TOPICS
TOPICS
Government computers top target for cyberattacks
Cyberattacks on computer systems escalated in the first half of 2005 and government agencies were targeted more than any other business sector, according to a new report.
Attacks on the government, financial services, manufacturing and health care industries have risen 50 percent since the beginning of the year, according to IBM's Global Business Security Index Report.
In the first half of 2005, there were more than 237 million security attacks worldwide, with 54 million directed at the U.S. government. The manufacturing sector received about 36 million attacks, followed by the financial services industry with 34 million and health care with 17 million.
Attacks considered to be relatively harmless - such as spam or basic computer viruses - declined. IBM analysts concluded that for-profit attacks are becoming dominant, particularly those involving phishing - the use of e-mail to try to fraudulently obtain personal information.
The percentage of spam in total e-mail traffic dropped from 83 percent in January to 67 percent in June, but e-mails containing viruses increased by 50 percent during the same period, the report stated.
In December 2004, one in every 52 e-mails contained a malicious security threat, such as a virus. By January 2005, the ratio had jumped to one of every 35 e-emails. By June, the number reached one in every 28 e-emails.
IBM analysts believe the majority of cyberattacks now are carried out by criminal gangs, which have become smarter. In the first half of 2005, MessageLabs, a security and management firm that partnered with IBM in writing the report, recorded more than 35 million phishing attempts. In 2004, MessageLabs recorded about 25 million such efforts.
One type of phishing, known as spear phishing--which involves coordinated attacks on specific organizations or individuals for the purposes of getting important data--has grown more than tenfold since the beginning of the year, the report stated.
Alan Paller, director of research at the security group SANS Institute, said that spear phishing is turning into an epidemic. But despite the growing extent of the problem, Paller says that the federal government has been ineffective in responding to the threat.
"This is a huge problem," Paller said. "They need to have a strategy for dealing with it, and I don't mean a go-to-meetings strategy, but an actual action strategy that they can undertake."
Paller criticized the 2002 Federal Information Security Management Act, which requires agencies to publish reports certifying and accrediting major systems and applications for security risks--a time- and resource-consuming process.
"Agencies are spending significantly more [time and money] writing reports and less protecting their networks," Paller said. "Let's stop writing reports and get the stuff fixed."
The United States was the source of the most attacks in the period studied, with 12 million, followed by New Zealand with 1.2 million and China with 1 million. Attacks were most likely to occur on Fridays and Sundays and between 1 a.m. and 6 a.m.
COMMENTS
- The federal government computer systems are attacked often because they have some of the most poorly implemented software with some of the worst firewalls imaginable. This is because of internal bureaucracy. I worked for DOD for many years. I started when they were entering data into a mainframe from dumb terminals. Instead of keeping up with the industry, the agency I worked for was always years behind in computer technology and software. When industry was storing data on hard drives, they were still using large platters. Instead of using one reliable and secure software, every branch had to have it's own. Because data bases were not compatible with each other and not networked properly there was a huge redundancy of data and many back doors. The DOD was supposed to be switching to electronic forms and reducing the amount of paperwork that had to be stored. Instead the agencies created more forms than ever. A person wouldn't even have to be very good at hacking to get into databases at many DOD depots and laboratories. Someone working at a DOD facility could reck havoc on local data bases in other agencies before anybody would even realize it. DOD data bases are still extremely vulnerable. Agencies, facilities, directorates and branch will not cooperate to establish a secure system. It's politics as usual. Robert M. Posted August 11, 2005 6:30 PM
GovExec Live!
Earlier this year, Defense personnel officials proposed replacing the General Schedule system, implementing a performance pay framework, streamlining the employee appeals process and scaling back collective bargaining. The new system would affect more than 700,000 employees. On June 7 Pentagon officials announced they would delay implementation of the National Security Personnel System and union officials say they plan to take legal action to block the new system as soon as the final regulations are sent to Congress.
At noon on Wed., Aug. 10, Don Hale, president of the American Federation of Government Employees' Defense Conference, also known as DEFCON, and a civilian defense worker at the U.S. Military Academy at West Point, will respond to your questions and comments about the changes at the Defense Department, as well as the Bush administration's governmentwide personnel reform proposal. Submit your questions early or during the chat.
