When Gregory Wilshusen Talks, People Listen
In the past three fiscal years, the number of attacks on federal systems reported to the U.S. Computer Emergency Readiness Team by departments and agencies has increased fivefold. Part of that increase could be from better reporting and improved abilities to detect attacks, Wilshusen said in an interview with GovInfoSecurity.com (transcript below).
"But, it could also mean that our opponents and our adversaries are exploiting vulnerabilities and actually increasing the incidents into agency systems by deploying malicious software, which is one of the key types of attacks that have occurred on federal systems, gaining unauthorized access," said Wilshusen, who's considered one of the top experts in government on identifying security weaknesses in federal IT.
Wilshusen said it's understandable why agencies always seem to be playing catch-up in securing their IT systems and networks. "There is a large number and growing number of vulnerabilities that they have to contend with as well as, of course, the threat is evolving and changing and growing more sophisticated," he said. "Those factors make securing federal systems very challenging."
In the first of a three-part interview, Wilshusen discusses:
- Overall security of federal computer systems.
- Progress federal agencies are making in securing their IT systems.
- New GAO audits on the Federal Desktop Core Configuration and Trusted Internet Connection initiatives.
As information security issues director at GAO, the investigative arm of Congress, Wilshusen knows more about the challenges government agencies face in securing their IT systems. Wilshusen is a familiar face on Capitol Hill, testifying numerous times a year about government IT security.
Wilshusen, who was interviewed in his Washington office by GovInfoSecurity.com's Eric Chabrow, leads information security-related studies and audits of the federal government. He has more than 27 years of auditing, financial management and information systems experience. Before joining GAO in 1997, Wilshusen served as a senior systems analyst at the Department of Education as well as the controller for the North Carolina Department of Environment, Health and Natural Resources.
ERIC CHABROW: How secure are our government security information systems?
GREGORY WILSHUSEN: They are not as secure as they need to be, but what we have reported over the years is a number of vulnerabilities in information systems throughout the federal government. It is not just GAO but agency IGs (inspectors general) and the agencies themselves recognize and acknowledge that they have issues that they need to correct on their information systems.
We have been reporting information security as a high-risk area, government-wide, since 1997. This is a long-standing issue and will be for quite some time and there are a number of reasons for that.
First, the threats to federal systems and networks are growing and evolving. No longer is it just merely hackers out there trying to gain bragging rights, but we have nations, organizations, and criminal organizations that are organizing in order to break into systems for either political gain, economic gain or other advantage to their benefit.
Similarly, the vulnerabilities to systems continue to increase too. The National Vulnerability Database has over 41,000 vulnerabilities or misconfigurations that can place systems at risk. There is a huge volume of potential vulnerabilities that agencies have to contend with to be able to mitigate as well as with the threat.
And, the other impact that is really important is the fact that agencies rely on information systems to just an extraordinary degree in order to deliver their services and perform their missions.
The impact of a potential threat or vulnerability that is exploited can be quite significant and it is not just within the federal systems too but it is within our critical infrastructures, and that is one of the areas where the federal government has a number of challenges.
CHABROW: You speak of high risk. Define high risk.
WILSHUSEN: High risk is one that can have a severe or catastrophic impact. We define risk as composed of three elements: Threat, vulnerability and impact. What are the threats out there? The types of attacks? The sources of those attacks and their ability, motivations and capabilities to actually exploit an attack.
Second are the vulnerabilities. How vulnerable is an organization? Are their systems to those attacks and to those vulnerabilities? If they are vulnerable, that could allow an attacker to come in, or it could even be an insider, you know we have to consider both internal threats and external threats. The vulnerabilities are key to that because that is the avenue, or attack venue, which someone can gain unauthorized access to the data.
And then the third element of that is the impact. What is the impact to the organization should a threat come in and exploit a vulnerability and gain access to data or manipulate it or disrupt service? If the impact isn't that great, well then it is not that particularly high risk, but if the impact is significant and it could have a severe or catastrophic impact on the agency's ability to conduct its operations, then that would be a high risk.
CHABROW: How alarmed should citizens be when, as you reported, U.S. CERT showed a marked increase in security incident reports, or as you just described, some of the high risks that they are facing?
WILSHUSEN: It is one thing that recorded incidents to U.S. CERT show is that over the years the number of attacks that have been reported to U.S. CERT, and that may not include some of the reports to incidents that aren't reported but that is another issue, the number of attacks have grown significantly over the last three years from about 5,500 up to nearly 30,000 in fiscal year 2009, and that could be the result of a couple of things.
One is better reporting on the part of agencies and their ability to detect these attacks and incidents and then reporting them, but it could also mean two, that our opponents and our adversaries are exploiting vulnerabilities and actually increasing the incidents into agency systems by deploying malicious software, which is one of the key types of attacks that have occurred on federal systems, gaining unauthorized access. And there is improper use of the citizens by internal employees and contractors. Those that have been reported have been increasing over the last three to four years.
CHABROW: Nearly every GAO audit I have read begins with a statement such as, "There has been improvement in certain measures to secure IT, but much more needs to be done." What does that say about the difficulty for agencies to take the right measures to secure IT?
WILSHUSEN: Agencies face significant challenges in securing their systems. The complexity of the computing environment is really significant. They are highly dynamic. There are changes to the computing environments on almost an ongoing basis. They are increasingly being interconnected with other networks and systems both within the organization and external to the organizations, including through the Internet.
Diversity of the environments in many federal agencies is quite significant. We have multiple operating systems, multiple types of networks, some are decentralized and some are centralized, and all of these elements, including the geographic dispersal of these systems. Some agencies like State and the Department of Defense have operations that span the globe. It is a very challenging environment in which to secure.
As we mentioned in the previous question, there is also a large number and growing number of vulnerabilities that they have to contend with, as well as of course the threat is evolving and changing and growing more sophisticated. Those factors make securing federal systems very challenging.
Agencies are working very diligently, most of them to try to improve their security. And indeed there have been a number of government-wide initiatives in trying to improve their security. These include the Comprehensive National Cyber Security Initiative, which is an initiative consisting of 12 projects that address various different aspects of improving, that overall have the intent of trying to improve federal security.
Other initiatives include the Trusted Internet Connections initiative, which is intended to reduce and consolidate the number of external access points to the Internet and other external connections and by reducing them also then to strengthen the security around those particular access points that remain.
Another initiative in which agencies are making progress is securing their Windows operating systems. Historically, there have been a number of vulnerabilities associated with Windows operating systems. On our audits we often find vulnerabilities in how agencies configure their Windows systems. What this Federal Desktop Core Configuration Initiative is intended to do is to set secure configurations for Windows systems. We currently have ongoing work looking at that particular initiative as we do with the Trusted Internet Connections. We expect our report to come out and be released publicly next month.
There are efforts underway, agencies are trying and they are making progress, but because of just the highly dynamic nature of the federal computing environment it remains a big challenge.
CHABROW: To make sure I am clear, you are going to be coming out with the Federal Desktop Core Configuration and a separate report on TIC?
WILSHUSEN: That is correct.
CHABROW: Anything you can tell us now about that?
WILSHUSEN: Just that we are doing the work for Sens. Lieberman, Collins, and Carper of the Homeland Security Governmental Affairs Committee. Our objectives on those engagements were to identify the goals and objectives of those initiatives, the extent to which they have been implemented within the federal government, and any challenges and lessons learned in the benefits that agencies are reporting as they implement those initiatives.
(Editor's Note: The interview occurred shortly before GAO released its audits on the Trusted Internet Connection and Federal Desktop Core Configuration initiatives.)