Feds losing war on information security, senators told

The federal government is losing the battle to keep its information systems secure, according to expert testimony at a Senate hearing on Wednesday.

Officials from the Government Accountability Office, Office of Management and Budget and industry groups testified that the number and intensity of attacks on the government's networks increased significantly during 2007. They spoke at a hearing of the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management.

"Quite frankly, the bad guys are winning," said Tim Bennett, president of the Cyber Security Industry Alliance. He added that attacks on federal networks were now occurring on a daily basis and were backed by large criminal enterprises and enemy states with tremendous financial resources. "This is warfare, and it needs to be stopped," Bennett said.

The hearing's focus was on the effectiveness of the 2002 Federal Information Security Management Act. Sen. Tom Coburn, R-Okla., pressed the panel on whether, six years later, agencies are focused on real security issues or simply trying to comply with the law's provisions. "How much of FISMA is paperwork vs. actual security?" asked Coburn.

"That depends on how an agency goes about doing its work," said Karen Evans, administrator of e-government and information technology at OMB. "FISMA has put together a framework, but if [an agency] does it just for compliance, then it's purely a paperwork exercise."

Responding to the same question, Gregory Wilshusen, director of information security issues at GAO, said that FISMA measures the implementation of control activities, not the actual effectiveness in preventing cyber attacks.

"Despite the progress reported by agencies, they continue to confront longstanding information security control deficiencies that limit the effectiveness of their efforts in protecting the confidentiality, integrity and availability of their information and information systems," Wilshusen said. He noted that 20 of 24 agency inspectors general have identified significant weaknesses in the financial management systems of their agencies.

When asked about the dramatic jump in attacks in both the private and public sectors, Evans acknowledged that OMB found a 60 percent rise in the number of reported incidents from 2006 to 2007. But she attributed the increase in large part to improved reporting. Bennett had a different take.

The increase "is real, and the federal government is not immune to it," he said. He blamed the increase on a shift from attacks by lone hackers to those launched by organized crime and state-sponsored organizations, noting that the ability to stage attacks offshore made this both easier and less risky.

Bennett noted the increasing sophistication of hacker attacks and said that the market for personally identifiable information is "thriving, profit-driven and very entrepreneurial."

COMMENTS

  • Why is the Air Force now looking for 1 Security Contractor to do the same work that DOD Civilians are still doing in house? It is a known fact that Contractors are more costly, and with recent break in of Security information of the State Dept. Computer leak. Air Force reports they are in the red for spending so why are they going to take out 2-3 year old system so they can have another contractor Air Force wide install another new system? Air Force had bld. Security as Real Property and now they state it is not (flip flopping) so they can get a contractor to replace civilians. Contractors have cost more money and then the civilians and military have to correct. QA inspectors are over looking jobs that they are not trained, certified on. Paul Delacot, AFGE Local 2356 President
  • "losing war" Wrong title. How about citizens "winning war" on government accountability.
  • Our security is also threatened by the major replacement of gov't workers with contractors. We had our long time IT support person replaced with a contractor position 2 years ago. The position is like a revolving door - 5 different people in 2 years, one of whom was escorted out in handcuffs due to a criminal record that was accidentally uncovered by an employee.