Security threats Toolkit

US Government failing on cybersecurity

Tags:
Cybersecurity,
Report Card,
Threats,
Cyberterror

Anne Broache CNET News

Published: 17 Mar 2006 10:40 GMT

The US Department of Homeland Security earned failing marks in an annual computer security report card released on Thursday by a congressional oversight committee.

That means the federal agency tasked with principal responsibility for the nation's cybersecurity has now received a grade of F from the US House of Representatives Committee on Government Reform for three straight years — in other words, every year of its young existence.

It's not alone. Of the 24 departments on the scorecard, seven others, including Energy, Agriculture, Veterans Affairs, State, and Defense, also received failing marks for 2005. The scores for both Defense and State had hovered above passing — at D and D+, respectively — in 2004. The overall grade across all government agencies was D+, unchanged from last year.

The shortcomings were little surprise but are nonetheless "appalling", said Gene Spafford, a Purdue University computer science professor who has long been urging greater investement in cybersecurity research. He served on a presidential advisory committee that released a scathing report last year called The Cyber Security Crisis: A Failure of Prioritization.

"Despite all the rhetoric from government officials about preparedness and defence against those who would harm the US, it is clear that they still don't 'get it' about IT security," he told ZDNet UK sister site CNET News.com in an email interview.

The report cards are based on reports from agencies about their compliance with the Federal Information Security Management Act of 2002. That law sets a broad framework of requirements, including devising an information security programme, keeping an inventory of its systems, training personnel and contractors in security "awareness", evaluating the effectiveness of its programme periodically, and flagging and developing plans to root out weaknesses.

To be sure, the news wasn't all bad. Seven agencies, including the Department of Labor, the Social Security Administration, and the National Science Foundation, received grades in the A range, in some cases pulling their scores up from the C range over the past year. But progress has been "uneven" on a government-wide scale, concluded the Government Accountability Office in a presentation delivered Thursday before the House committee.

The Department of Homeland Security has proven itself a particular magnet for criticism and had been chided for its failure to develop a cybercrisis contingency plan, prompting experts to question its ability to handle a massive attack. The agency recently modelled such a scenario, drawing praise from tech companies that participated, but it doesn't expect to release an analysis of its outcome until the summer.

A high-level cybersecurity czar post proposed by the department also remains vacant, though perhaps through no fault of the agency's own. A congressional bill consenting to its creation remains bottled up in committee.

DHS chief information officer Scott Charbo told politicians in prepared testimony for Thursday's hearing that the department is committed to making improvements. It launched three major new tools in 2005, he said, including monthly information security scorecards for department leaders to review. By February, it had also brought 60 percent of its 700 systems into full compliance with federal security standards, up from 26 percent before launching a special Remediation Project in October 2005.