News

Report: Federal Agencies Struggle with Computer Security

• By Matthew Weigelt
• 04/13/2010

Despite the frequency in cyberattacks against government networks, no major agency has fully secured its computers to the specifications in two major White House protection initiatives, a pair of new reports said.

No agency has met all of the requirements of the Trusted Internet Connection (TIC) or the Federal Desktop Core Configuration (FDCC) initiatives, the Government Accountability Office reported this week. As a result, senators are drafting legislation to deal with many of the lessons learned in starting these key cybersecurity initiatives, Homeland Security and Governmental Affairs Committee Chairman Sen. Joe Lieberman (I-Conn.) said Monday after GAO's reports were released.

Lieberman and Sen. Susan Collins of Maine, the committee's ranking Republican, also sent letters this week to Office of Management and Budget Director Peter Orszag and Homeland Security Secretary Janet Napolitano asking them to report on how they will carry out GAO's recommendations.

In light of the cyberattacks, the FDCC's objectives are to improve information security and reduce overall information technology operating costs. The initiative provides a baseline level of security standards that agencies can apply to their government-owned desktop and laptop computers. The initiative can potentially increase agencies' information security by requiring stricter security settings on computers. By standardizing agencies' computer management, the government can apply updates or patches more easily.

Similarly, the TIC's goals are to secure agencies' external network connections, such as Internet connections. In carrying out the initiative, agencies could either provide their own access points by becoming an access provider or seek service from these providers or a select set of vendors.

None of the 24 agencies that are required to make the FDCC changes made all of the prescribed configuration settings on their computers as of September 2009. However, several met agency-defined subsets of the initiative's settings, GAO reported.

None of the 23 agencies under the TIC's rules had met all the requirements as of September 2009 and most agencies have had delays in dealing with TIC. For example, the 16 agencies that chose to become access providers reported that they had reduced their number of external connections from 3,286 to approximately 1,753. That is 225 more than they had planned, according to GAO.

Meanwhile.  agency officials said they have made progress in reducing their external connections to the Web, according to the report.

It isn't easy to implement all those changes, GAO conceded. For the FDCC, agencies must retrofit applications and systems in their existing states. They must assess the risks associated with the deviations and make sure computers work properly after the making the changes, GAO states.

Despite the rigorous standards, the government has to protect its information and systems because of the frequency of information security incidents at federal agencies, the wide availability of hacking tools, and steady advances in the sophistication of attack technology, according to GAO.

"Unfortunately, these key initiatives, which have been underway for years, have faced challenges, particularly the lack of communication and follow through from the Office of Management and Budget and the Department of Homeland Security," Lieberman said.

Sen. Tom Carper (D-Del.), chairman of the committee's Federal Financial Management, Government Information, Federal Services, and International Security Subcommittee, said he hopes the president will sign by the end of the year the U.S. Information and Communications Enhancement Act, which includes major system security reforms.

Agencies officials generally agreed with the GAO's assessment.

In one response to GAO, Linda Cureton, chief information officer at NASA, wrote that the future guidance for FDCC standards must keep pace with industry updates in common operating systems and applications.

"The FDCC technical guidance and policy releases tend to lag behind software releases," she wrote, adding that pace is important if the initiatives are to remain relevant.