By Zachary A. Goldfarb
Special to The Washington Post
July 18, 2006
Every day, an electronic wall guarding the Agriculture Department's
servers is probed for holes 2,000 times by potential hackers and data
The probes usually can't get through that wall. But on the first weekend
in June, a hacker made it deep into one server, prompting an announcement
late last month that personal information on 26,000 Washington area
employees, contractors and retirees may have been compromised.
To government officials responsible for information security and to
outside experts, the intrusion -- and several recent security incidents at
other agencies -- was no surprise. For the past five years, the department
had received failing grades on a congressional report card for its
information-security practices. The overall grade for federal agencies in
2005 was D-plus.
In the past few weeks, the Agriculture incident was joined by cases of
potentially compromised data at Veterans Affairs, Health and Human
Services, the Federal Trade Commission, the Government Accountability
Office, Housing and Urban Development, the Navy, and the Energy
Department. The State Department also suffered a series of hacking
The VA incident, with a loss of data on 26.5 million veterans and military
personnel, drew the sharpest public attention. The data were later
recovered. But officials and experts say that the frequency of the recent
security incidents is not unusual, and that much more work needs to be
done in the federal government to implement effective cybersecurity
"We believe the number of breaches are at the same level as we have
experienced them," said Clay Johnson III, deputy director for management
in the Office of Management and Budget. "We have been very demanding of
agencies to improve the IT security of their systems. We still have a long
way to go."
In fiscal 2005, major federal agencies reported about 3,600 incidents that
were serious enough to warrant alerting the government's cybersecurity
center at the Department of Homeland Security, including 304 instances of
unauthorized access and 1,806 cases of malicious computer code, according
to a yearly OMB report.
But that does not present a full picture. Despite requirements to do so,
agencies are "not consistently reporting incidents of emerging
cybersecurity threats," government auditors said last year.
The grades that agencies receive on the congressional report card --
compiled by the House Government Reform Committee -- reflect their level
of compliance with the 2002 Federal Information Security Management Act,
which outlines security procedures for agencies.
In 2005, in addition to Agriculture, the departments of Defense, Energy,
Health and Human Services, Homeland Security, Interior, State and Veterans
Affairs received F's.
Department technology officials said in interviews that whatever the past
weaknesses, they have taken steps in recent months to improve the
"It's not something that happens overnight. It's not something that
happens in a year," said Robert West, DHS's chief information-security
officer. "We are walking toward an effective program. We're not chasing
But it is agencies with low grades that have recently been hacked.
Last fall, an intruder gained access to a computer at the National Nuclear
Security Administration in Albuquerque -- part of the Energy Department --
and took a file with personal identifying information for 1,500 employees
Rather than alerting those whose data were compromised and senior Energy
officials, the administration filed the episode away with about 830 other
incidents the department experienced last year. The Albuquerque breach
came to light only after the VA incident. In congressional testimony last
month, the department's inspector general, Gregory H. Friedman, said
"significant weaknesses continue to exist."
Rep. Thomas M. Davis III (R-Va.), chairman of the House Government Reform
Committee, explained why he thinks the government doesn't pay enough
attention to cybersecurity: "If you don't accomplish your current mission,
you know you're going to get dinged. If you don't accomplish this security
thing, there's only an outside chance you'll have a data security breach"
that garners attention.
Davis said he worries about a kind of cyber Pearl Harbor, and the Pentagon
noted in a statement that potential adversaries, realizing the United
States's overbearing military might, "see cyber attacks as an inexpensive
means of leveling that battlefield." It added, "These asymmetrical threats
are real and the results of insecurity are potentially catastrophic."
Davis and OMB's Johnson said federal overseers need to hold accountable
federal officials who fail to take the necessary steps to safeguard
systems. Davis suggested that criminal penalties may be necessary.
One problem, experts say, is that almost all agencies lack department-wide
security programs. Such programs provide "a framework and continuing cycle
of activities for managing risk, developing security policies, assigning
responsibilities, and monitoring the adequacy of the entity's
computer-related control," Gregory Wilshusen, GAO director of information
security, told Congress in March.
Bruce Brody, a former VA and Energy chief information-security officer who
now works in the private sector, said agencies cherish decentralization,
which has "contributed to effective delivery of services to taxpayers. But
in the case of information technology, it creates fragmentation. It
Experts also said departments must close the wide gulf between senior
leadership and information-security personnel.
Paul Kurtz, who worked in the White House on cybersecurity and now is the
security-software industry's trade group president, said that senior
agency officials had the attitude that they "had much better things to do
with my job" than work on information security.
The VA's chief information-security officer, who announced his resignation
June 29, said he had been unable to implement security changes during his
more than three years on the job. He told Government Executive magazine
that he had met VA Secretary Jim Nicholson only once, at a social event.
"The department has no interest in doing the right thing," Pedro Cadenas
Jr. told the magazine. "I am having personal difficulty looking veterans
in the eye and telling them that things will be OK."
VA spokesman Matt Burns said Nicholson issued a memorandum empowering
security officials to do what is necessary to beef up security, a move he
called "a significant step in the right direction."
Copyright 2006 The Washington Post Company