Feds get ‘F’ in computer security

Federal agencies are failing in their efforts to make computers safe from malicious attacks, Rep. Stephen Horn, R-Calif., said at a hearing Friday. In his second annual report card on computer security, Horn, who is chairman of the House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, assigned federal agencies grades based on Office of Management and Budget reports and General Accounting Office audits. This year agencies received an overall grade of F, dropping from the overall 2000 grade of D minus. "Two-thirds of the agencies failed completely in their computer security efforts," Horn said. "[The] nation cannot afford to ignore the risks associated with cyberattacks." The National Science Foundation received the highest grade, a B plus. Only two other agencies scored above a D: the Social Security Administration, with a C plus, and NASA, with a C minus. Sixteen out of the 24 largest federal agencies graded got F's. "Federal agencies rely on computer systems to support critical operations that are essential to the health and well-being of millions of Americans," Horn said. "National defense, emergency services, tax collection and benefit payments all rely on automated systems and electronically stored information. Without proper protection, the vast amount of sensitive information stored on executive branch computers could be compromised and the systems themselves [could be] subject to malicious attack." Horn pointed to damage caused by the Code Red and Nimda Internet worms, perpetrated in the summer and early fall, as evidence of what can happen to computers without patched vulnerabilities and appropriate safeguards such as firewalls and antivirus software. "Cyberattacks have the potential to cause great damage to the nation," he said. Robert Dacey, director for information security issues at the General Accounting Office said that international terrorists and criminals are developing the capability to launch cyberattacks. "No responsible parent would stand for this kind of performance," said Harris N. Miller, president of the Information Technology Association of America. Miller said that protecting federal information systems will require money. "Federal agencies simply do not have the funding available in their current budgets," he said. Nonetheless, the administration contends that the $2.7 billion it spends on computer security each year is adequate. Mark Forman, associate director for information technology and e-government at OMB, told the subcommittee that spending more money on security does not always give agencies their desired results. OMB's goals, he said, are to ensure that senior managers devote greater attention to security and include security in all new business cases and budget plans. Forman said that while a recent restructuring of the federal Chief Information Officers Council is still not complete, OMB has decided to eliminate the council's subcommittee on Security, Privacy and Critical Infrastructure Protection. That subcommittee's duties are now being split among the council's IT Workforce and Architecture subcommittees. With no part of the CIO Council now totally focused on IT security, Forman said that OMB would be paying extra attention to the security aspects of agencies' 2003 budget requests. OMB is "not fully satisfied" with the work that went into agency reports required under the Government Information Security Reform Act, Forman said. Forman said the subcommittee's grades were too lenient on some agencies, but he declined to name which ones. He also said the subcommittee was too harsh with the Defense Department's grade.

(INC means incomplete.)