they test.

Another witness, James Adams, chief executive officer of an Alexandria, Va., security company called Infrastructure Defense Inc., castigated "the current culture of lethargy and inertia gripping the federal government" and said the government can't hope to fight back against cybercriminals unless it moves faster and more boldly.

Roberta L. Gross, inspector general at NASA, also mentioned "a culture of I don't care." She testified that "the agency heads have to make clear that the current agency cultures, which permit very simple and avoidable vulnerabilities to occur and reoccur, are no longer acceptable."

Information technology "security will not happen without appropriate funding and a core capability of skilled personnel," Gross said, observing that "investment in IT security is very difficult for agencies to make."

The witnesses generally agreed that a computer security bill introduced last year by Thompson and Sen. Joe Lieberman, D-Conn., would be a step in the right direction. But in the end, most said, better management is what's really needed.

"Security program management is totally inadequate," Thompson said. "Obviously OMB [the Office of Management and Budget] has not been doing its job" of monitoring and managing federal IT security programs, he added.

Jack Brock, a General Accounting Office IT specialist, agreed that more high-level management attention would help. "In some agencies," he said, "accountability [for IT security problems] is always at the technical level," when in fact management may be at fault for failing to fund security programs or creating a culture of carelessness.

Brock applauded the pending bill, the Government Information Security Act, for its approach, which does not distinguish between national security-related systems and other systems. Sometimes vulnerabilities in civilian agencies' systems have been dismissed as not serious because the agencies handle no classified information, he said.

Thompson, meanwhile, mused about whether a new law would make much difference. Recalling all the GAO reports, IG audits and other recurring accounts of poor federal agency security, he said, "it makes you wonder what in the world it takes" to get the attention of federal managers.

Lieberman likewise blamed the situation on poor management and "cultural" deficiencies. He said "the bill would put every government agency on notice that it must implement a computer security plan subject to annual independent audits; report unauthorized intrusions; and provide security awareness training for all its workers."