Network security weaknesses in the 24 largest U.S. government agencies, including the Internal Revenue Service and the Defense Department, put critical government operations and data at "great risk of fraud, misuse, and disruption," according to the investigative arm of Congress.
Security weaknesses at the Defense Department could jeopardize the nation's military capabilities, while vulnerabilities at the Treasury Department increase the risk of fraud in billions of dollars' worth of federal payments and receipts.
The report details progress in some areas since the GAO's September 1996 effort on the same topic. The current report calls for additional action, however. "The need for improved federal information security has received increased visibility and attention, but more effective actions are needed both at the individual agency level and the government-wide level," it says.
The GAO calls for coordinated activities between new and existing agencies to avoid duplication of effort. One of those new agencies is the Critical Infrastructure Assurance Office, created in May with much fanfare and a major speech by President Clinton.
"[The report] does pan the federal government a little bit," conceded Gordy Bendick, the CIAO's deputy director of external affairs.
"We are working to do exactly what this report recommends, which is to improve and enhance computer security in the U.S. government and to serve as a leader to the private sector at the same time," Bendick said, adding that his agency is still early in implementing security measures.
The report's executive summary offers little detail on break-ins or losses because of poor network security. It cites a March 1998 survey of both public and private sectors by the Computer Security Institute and the FBI that found a 16 percent increase in security breaches over the previous year. It also cites an October 1997 government report noting that the interactions among public and private infrastructures are so complex that potential harm could not be estimated.
The GAO recommended both action by individual agencies and coordination by central oversight groups.
"Agency officials have not instituted procedures for ensuring that risks are fully understood and that controls implemented to mitigate risks are effective," the report states. "Poor security program planning and management continue to be fundamental problems."
The report added that it is too early to evaluate the effectiveness of Clinton's May directives on computer security in the federal government.
The most common security weakness was poor control over access to sensitive data and systems, the report found.
In February, Attorney General Janet Reno outlined a plan for an FBI-run National Infrastructure Protection Center to counter hackers, crackers, and others who commit computer crimes.
CNET News.com's Courtney Macavinta contributed to this report.