Poor government security makes industry wary

By Stephen Barlas, Contributor 20 Mar 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

WASHINGTON -- The latest disquieting congressional scorecard -- once again flunking key national security agencies on their cybersecurity efforts -- doesn't bode well for companies willing to share security data with the Department of Homeland Security or other government agencies.

To the extent that the report issued last week by the House Government Reform Committee heightens congressional and perhaps White House concern about a gaping hole in the defense against the war on terror, there may be some pressure on the Departments of Defense (DOD), Homeland Security (DHS), State and Justice to pay more attention to computer and IT security.

According to the annual report card on government computer security efforts (.pdf), which was issued during a Thursday hearing by committee Chairman Rep. Tom Davis (R-Va.), all of those organizations received Ds or Fs for 2005.

At the same time, those dismal grades may encourage many in the private sector to think twice about sharing information with DHS. John Sabo, director of security and privacy initiatives for Islandia, N.Y.-based CA Inc., said IT companies met as recently as three weeks ago with DHS officials about specific data security measures it must implement before the industry would be willing to share proprietary corporate IT infrastructure information.

"It is less likely that any significant volume of sensitive IT information sharing will go on if we believe that information cannot be protected," Sabo said.

More on national cybersecurity Federal budget for 2007 to boost cybersecurity Scientists band together for TRUST-worthy research DHS: Time to outlaw rootkits

The annual security scorecard is mandated by the Federal Information Security Management Act of 2002 (FISMA). It rates 24 agencies and departments based on information submitted by agency CIOs and inspectors general. Those reports use metrics related to such things as the percentage of information security systems reviewed, how many have been accredited and certified and how many have plans of action and milestones to address system weaknesses.

For the third year in a row, Davis gave the overall federal government a grade of D+. "None of us would accept D+ grades on our children's report Cards," he said. "We can't accept these either."

However, the DHS grade actually increased from 20.5 out of 100 in 2004 to 33.5 in 2005. But that was still an F and the department's poor showing can be attributed, according to a committee staffer, to poor configuration management, inadequate certification and accreditation and deficient annual testing of systems.

Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA) and a former DHS official, said the failing grades for national security agencies "doesn't bode well for the future." He said the White House Office of Management and Budget (OMB), which is responsible for ensuring FISMA compliance, lacks the necessary resources to do the job.

Drew Crockett, a spokesman for Davis, said OMB's capabilities will be evaluated, adding that Davis is not unsympathetic to the IT security challenges faced by DOD and DHS.

"These are massive agencies with complex problems," Crockett said. "DHS inherited old computer systems from the agencies it incorporated. But they must move forward. They are on the front lines in the war against terror."

At the hearing, Scott Charbo, CIO for DHS, insisted his agency was moving forward. For example, he said last year just 26% of systems were properly accredited for security, but now -- following the remediation project instituted last fall by DHS Secretary Michael Chertoff -- over 60% are accredited. The department has also started a new program to bring all legacy IT infrastructures under a single management program. "I am confident that the DHS Information Security Program is moving in the right direction," Charbo concluded.

Alan Paller, director of research at SANS Institute, said the results of the report card aren't as important as how the systems perform under more pointed analyses.

"How ready are government systems? Are they configured correctly? Do they have the latest patches? Are the filters in front of them up to date? Each of those questions can be answered in real-time without paying millions to consultants to write reports that will never be read" Paller said via e-mail.

CA's Sabo explained others have voiced similar criticisms of FISMA in the past. But he emphasized that the transparency provided by the FISMA reports is very important. He gave Davis considerable credit for holding the federal government's feet to the fire on IT security.

Stephen Barlas is a freelance writer based in Washington D.C.

Sound Off! -   Post your comments |  See others' comments (1)

Tags: Information Security Laws, Investigations and Ethics,  Creating and Managing Information Security Policies,  Risk Assessment and Analysis,  Device Security Policy,  Remote Access Policy,  Security Audit,  FISMA,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us