Agencies still fail to take steps to secure information systems

Lack of comprehensive programs to protect data blamed for vulnerabilities.

Computer systems and networks at nearly all major federal agencies are vulnerable to cyberattacks, a panel of government oversight officials and industry security professionals told a House subcommittee on Tuesday. Agencies need to implement comprehensive security programs to better protect sensitive information, they said.

Despite growing concern about cyber threats and an increasing number of reported breaches, agencies fail to take the potential for widespread attacks on systems and networks seriously enough, James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, told the House Oversight and Government Reform Subcommittee on Government Management, Organization and Procurement.

"My fear is that when we predict the end of the world and it does not happen, people lose interest or think the problem is not serious yet," he said. "[There's] an unwillingness to recognize our own vulnerabilities or admit how deeply we have been penetrated, and a certain belief in our own superiority over our opponents ... We may still be first among equals, but on bad days, I am not even sure about that."

According to the Government Accountability Office, weaknesses in the access controls that detect, limit or prevent unauthorized access to computer systems were identified at 23 of 24 major agencies in fiscal 2008. Agencies did not consistently identify and authenticate users; ensure that access granted was necessary and appropriate; apply encryption to protect sensitive data; or log, audit and monitor security-related events, said Gregory Wilshusen, director of information security issues at GAO.

"An underlying cause for information security weaknesses at federal agencies is that they have not yet fully or effectively implemented key elements for an agencywide information security program," as required under the 2002 Federal Information Security Management Act, said Wilshusen.

John Streufert, chief information security officer at the State Department, touted the agency's Cyber Threat Analysis Program, under which a team of technical analysts assesses network intrusions and helps coordinate responses. The team also works with law enforcement and network defense organizations to detect and resolve significant threat issues.

The department's Cyber Security Incident Program holds individual users accountable for acts of misuse or abuse of systems. Since the program was established in 2007, nearly 100 users have been cited for various offenses. Consequences range from a letter of warning to suspension of network access -- and in rare cases, referral for criminal prosecution.

Members of the subcommittee accused the Homeland Security Department of failing to adequately enforce cybersecurity standards at agencies.

"DHS has thus far failed miserably in its charge to manage cyber response and coordination efforts," said subcommittee chair Diane Watson, D-Calif. "Until there are uniform principles [and] policies, our patchwork approach will have a minimum effect in securing our information infrastructure."