U.S. Gov’t Computers Get Barely Passing Grade

Acknowledging that there is considerable work to be done, Adam H. Putnam (R-Fl), chairman of the U.S. House of Representatives Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, reported that the federal government’s computer security has improved from a failing grade in 2002 to a passing grade in 2003.

“The Federal Government should be the standard bearer when it comes to information security. Unfortunately, today’s report card indicates anything but that. The Federal Government — overall — scored a D. While that’s an improvement over last year’s F, it’s nothing to be proud of and much more must be done to secure our government computer networks,” said Putnam.

The Subcommittee’s computer security grades were based on performance metrics and evaluations outlined by the Inspector General’s (IG) Federal Information Security Management Act reports to the Office of Management and Budget (OMB) for fiscal year 2003. The OMB instructed the agencies to submit reports summarizing the results of IT security reviews of systems and programs; agency progress on correcting identified weaknesses; and the results of IG independent evaluations. 2003 marks the 4th consecutive year that the scorecard process has been in effect.

Using a system whereby the perfect score is 100, the Subcommittee assigned grades to the numerical values and found that 14 of the 24 agencies that were evaluated improved their year-over-year scores, while 7 remained the same.

For the first time, two agencies received scores of A: The Nuclear Regulatory Commission received the highest grade of A — marking considerable improvement over last year’s score of C — followed by The National Science Foundation’s A- — improving from a D-.

While 13 of the 23 agencies that were evaluated last year scored failing grades, only 8 of the 24 that were rated in 2003 scored an F. The Department of Homeland Security was among the agencies that scored a failing grade in 2003 — the first year it was evaluated. The Justice Department, State Department, and Department of Energy also received failing grades.

The report found that only 5 agencies completed reliable inventories of their critical IT assets, and that the IGs of the Department of Defense (D score), Department of Veterans Affairs (C score), and Department of the Treasury (D score) did not submit independent evaluation reports.

Chairman Putnam noted, “One of the most disturbing findings is that 19 of the 24 agencies reviewed had not completed an inventory of their mission critical systems. Obviously, an agency can’t ensure its systems are secure if it can’t account for all of its mission critical systems. Everything starts with the inventory, and this aspect must improve — and improve quickly.”

Federal Computer Security Report Card for 2003

| Agency | 2003 | 2002 |
|---|---|---|
| Nuclear Regulatory Comm | A | C |
| Nat’l Science Foundation | A- | D- |
| Social Security Admin | B+ | B- |
| Dept of Labor | B | C+ |
| Dept of Education | C+ | D |
| Dept of Veterans Affairs | C | F |
| Environmental Protection Agency | C | D- |
| Dept of Commerce | C- | D+ |
| Small Business Admin | C- | F |
| Agency for Int’l Development | C- | F |
| Dept of Transportation | D+ | F |
| Dept of Defense | D | F |
| General Services Admin | D | D |
| Dept of the Treasury | D | F |
| Office of Personnel Mgmt | D- | F |
| Nat’l Aeronautics & Space Admin | D- | D+ |
| Dept of Energy | F | F |
| Dept of Justice | F | F |
| Dept of Health & Human Services | F | D- |
| Dept of the Interior | F | F |
| Dept of Agriculture | F | F |
| Dept of Housing & Urban Development | F | F |
| Dept of State | F | F |
| Dept of Homeland Security | F | |

Source: Subcommittee TIPRC

The Subcommittee was formed to closely monitor the progress of the implementation of e-government initiatives, and aggressively pursue the progress of the federal government’s effort to address weaknesses in security of its computer systems and particularly the protection of information and data from the threat of cyber attacks and security breaches.

Government security breaches can hamper the adoption of e-government initiatives, and TNS estimates that 44 percent of U.S. citizens use online governmental services — compared to the global average of 31 percent.

Scandinavian countries still lead the field in e-government use, with 63 percent of adults in Denmark and 62 percent in Norway using government services online. Canada’s usage was 51 percent, followed by France (35 percent), Germany (26 percent), and the UK (18 percent).

Beefing up federal computer systems will be important in the coming year as mi2g predicts that the U.S. will be among the most targeted countries for overt digital hacker attacks worldwide, and government computer networks will be increasingly successfully breached, especially those of China, South Korea, Brazil and Scandinavian countries.

Government computer systems are prime targets for hackers, and according to mi2g, there have been 93 successful attacks on U.S. government computer networks in 2003 thus far, with the most occurring during March (17), followed by January and February with 15 each.

Successful Attacks on U.S. Gov’t Systems

| Year | Attacks |
|---|---|
| 2003 | 93 |
| 2002 | 141 |
| 2001 | 270 |
| 2000 | 188 |
| 1999 | 183 |
| 1998 | 7 |
| 1997 | 2 |
| 1996 | 4 |

Source: mi2g

mi2g found that in the worldwide government computing environment, the main victims have been Microsoft Windows servers registering a record high of 84.1 percent of all successful digital attacks, followed by Linux at 10.1 percent.
