Federal agencies aren’t doing enough to secure their network systems, even as documented cyber-attacks against the U.S. government continue to dramatically rise, U.S. Rep. Adam Putnam (R-FL) said Thursday.
Putnam pointed to the federal agencies’ overall security grade of “D” issued in December and a General Accounting Office (GAO) study released Thursday reporting 1.4 million cyber-security attacks launched against government agencies and departments in 2003. The report said there were 489,890 attacks in 2002.
“Our government has taken very dramatic steps to increase our physical security, but protecting our information networks has not progressed commensurately either in the public or private sector,” said Putnam, chairman of the House Government Reform Subcommittee on Technology.
In the annual report card issued by the subcommittee, the Nuclear Regulatory Commission and the National Science Foundation each scored an “A” in cyber-security, but eight other federal agencies, including the Department of Homeland Security, received an “F.” Of the 24 agencies graded, 14 scored below a “C.”
It was the fourth consecutive year the government has received low to failing marks for its cyber-security efforts. Most troubling for Putnam is that only five agencies completed reliable inventories of their critical IT assets.
“How can you secure what you don’t know you have?” Putnam asked. “How can you claim to have completed a certification and accreditation process absent a reliable inventory of your assets?”
Robert C. Dacey, the GAO’s director of information security issues, told Putnam’s subcommittee the federal government had made progress in network security, but much work remains.
“For the past several years, we have analyzed audit results for 24 of the largest federal agencies and we have found that all 24 had significant information security weaknesses,” Dacey said.
The GAO report said the underlying cause of federal network security problems is the lack of an effective information security management program.
“No matter how sophisticated technology becomes, it will never solve management issues,” the report states. “Furthermore, because of the vast differences of federal systems and the variety of risks associated with each of them, there is no single approach to security that will be effective for all systems.”
The report adds, “The old thinking of IT security as the responsibility of a single agency official or the agency’s IT security office is out of date, contrary to law and policy, and significantly endangers the ability of agencies to safeguard their IT investments.”
Putnam agreed with the GAO report and said “one of the continuing impediments to progress is that too many people view information security as a technology issue.”
The Department of the Treasury, one of the agencies that has failed to compile a complete inventory of its IT assets, partially blamed the transfer of approximately 70 percent of its staff to the Department of Homeland Security.
“Our audit staff was reduced from 165 to 62 during the last six months of the fiscal year,” Treasury Inspector General Jeffrey Rush told the subcommittee. “Our annual audit plan had to be completely revised. This divestiture and subsequent attrition reduced our IT audit group from 14 to 5.”
Rush said Treasury’s plans of actions and milestones for “fixing serious security weaknesses were not always complete or consistently reported on.”
He added that most of Treasury’s systems have not been certified and accredited and that the agency does not have a “fully functioning computer security incident response capability.”
Putnam closed the hearing by saying his subcommittee will seek accountability from the “highest agency official responsible for information technology investments to ensure that IT security is baked into the investment decision making process.”