Witnesses Call for Better Information Security from Federal Government

By Matthew Harwood

Government officials and information security experts discussed the federal government's ability to protect its sensitive information from data breaches and cyberattacks at a congressional hearing yesterday.

"The American people need to trust that the information they are submitting to or receiving from the government is accurate, reliable, and secure," said Vivek Kundra, the federal chief information officer at the Office of Management and Budget (OMB), before a House Committee on Oversight and Government Reform subcommittee.

In 2002, Congress passed the Federal Information Security Management Act (FISMA) to better protect information on federal networks. The law created a risk management framework under which an agency's leadership assesses how well its data is protected and builds an information security program to address the vulnerabilities it finds. OMB then makes the final decision to approve or reject the agency's information security program.

So far, the results have been far from encouraging.

"Over the past few years," Gregory C. Wilshusen, director of information security issues at the Government Accountability Office (GAO), told lawmakers, "the 24 major federal agencies have reported numerous security incidents in which sensitive information has been lost or stolen, including personally identifiable information, which has exposed millions of Americans to the loss of privacy, identity theft, and other financial crimes."

The reason, he said, is that 23 of the 24 federal agencies have not developed the agencywide information security programs required by FISMA.

At the same time, security incidents have exploded in number.

When a cybersecurity incident occurs, agencies are required to report it to the U.S. Computer Emergency Readiness Team (US-CERT), a component of the Department of Homeland Security. In 2006, the team received 5,503 incident reports. That ballooned to 16,843 incident reports by 2008, a 206 percent increase in two years.

The past two months have brought news of high-profile cyberintrusions against government networks. Two weeks ago, the Department of Transportation notified the Federal Aviation Administration that hackers had breached its networks multiple times over the past few years. In early April, intelligence agencies confirmed for The Wall Street Journal that the U.S. electrical grid had been penetrated by Chinese and Russian hackers.

One witness said FISMA reforms were needed. Samuel Chun, director of the cybersecurity practice at EDS, a company that provides the government with technology services, told lawmakers that many agencies complain FISMA compliance drowns them in paper reports that distract from the mission of securing their systems.

And despite the considerable time taken to prepare the reports, many agencies are unclear about how good or poor compliance affects them. Chun told lawmakers that agencies want to know "how that information is used for the purposes of budgeting, rewards, and assigning accountability."

Other criticisms included report cards that give well-defended agencies poor marks, a lack of real-time reporting to gauge a system's security performance, and the inability of compliance standards to keep pace with the evolution and emergence of cyberthreats.

According to Chun, the government should create a powerful new position to coordinate the government's cybersecurity posture, consolidate the government's sprawling networks into a tighter operation, layer its defenses, and hire and train more cybersecurity experts.

Security, he said, should be embedded in every technology the government uses.

This article was written based on the written testimonies submitted by the witnesses. You can find all the testimonies here.

♦ Photo by Cliff1066/Flickr


cyber security

After reading John Rollin's CYBER THREAT INITIATIVE from the Congressional Research Service, it is clear that the government lacks the ability to track down cyber intrusions and is ambiguous about how to prosecute them. Gary McKinnon exemplifies this in that he is still awaiting extradition from the UK for hacking into NSA, CIA and DoD computer systems. It's no wonder so many people are complaining of satellite surveillance and directed-energy attacks with anyone having the ability to hack into our government INTRANET systems without fear of being caught. I recently published a book about a woman in Texas who was victimized by a former FBI agent using advanced surveillance technology that he is not supposed to be accessing. The woman was a mortgage broker for World Savings Bank. She began to get stalked by this FBI agent turned private investigator with satellite technology and was eventually drugged and raped. One of the employees of the PI also worked at World Savings where he was compiling people's financial data for electronic fraud. SEE for the book!

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.