How Secure is Federal 'Cybersecurity'?

The term "cybersecurity" has taken on serious urgency since the Sept. 11, 2001, terror attacks, but official reports and industry experts say the government remains critically vulnerable to viruses, hackers and even electronic terrorist attacks.

The primary problem, say observers, seems to be a lack of leadership or vision, and an inability to keep up with the rapid emergence of new threats.

"They are ignoring cybersecurity and it poses an enormous vulnerability," Edward Lazowska, professor of computer science and engineering at the University of Washington and co-chairman of the President's Information Technology Advisory Committee, said in an interview last month.

The panel released a grim report in February called "Cybersecurity: A Crisis of Prioritization," which basically says the federal government is applying short-term remedies to evolving threats that require long-term vision. The report blames a lack of funding for research and development, an unwillingness to share federally-generated technologies with the private sector and simple disinterest in Washington.

Five months after the report, critics and even the study's author say little has been done.

"We are applying Band-aids," Lazowska said, noting that gaping holes in Internet security put many public and private information systems and critical infrastructure at risk. "We need to think about new designs rather than these patches … it's something people don't often understand."

Two years ago, the Department of Homeland Security was put in control of protecting the computer systems that support critical infrastructure, like telecommunications, commercial and government facilities, emergency services and information technology for both the private and public sectors.

Despite alarm bells, threats to these systems have become more sophisticated and frequent, say critics, and the administration has not put its muscle behind making security a priority or working closely with private interests to develop new security technologies that will benefit everyone.

"Unfortunately we have not had the attention and the leadership," said Harris Miller, president of the Information Technology Association of America, which has worked with the government over the years to design what has become numerous plans for implementing cybersecurity for the private and public sectors.

"Unfortunately, when DHS was created two years ago, they thought they could solve the cybersecurity problem with guard dogs, badges and bullets," he said.

A May Government Accountability Office report, "Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities," says DHS has failed to fulfill 13 goals identified by the GAO as being integral to implementing security protocols.

"DHS has not yet developed national cyberthreat and vulnerability assessments or government-industry contingency recovery plans for cybersecurity, including a plan for recovering key Internet functions," said the report.

Despite 11 major federal government actions in developing cybersecurity policy since 1996 — including a National Plan for Information Systems Protection in 2000, three executive orders and a National Strategy to Secure Cyberspace in 2003 — implementation seems to be the greatest sticking point, reads the GAO report.

Challenges include organizational stability, information-sharing within and between the government and private sector, and demonstration that it can prevent attacks before they happen.

"Until it confronts and resolves these underlying challenges and implements its plans, DHS will have difficulty achieving significant results in strengthening the cybersecurity of our critical infrastructures," the report reads.

Computer experts and interested lawmakers say the threats are getting more sophisticated every day. Everyone from hackers, criminal groups, terrorists and spyware authors to foreign intelligence services is operating with state-of-the-art tools and daring the government to keep up with them.

"This is unacceptable as so much of our daily lives — from our banking to our water and electricity supplies — rely on cyber infrastructure," said Rep. Bennie Thompson, D-Miss., ranking member of the House Homeland Security Committee, several members of which requested the report.

In December, a DHS Inspector General's Office report found a series of vulnerabilities in several DHS agencies, including the Bureau of Immigration and Customs Enforcement and DHS's Emergency Preparedness and Response Directorate. Hackers hired by the government were able to crack passwords easily and found that, in some cases, no passwords were used to protect accounts at all.

The report also found that remote access to DHS networks for employees was vulnerable to attacks.

"We agree that strengthening cybersecurity is central to protecting the nation's crucial infrastructure and concur that much remains to be done," DHS said in May in response to the report. "We do not agree, however, with the report's implication that the challenges experienced to date have prevented us from achieving significant results in improving the nation's cybersecurity posture."

DHS pointed out several areas in which it's working with the public and private sector to develop new strategies and strengthen response efforts through the National Cyber Response Coordination Group.

The Office of Budget and Management oversees the security implementation for each of the agency's information systems. In her April testimony before Congress, Karen Evans, administrator for the OMB's Electronic Government and Information Technology Office, acknowledged that inconsistencies in implementation among the agencies remain.

"While notable progress has been made … problems continue and new threats and vulnerabilities continue to materialize," Evans said, nonetheless assuring the committee that it has the tools and the will to follow through.

OMB spokeswoman Sarah Hawkins said the agency most certainly makes cybersecurity a priority, as does the administration. "We're implementing multiple initiatives and programs to ensure that the government's information is protected, all along with the president's strategy to secure cyberspace," she said.

Nonetheless, ongoing problems with information technology plague government. And increased and more sophisticated attacks on security systems have made the problem of cybersecurity more serious, while research and development lags behind, say experts.

"One thing is for sure," said Lazowska, "we will never catch up if our entire focus is on Band-aids."