"I believe the infiltration by foreign nationals of federal government networks is one of the most critical issues confronting our nation," Rep. James Langevin, D-R.I., said at a hearing of the House Subcommittee on Emerging Threats, Cybersecurity, Science and Technology on Thursday. "Over time, the theft of critical information from government servers could cost the United States our advantage over our adversaries."
Of particular concern is the latest attack on government computers to be disclosed officially—an infiltration of the Department of State's networks in Washington and east Asia last summer. In May 2006, a department employee opened a malicious email that contained an attachment that installed a Trojan horse, Donald Reid, senior coordinator for Security Infrastructure at the State Department's Bureau of Diplomatic Security, said at the hearing. When officials discovered that data was being stolen, they cut off Internet connectivity to the department's East Asia Pacific region. Because Microsoft Corp. couldn't deploy a patch quickly, the State Department implemented a temporary security fix for the vulnerability. Microsoft released the patch in August.
Langevin, chairman of the subcommittee, took State to task for implementing a temporary fix rather than taking the entire system offline for a complete inspection while waiting for Microsoft to release the patch.
"I believe they made the determination that accessibility to data is more important than confidentiality and integrity," Langevin said.
Defending the agency's actions, Reid said officials felt "pretty confident" that the recommended wrapper was the best course of action, although it was a difficult decision.
"There's a business case here in terms of taking an entire system offline," Reid said, noting that the visa application process and other diplomatic services would come to a halt if the system had been taken down. "We felt that the risks were worth it, that we had a solution that was going to work."
Dave Jarrell, manager of the Critical Infrastructure Protection Program at the Department of Commerce, testified that hackers using a rootkit attacked the department's Bureau of Industry and Security in October. Jarrell said he has no evidence to indicate any BIS data was taken during the incident, but Langevin said he was troubled that the department didn't know exactly when the infiltration took place.
The network intrusions at State and Commerce follow years of documented failure to comply with the Federal Information Security Management Act (FISMA), which requires agencies to maintain a complete inventory of network devices and systems. Government and industry officials at the hearing acknowledged a disconnect between FISMA's intent and actual improvements in network security.
"The current system that provides letter grades seems to have no connection to actual security," said Rep. Zoe Lofgren, D-Calif.
Some lawmakers are considering whether the Department of Homeland Security should be given primary responsibility for overseeing federal network security, but officials at DHS and elsewhere suggested that wouldn't be the best idea. Noting that DHS has not performed well on the annual FISMA report card and has not implemented all of the recommendations put forth for improved analysis and warning capabilities for attacks, Greg Wilshusen, director of information security issues at the Government Accountability Office, said it would be problematic from an organizational standpoint to put DHS in the position of compelling other agencies to comply.