Malicious software takes up time, resources

Office of Management and Budget official says agencies need to do more than the minimum to comply with cybersecurity law.

Spyware -- malicious computer software often downloaded unintentionally -- is a growing problem in government, officials told members of two House Oversight and Government Reform subcommittees Thursday.

Identification and removal of spyware imposes significant costs in time and resources on agencies, said Gregory Wilshusen, director of the Government Accountability Office's information security division.

The House passed legislation Wednesday (H.R. 1525) that would require companies that distribute software to notify and obtain consent from users before the applications are installed. Separate legislation (H.R. 964) that also passed the House would establish penalties for malicious use of the software.

Agencies also face the challenge of keeping software up-to-date, officials testified. "One of the critical causes of the security weaknesses we identify is the fact that operating systems are not configured and security patches are not installed in a timely manner," Wilshusen said.

Karen Evans, administrator of electronic government and information technology at the Office of Management and Budget, said she does not know how much time and what level of resources agencies spend dealing with spyware. But IT security budgets have been increasing every year, she said, noting that OMB proposed $6 billion in security-related IT spending for fiscal 2008.

Vance Hitch, chief information officer at the Justice Department, said malicious or inadvertent computer software bugs are a large problem requiring "a tremendous amount of money" for patch management.

Asked if the law governing agency information security -- the 2002 Federal Information Security Management Act -- is effective, Evans said she is working to help agencies move beyond minimum compliance.

"If an agency chooses to just comply, if they view it as a paperwork exercise … the agency will not be secure," Evans said. "If you just look at the letter of the law, you could generate an environment where an agency is cranking out reports. That would not be a secure program."

Evans said she is working with agency inspectors general to review the quality of FISMA reports.

Rep. Tom Davis, R-Va., the original sponsor of the FISMA law, asked if Congress should increase funding for information security since managers are being asked to do more work.

But Evans said security costs are built into agency investments. "We've got the basic foundation in place, but we have to get agencies focused on what's intended in the law," she said. "I think we need to improve the execution of what is intended by the law."

Davis said the government needs to avoid the "check the box" mentality to security. He advocated the creation of incentives to encourage strong information protection policies.

"Our biggest fear is that we pass these laws, and everyone is sitting here fat, dumb and happy … but the minute you get something approaching a cyber Pearl Harbor, people start pointing fingers," Davis said.

Last month, federal officials told the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology that FISMA fails to "tell the whole story" when it comes to agencies' information security practices.