Agency officials say info security law falls short

The 2002 Federal Information Security Management Act fails to measure how secure agencies actually are, they say.

The federal law governing agency information security practices took a beating Thursday in congressional testimony from government cybersecurity officials.

Donald Reid, senior coordinator for security infrastructure at the State Department's Bureau of Diplomatic Security, told a congressional subcommittee that the 2002 Federal Information Security Management Act does not "tell the whole story" when it comes to agencies' information security practices.

Earlier this month, State received a failing grade on the fiscal 2006 cybersecurity report card for the third time in the four years the grades have been handed out. But Reid said that even if the department had received an A+ on the report card, it would not have been able to prevent a June 2006 cyber attack on the department's networks.

"Our ability to detect and respond to intrusions … nowhere is that measured in FISMA," Reid said. "It's a great baseline log, but we clearly have more work to do."

The June 2006 attack was initiated when an employee of the department opened a Microsoft Word e-mail attachment that contained exploit code, which is software or data used to gain control of a computer.

Doubts have been raised about the effectiveness of FISMA for more than a year, with critics stating that it is little more than a paperwork exercise. But OMB officials have said the law needs more time before it can be judged.

Rep. James Langevin, D-R.I., chairman of the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, which held the hearing, said incidents at State are just the tip of the iceberg.

"These are not the only agencies experiencing problems," Langevin said. "They are simply the only attacks that have been made public."

According to information provided by Langevin, hackers using Chinese Internet servers launched an attack on the computer systems at the Commerce Department's Bureau of Industry and Security in October 2006. The hackers used a "rootkit" program that allowed them to mask their presence to gain access to the system.

"I think these incidents have opened a lot of eyes in the halls of Congress," Langevin said. "We don't know the scope of our networks. We don't know who's inside our networks. We don't know what information has been stolen. We need to get serious about this threat to our national security."

Dave Jarrell, manager of the Commerce Department's critical infrastructure protection program, said the department focuses a significant amount of attention on FISMA, which primarily centers on certifying and accrediting an agency's information technology systems.

Any rating of an agency's systems under FISMA is merely a snapshot in time, Jarrell said. A change to a system, such as an introduction of new technology or a new user, changes the security variables that an agency looks at, Jarrell said. While FISMA is a good tool, an agency also has to look at other capabilities and vulnerabilities.

"Having the ability to put more technology in place so that we can secure that system is also a great issue," Jarrell said. "It seems that there needs to be more of a balance of FISMA and the introduction of new technology."

Greg Wilshusen, director of the Government Accountability Office's information security issues division, said that if the performance measures established by the Office of Management and Budget do not spotlight the effectiveness of security activities, FISMA cannot be fully effective.

"Just performing certain activities doesn't mean they are being performed effectively," Wilshusen said. "Just because a system is certified and accredited does not make it necessarily secure."

He said receiving a higher grade on the FISMA score card is more an indication of the measures used to assess security implementation than of the actual state of government information security.

Rep. Tom Davis, R-Va., who issues an annual report card on FISMA compliance, said last week that while the law could be improved, criticism of it has come "mainly from failing agencies." He also said he wants "to take FISMA to the next level."

Davis introduced legislation in the last session of Congress that would have amended FISMA to require all government chief information officers to enforce rules accounting for and securing IT equipment containing sensitive information.

The legislation, which would have required agencies to inform the public when data breaches involving sensitive information occur, passed the House but never made it out of the Senate.

David Marin, Davis' staff director, said FISMA is "clearly working" by forcing agencies to think about information security, but "Davis is always on the lookout for ways to improve" it.