Federal Agencies Get Low Marks on Cyber Security

A congressional lawmaker plans to meet with the chief information officers of two dozen federal agencies in the coming weeks to discuss how they can improve the security of their computer networks.

Rep. Adam Putnam, R-Fla., said the meetings will take place in the wake of a congressional report that showed the federal government earned an overall "D" grade for its efforts in the past year to secure agencies' information systems.

"For too long now, information security has taken a back seat in the collective conscience of our nation," Putnam said Tuesday. "We must do more and do it quicker if we are going to protect ourselves from a potential digital disaster."

Putnam chairs the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, which Tuesday released its fourth annual federal computer security report card.

The report card showed improvement from the "F" grade the government earned in the previous year, but several agencies are still failing to protect their networks.

• Raw Data: Computer Security Report Card 2003 (pdf)
• Raw Data: Federal Computer Grade and Bar Graph (pdf)

Among the 24 agencies surveyed, 14 improved their grades. Still, eight agencies earned "F" grades, six received "D"s, six earned "C"s, two got "B"s and only the Nuclear Regulatory Commission and National Science Foundation earned "A" marks.

Some agencies — notably the Office of Personnel Management, the Departments of Treasury, Education, and Defense and the Agency for International Development — did make gains in computer security within the past year, industry experts said, but more needs to be done.

"Government has made some progress, but still has a lot of work to do. It must lead by example with execution at a faster pace," said Bill Conner, CEO of computer security company Entrust Inc. "Federal agencies have the money, legislation, process and metrics necessary to make progress. They must treat computer security as a priority governance issue and insist on continuous improvement."

The subcommittee determined its grades based on surveys the agencies sent to the Office of Management and Budget in accordance with the Federal Information Security Management Act, passed by Congress last year. Under FISMA, agencies are supposed to regularly update their security systems, maintain an inventory of their systems, pinpoint risks and deficiencies, develop remediation efforts to improve security and develop failsafe plans to continue operating in case of interruptions.

"The overarching goal of FISMA was to force the federal government to put its house in order and become a reliable partner in the protection of our information highways," said Rep. Tom Davis, R-Va., chairman of the full committee and author of FISMA. "The grades we released today indicate that while some rooms in that house are tidier, too many others are not."

According to the report, only five agencies completed reliable inventories of their critical information technology assets, while 19 did not. The inspectors general from the Defense, Veterans Affairs and Treasury Departments did not submit independent evaluations as required by the law.

Speaking at the National Cyber Security Summit in California last week, a meeting of 350 government, industry and academia representatives, Homeland Security Secretary Tom Ridge, whose department earned an "F" grade, said he recognized that more needs to be done.

"The sheer reality is that we rely on computers," Ridge said. "We must be as diligent and determined at finding ways to strengthen our cyberspace, as the terrorists are in trying to find ways to attack it. For every hacker or terrorist that tries to throw a worm or virus in our way, we must have effective roadblocks and tough barricades to throw in theirs."

Private Sector Claims Edge Over Government

According to the National Institute of Standards and Technology, software bugs and errors cost the U.S. economy about $59.5 billion per year. More than 76,000 errors and bugs occurred in just the first six months of this year, NIST reports. The recent SoBig-F virus is estimated to have caused more than $10 billion in economic losses.

A recent Business Software Alliance study reported that information security professionals say they believe their organizations are at risk of a major cyber attack, but 78 percent also say they think they are prepared to defend against intrusions.

BSA was one of several groups at the cyber security summit that identified five areas that needed work: consumer and small business awareness, early warning systems, corporate governance, technical standards, and security across the software development lifecycle.

BSA, along with the Information Technology Association of America, TechNet, the U.S. Chamber of Commerce and other groups, drafted a rough plan to harden the nation’s critical information infrastructure.

Industry representatives have asked Congress to give the private sector a chance to work out, on its own, measures to get its house in order, seeking a hands-off policy for now.

"While enormous challenges and threats remain, industry is making great strides in making cyber security a priority," said BSA President Robert Holleyman. "Through greater executive and employee awareness, resource allocation and public-private partnerships such as the summit here today in Silicon Valley, we can meet our national and global security objectives."

Putnam said he will reinforce to the House Appropriations Committee the need to adequately fund information security efforts at the government level. He also recently circulated draft legislation that would require, through the Securities and Exchange Commission, publicly traded companies to report on their computer security, but has since amended his position.

"The goal is to come up with a set of information security best practices and guiding principles that would be adopted — voluntarily — by the private sector," Putnam said.