Wednesday, March 15, 2006

Another F in Computer Security

An article by Brian Krebs in the Washington Post discusses a report by the House Government Reform Committee:
Most federal agencies that play key roles in the war on terror are doing a dismal job of protecting their computers and information networks from hackers and viruses, according to portions of a report to be released by a key congressional oversight committee Thursday.

The Department of Homeland Security, which is charged with setting the government's cyber security agenda, earned a grade of F for the third straight year from the House Government Reform Committee. Other agencies whose failing marks went unchanged from 2004 include the departments of Agriculture, Defense, Energy, State, Health and Human Services, Transportation, and Veterans Affairs.

The House Government Reform Committee is expected to award the federal government an overall grade of D-plus for computer security in 2005, a score that remains virtually unchanged from 2004...

The scores are "unacceptably low," committee Chairman Tom Davis (R-Va.) said in a statement. "DHS must have its house in order and should become a security leader among agencies. What's holding them up?" ...

As online attacks against consumers and businesses have skyrocketed, so have assaults against government information systems. Alan Paller, director of research for the SANS Institute, a group in Bethesda, Md., that trains and certifies computer security professionals, said a number of federal computer systems have been badly penetrated by hackers and viruses over the past several years, in part because many agencies do not adequately monitor their systems or apply software security updates in a timely manner.

But Paller argues that the yearly FISMA grades force agencies to apply scarce funding and employee time toward the wrong priorities.

"It turns out that the vast bulk of the federal information security money is spent on documenting these systems, not on securing or testing them against attacks," Paller said. "Most [agencies] are spending so much on the paperwork exercises that they don't have a lot of money left over to fix the problems they've identified" ...

The National Science Foundation and the General Services Administration each saw their scores rise from a C-plus in 2004 to an A last year. The Environmental Protection Agency and the Department of Labor earned A-plus grades in 2005, up from B and B-minus respectively.

[bold face mine]
Your Tax Dollars at Work (somewhere...)

See also "Is the Government Ready for a Digital Pearl Harbor?"



Comment by Blogger Jim Horning:

See also a Business Week article, "Dept. of Homeland IT Insecurity," covering the report.

1:19 PM  
