Agencies again flunk lawmaker’s computer security test

The federal government has received a failing grade for its computer security efforts in the third annual report card issued by Rep. Stephen Horn, R-Calif., who has advocated better security measures.

In what may be his final appearance as chairman of the Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, Horn, who is retiring from Congress, released his findings at a hearing Tuesday. "I am disheartened to announce that again this year, the government has earned an overall grade of 'F'…despite the administration's welcomed focus on this important problem," Horn said.

Horn compiled the grades for two dozen agencies based on reports they submitted to the Office of Management and Budget. Weighted point values were assigned based on OMB criteria, with 100 points equaling a perfect score.

The Social Security Administration earned the top grade, a B-. Horn praised the agency, which improved from a grade of C+ the year before, as "a shining example of sound leadership."

The Transportation Department scored lowest in the report. Horn called the department's 28-point total "appalling." Transportation Inspector General Kenneth Mead told the panel that his office will soon issue a report concluding that Transportation's information security program is a "material weakness" in the department's management. Mead made the same assessment last year.

Mead called on Transportation officials to appoint a chief information officer, as required by the 1996 Clinger-Cohen Act. Since the passage of that law, Transportation has had a CIO for only 18 months, and the position has been vacant since January 2001, Mead said.

Mead added that Transportation has improved the security of its information networks, but said they were still vulnerable to intrusion because they are full of "back-door" unsecured points of entry, such as dial-up modem connections.

Reported incidents of cyberattacks in both the public and private sectors have increased dramatically over the past four years. In 1998, the Computer Emergency Response Team Coordination Center, a federally funded organization at Carnegie Mellon University in Pittsburgh, received about 3,700 such reports, said Richard Pethia, the center's director, in his testimony before the subcommittee. In 2001, that number jumped to 52,000, and by the end of this year, Pethia said, the center expects to have received about 100,000 reports.

Security experts note that while individuals and organizations are reporting cyberattacks more frequently, the private sector as a whole still vastly underreports the number of intrusions, because companies are fearful of publicizing their systems' vulnerabilities.

Pethia said the federal government should utilize its massive buying power to force technology companies to manufacture products with fewer vulnerabilities. Also, he said universities need federal funding to create programs to train security professionals to analyze and combat cyber threats.

The release of Horn's report card follows by one week the federal indictment of an unemployed British computer administrator who allegedly hacked into nearly 100 U.S. government computer networks, including some operated by the Navy, Air Force, Defense Department and NASA. Defense received an F from Horn, and NASA scored a D+.