AOH :: ISN-2736.HTM

To Agency Insiders,




To Agency Insiders,
To Agency Insiders,



http://www.washingtonpost.com/wp-dyn/content/article/2006/07/17/AR2006071701170.html 

By Zachary A. Goldfarb
Special to The Washington Post
July 18, 2006

Every day, an electronic wall guarding the Agriculture Department's 
servers is probed for holes 2,000 times by potential hackers and data 
thieves.

The probes usually can't get through that wall. But on the first weekend 
in June, a hacker made it deep into one server, prompting an announcement 
late last month that personal information on 26,000 Washington area 
employees, contractors and retirees may have been compromised.

To government officials responsible for information security and to 
outside experts, the intrusion -- and several recent security incidents at 
other agencies -- was no surprise. For the past five years, the department 
had received failing grades on a congressional report card for its 
information-security practices. The overall grade for federal agencies in 
2005 was D-plus.

In the past few weeks, the Agriculture incident was joined by cases of 
potentially compromised data at Veterans Affairs, Health and Human 
Services, the Federal Trade Commission, the Government Accountability 
Office, Housing and Urban Development, the Navy, and the Energy 
Department. The State Department also suffered a series of hacking 
attacks.

The VA incident, with a loss of data on 26.5 million veterans and military 
personnel, drew the sharpest public attention. The data were later 
recovered. But officials and experts say that the frequency of the recent 
security incidents is not unusual, and that much more work needs to be 
done in the federal government to implement effective cybersecurity 
policies.

"We believe the number of breaches are at the same level as we have 
experienced them," said Clay Johnson III, deputy director for management 
in the Office of Management and Budget. "We have been very demanding of 
agencies to improve the IT security of their systems. We still have a long 
way to go."

In fiscal 2005, major federal agencies reported about 3,600 incidents that 
were serious enough to warrant alerting the government's cybersecurity 
center at the Department of Homeland Security, including 304 instances of 
unauthorized access and 1,806 cases of malicious computer code, according 
to a yearly OMB report.

But that does not present a full picture. Despite requirements to do so, 
agencies are "not consistently reporting incidents of emerging 
cybersecurity threats," government auditors said last year.

The grades that agencies receive on the congressional report card -- 
compiled by the House Government Reform Committee -- reflect their level 
of compliance with the 2002 Federal Information Security Management Act, 
which outlines security procedures for agencies.

In 2005, in addition to Agriculture, the departments of Defense, Energy, 
Health and Human Services, Homeland Security, Interior, State and Veterans 
Affairs received F's.

Department technology officials said in interviews that whatever the past 
weaknesses, they have taken steps in recent months to improve the 
situation significantly.

"It's not something that happens overnight. It's not something that 
happens in a year," said Robert West, DHS's chief information-security 
officer. "We are walking toward an effective program. We're not chasing 
grades."

But it is agencies with low grades that have recently been hacked.

Last fall, an intruder gained access to a computer at the National Nuclear 
Security Administration in Albuquerque -- part of the Energy Department -- 
and took a file with personal identifying information for 1,500 employees 
and contractors.

Rather than alerting those whose data were compromised and senior Energy 
officials, the administration filed the episode away with about 830 other 
incidents the department experienced last year. The Albuquerque breach 
came to light only after the VA incident. In congressional testimony last 
month, the department's inspector general, Gregory H. Friedman, said 
"significant weaknesses continue to exist."

Rep. Thomas M. Davis III (R-Va.), chairman of the House Government Reform 
Committee, explained why he thinks the government doesn't pay enough 
attention to cybersecurity: "If you don't accomplish your current mission, 
you know you're going to get dinged. If you don't accomplish this security 
thing, there's only an outside chance you'll have a data security breach" 
that garners attention.

Davis said he worries about a kind of cyber Pearl Harbor, and the Pentagon 
noted in a statement that potential adversaries, realizing the United 
States's overbearing military might, "see cyber attacks as an inexpensive 
means of leveling that battlefield." It added, "These asymmetrical threats 
are real and the results of insecurity are potentially catastrophic."

Davis and OMB's Johnson said federal overseers need to hold accountable 
federal officials who fail to take the necessary steps to safeguard 
systems. Davis suggested that criminal penalties may be necessary.

One problem, experts say, is that almost all agencies lack department-wide 
security programs. Such programs provide "a framework and continuing cycle 
of activities for managing risk, developing security policies, assigning 
responsibilities, and monitoring the adequacy of the entity's 
computer-related control," Gregory Wilshusen, GAO director of information 
security, told Congress in March.

Bruce Brody, a former VA and Energy chief information-security officer who 
now works in the private sector, said agencies cherish decentralization, 
which has "contributed to effective delivery of services to taxpayers. But 
in the case of information technology, it creates fragmentation. It 
creates inefficiencies."

Experts also said departments must close the wide gulf between senior 
leadership and information-security personnel.

Paul Kurtz, who worked in the White House on cybersecurity and now is the 
security-software industry's trade group president, said that senior 
agency officials had the attitude that they "had much better things to do 
with my job" than work on information security.

The VA's chief information-security officer, who announced his resignation 
June 29, said he had been unable to implement security changes during his 
more than three years on the job. He told Government Executive magazine 
that he had met VA Secretary Jim Nicholson only once, at a social event.

"The department has no interest in doing the right thing," Pedro Cadenas 
Jr. told the magazine. "I am having personal difficulty looking veterans 
in the eye and telling them that things will be OK."

VA spokesman Matt Burns said Nicholson issued a memorandum empowering 
security officials to do what is necessary to beef up security, a move he 
called "a significant step in the right direction."

Copyright 2006 The Washington Post Company


_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com 

Site design & layout copyright © 1986-2014 CodeGods