Government officials and information security experts discussed the federal government's ability to protect its sensitive information from data breaches and cyberattacks at a congressional hearing yesterday.
"The American people need to trust that the information they are submitting to or receiving from the government is accurate, reliable, and secure," said Vivek Kundra, the federal chief information officer at the Office of Management and Budget (OMB), before a House Committee on Oversight and Government Reform subcommittee.
In 2002, Congress passed the Federal Information Security Management Act (FISMA) to better protect information on federal networks. The law created a risk management framework under which an agency's leadership assesses how well its data is protected and builds an information security program to address the vulnerabilities found. OMB then makes the final decision to approve or reject the agency's information security program.
So far, the results have been far from encouraging.
"Over the past few years," Gregory C. Wilshusen, director of information security issues at the Government Accountability Office (GAO), told lawmakers, "the 24 major federal agencies have reported numerous security incidents in which sensitive information has been lost or stolen, including personally identifiable information, which has exposed millions of Americans to the loss of privacy, identity theft, and other financial crimes."
The reason, he said, is that 23 of the 24 federal agencies have not developed agencywide information security programs required by FISMA.
At the same time, security incidents have exploded in number.
When a cybersecurity incident occurs, agencies are required to report it to the U.S. Computer Emergency Readiness Team (US-CERT), a component of the Department of Homeland Security. In 2006, the team received 5,503 incident reports. That ballooned to 16,843 incident reports by 2008, a 206 percent increase in two years.
One witness said FISMA reforms were needed. Samuel Chun, director of cybersecurity practice for EDS, a company that provides the government with technology services, told lawmakers that many agencies complain FISMA compliance drowns them in paper reports that distract from the mission of securing their systems.
And despite the considerable time taken to prepare the reports, many agencies are unclear how good or poor compliance affects them. Chun told lawmakers that agencies want to know "how that information is used for the purposes of budgeting, rewards, and assigning accountability."
Other criticisms included report cards that give well-defended agencies poor marks, lack of real-time reporting to gauge a system's security performance, and the inability of compliance standards to keep pace with the evolution and emergence of cyberthreats.
According to Chun, the government should create a powerful new position to coordinate the government's cybersecurity posture, consolidate the government's sprawling networks into a tighter operation, layer defenses, and hire and train more cybersecurity experts.
Security, he said, should be embedded in every technology the government uses.
♦ This article was written based on the written testimonies submitted by the witnesses. You can find all the testimonies here.
♦ Photo by Cliff1066/Flickr