Poor government security makes industry wary

By Stephen Barlas, Contributor
20 Mar 2006 | SearchSecurity.com

Security Wire Daily News

WASHINGTON -- The latest disquieting congressional scorecard -- once again flunking key national security agencies on their cybersecurity efforts -- doesn't bode well for companies willing to share security data with the Department of Homeland Security or other government agencies.

To the extent that the report issued last week by the House Government Reform Committee heightens congressional and perhaps White House concern about a gaping hole in the defense against the war on terror, there may be some pressure on the Departments of Defense (DOD), Homeland Security (DHS), State and Justice to pay more attention to computer and IT security.

According to the annual report card on government computer security efforts, which was issued during a Thursday hearing by committee Chairman Rep. Tom Davis (R-Va.), all of those organizations received Ds or Fs for 2005.

At the same time, those dismal grades may encourage many in the private sector to think twice about sharing information with DHS. John Sabo, director of security and privacy initiatives for Islandia, N.Y.-based CA Inc., said IT companies met as recently as three weeks ago with DHS officials about specific data security measures the department must implement before the industry would be willing to share proprietary corporate IT infrastructure information.

"It is less likely that any significant volume of sensitive IT information sharing will go on if we believe that information cannot be protected," Sabo said.

The annual security scorecard is mandated by the Federal Information Security Management Act of 2002 (FISMA). It rates 24 agencies and departments based on information submitted by agency CIOs and inspectors general. Those reports use metrics related to such things as the percentage of information security systems reviewed, how many have been accredited and certified and how many have plans of action and milestones to address system weaknesses.

For the third year in a row, Davis gave the overall federal government a grade of D+. "None of us would accept D+ grades on our children's report cards," he said. "We can't accept these either."

The DHS grade did actually increase, from 20.5 out of 100 in 2004 to 33.5 in 2005, but that was still an F. According to a committee staffer, the department's poor showing can be attributed to poor configuration management, inadequate certification and accreditation, and deficient annual testing of systems.

Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA) and a former DHS official, said the failing grades for national security agencies "doesn't bode well for the future." He said the White House Office of Management and Budget (OMB), which is responsible for ensuring FISMA compliance, lacks the necessary resources to do the job.

Drew Crockett, a spokesman for Davis, said OMB's capabilities will be evaluated, adding that Davis is not unsympathetic to the IT security challenges faced by DOD and DHS.

"These are massive agencies with complex problems," Crockett said. "DHS inherited old computer systems from the agencies it incorporated. But they must move forward. They are on the front lines in the war against terror."

At the hearing, Scott Charbo, CIO for DHS, insisted his agency was moving forward. For example, he said last year just 26% of systems were properly accredited for security, but now -- following the remediation project instituted last fall by DHS Secretary Michael Chertoff -- over 60% are accredited. The department has also started a new program to bring all legacy IT infrastructures under a single management program. "I am confident that the DHS Information Security Program is moving in the right direction," Charbo concluded.

Alan Paller, director of research at SANS Institute, said the results of the report card aren't as important as how the systems perform under more pointed analyses.

"How ready are government systems? Are they configured correctly? Do they have the latest patches? Are the filters in front of them up to date? Each of those questions can be answered in real-time without paying millions to consultants to write reports that will never be read," Paller said via e-mail.

CA's Sabo explained that others have voiced similar criticisms of FISMA in the past. But he emphasized that the transparency provided by the FISMA reports is very important, and he gave Davis considerable credit for holding the federal government's feet to the fire on IT security.

Stephen Barlas is a freelance writer based in Washington D.C.
