Fed IT Security Seen as Weak
House Panel Urged to Take Steps
"It's inexcusable that in 2009 we seem to be unable to prevent our adversaries from breaking into our computer networks," Marcus Sachs, director of SANS Internet Storm Center, testified before the House Oversight and Government Reform Committee's Subcommittee on Management, Organization, and Procurement. "It's also inexcusable that we continue to run our computer networks as though they are some magical enterprise only understandable by geeks and nerds. Cyberspace belongs to all of us, and we are all part of the solution to making it more secure."
Indeed, the former director of the Defense Information Systems Agency told the panel that the government should institute an IT security awareness program to educate its workforce about the security vulnerabilities posed by the Internet. "An aggressive outreach and awareness campaign is needed in creating a cybersecurity mindset to raise the level of knowledge of federal leaders and the workforce that our nation is constantly under cyber attack," said retired Air Force Gen. Harry Raduege, who chaired the highly regarded Commission on Cybersecurity for the 44th Presidency. "We need to ensure that every person who logs onto a system connected to the federal enterprise is properly educated and trained to protect the information in which they have been entrusted."
Sachs called on the federal government to lead by example by securing its corner of the Internet. Congress should enact legislation to require the government to use its purchasing muscle to get vendors to provide technology preconfigured for IT security, said Sachs, who heads a program that monitors the level of malicious activity on the Internet.
If Congress requires the government to purchase preconfigured IT, then the industry that manufactures and sells those technologies must be engaged in helping develop those standards, testified Liesyl Franz, vice president for information security and global public policy at TechAmerica, the industry trade group once known as the Information Technology Association of America.
Franz said the industry wasn't adequately consulted when the White House Office of Management and Budget developed its guidance on the Federal Desktop Core Configuration, which requires agencies to buy desktops preconfigured with specific security settings. Later, the National Institute for Standards and Technology invited vendors to participate in NIST's development of security standards. "For any future engagement," Franz said, "we strongly encourage collaboration with industry partners from the beginning of the process to help articulate the problem and identify solutions. Such a collaborative process may require additional resources for NIST, which we believe should be considered and supported."
Gregory Wilshusen, director of information security issues for the Government Accountability Office, the investigative arm of Congress, told the panel that deficiencies in federal IT security threaten inappropriate disclosure of sensitive information and place critical national operations at risk.
Wilshusen pointed out that most agencies have failed to implement controls to sufficiently prevent, limit or detect access to computer networks, systems and information over the past few years. Indeed, he said, weaknesses were reported in such controls at 23 of 24 major agencies for fiscal year 2008, which ended last Sept. 30.
"An underlying cause for these weaknesses is that agencies have not yet fully or effectively implemented key elements of their agency-wide information security programs," he said in his prepared testimony. "To improve information security, efforts have been initiated that are intended to strengthen the protection of federal information and information systems."
He cited the Comprehensive National Cybersecurity Initiative launched in January 2008 by President Bush as a program intended to improve federal efforts to protect against intrusion attempts and future threats. Still, he said, "until such opportunities are seized and fully exploited and GAO recommendations to mitigate identified control deficiencies and implement agency-wide information security programs are fully and effectively implemented, federal information and systems will remain vulnerable."