Feds losing war on information security, senators told
Experts testify that preventing cyberattacks is getting harder.
The federal government is losing the battle to keep its information systems secure, according to expert testimony at a Senate hearing on Wednesday.
Officials from the Government Accountability Office, Office of Management and Budget and industry groups testified that the number and intensity of attacks on the government's networks increased significantly during 2007. They spoke at a hearing of the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management.
"Quite frankly, the bad guys are winning," said Tim Bennett, president of the Cyber Security Industry Alliance. He added that attacks on federal networks were now occurring on a daily basis, and are now backed by large criminal enterprises and enemy states with tremendous financial resources. "This is warfare, and it needs to be stopped," Bennett said.
The hearing's focus was on the effectiveness of the 2002 Federal Information Security Management Act. Sen. Tom Coburn, R-Okla., pressed the panel on whether, six years later, agencies are focused on real security issues or simply trying to comply with the law's provisions. "How much of FISMA is paperwork vs. actual security?" asked Coburn.
"That depends on how an agency goes about doing its work," said Karen Evans, administrator of e-government and information technology at OMB. "FISMA has put together a framework, but if [an agency] does it just for compliance, then it's purely a paperwork exercise."
Responding to the same question, Gregory Wilshusen, director of information security issues at GAO, said that FISMA measures the implementation of control activities, not the actual effectiveness in preventing cyber attacks.
"Despite the progress reported by agencies, they continue to confront longstanding information security control deficiencies that limit the effectiveness of their efforts in protecting the confidentiality, integrity and availability of their information and information systems," Wilshusen said. He noted that 20 of 24 agency inspector generals have identified significant weaknesses in the financial management systems of their agencies.
When asked about the dramatic jump in attacks in both the private and public sectors, Evans acknowledged that OMB found a 60 percent rise in the number of reported incidents from 2006 to 2007. But she attributed the increase in large part to improved reporting. Bennett had a different take.
The increase "is real, and the federal government is not immune to it," he said. He blamed the increase on a shift from attacks by lone hackers to those launched by organized crime and state-sponsored organizations, noting that the ability to stage attacks offshore made this both easier and less risky.
Bennett noted the increasing sophistication of hacker attacks and said that the market for personally identifiable information is "thriving, profit-driven and very entrepreneurial."