By Jay Lyman TechNewsWorld Part of the ECT News Network
12/10/03 10:08 AM PT
A U.S. House of Representatives subcommittee confirmed this week the concerns of security experts and Washington insiders by grading most federal agencies with a D or F in terms of IT security.
There was improvement from last year's federal computer-security progress report as the Nuclear Regulatory Commission and National Science Foundation each earned an A and the overall grade was boosted from an F to a D. However, 14 of 24 agencies got Fs or Ds, and lawmakers recognized the bad grades could signify danger.
"The federal government should be the standard bearer when it comes to information security," said Government Reform Subcommittee Chairman Adam Putnam (R-Florida). "Unfortunately, today's report card indicates anything but that."
Government Goals
This year's report card, which includes new reporting requirements under the Federal Information Security Management Act (FISMA), marks the fourth consecutive year of the grading. The process has repeatedly found serious security holes and lapses in the computer systems administered and used by federal government agencies.
Many of the agencies, such as the Social Security Administration and departments of Labor and Education, improved their grades from last year. However, other key departments -- State, Interior, Justice, Energy, Health and Human Services and NASA -- failed to improve or, in some cases, slipped from a D to an F.
"The overarching goal of FISMA was to force the federal government to put its house in order and become a reliable partner in the protection of our information highways," said Rep. Tom Davis (R-Virginia), FISMA author and Chairman of the Government Reform Committee. "The grades we released today indicate that while some rooms in that house are tidier, too many others are not."
Homeland Hammered
Among the federal agencies that brought home failing grades was the Department of Homeland Security. The agency was not graded last year, but it has been the focus of criticism since national cyber security efforts were folded into it over the past two years.
Ronn Bailey -- founder and chief executive of Vanguard Integrity Professionals, an industry group intended to counter lagging government efforts on cyber security -- told TechNewsWorld that the Department of Homeland Security killed the previous security momentum.
"When they got rolled up inside the Department of Homeland Security, people were now reporting four or five levels down," Bailey said. "Virtually all the people involved were no longer there."
Referring to the report card, Bailey likened the government's performance on IT security to "playing hooky."
"There is no grade to be made," he said.
Unable To Audit
On top of the disappointing -- but not unexpected -- government-wide grade of D, U.S. officials expressed concern that several of the agencies required to report to the subcommittee failed to audit their systems successfully.
"One of the most disturbing findings is that 19 of the 24 agencies reviewed had not completed an inventory of their mission-critical systems," Putnam said. "Obviously, an agency can't ensure its systems are secure if it can't account for all of its mission-critical systems."
Davis added that 79 percent of the agencies don't have accurate system inventories, which "casts doubt over the entire reporting process."
Culture and Capitalism
Putnam, who blamed the private sector and insecure software as well as government foot-dragging for the security dilemma, said the corporate culture of top CEOs and government executives must change.
"While some burden is on the shoulders of the user, I feel strongly that a significant burden falls on the shoulders of the hardware, software, operating system manufacturers and ISPs," Putnam said. "These entities, until recently, have paid insufficient attention to educating consumers as to the importance of security."
While he agreed about the need to change thinking among company managers, CyberGuard federal division vice president Matt Mosher told TechNewsWorld that until consumers demand a more secure cyber infrastructure, businesses will neglect it.
"I think [companies] are all talking about security, but at the end of the day these are public companies that are motivated by money," he said.