Feds urged to tighten cybersecurity

U.S. government agencies get a "D+" for computer security as experts warn that attacks will come.

Robert Lemos Staff Writer, CNET News.com
SAN FRANCISCO--As experts warned that major cyberattacks could be brewing, a government report gave U.S. federal systems a "D+" for computer security.

While the overall mark is an improvement on last year's "D" average, seven of the 24 agencies surveyed did not provide enough protection on their networks to get a passing grade on the computer security report card, which was released on Wednesday in Washington by the House Committee on Government Reform and here at the RSA Conference 2005.

Poor grades
A report card from the House Committee on Government Reform shows that some key federal agencies need to do a lot better with computer security. The overall grade: D+.

• F Department of Homeland Security, Department of Commerce and Department of Energy
• D Department of Defense
• B- Department of Justice
• B+ Nuclear Regulatory Commission
• A- Department of Transportation
• A+ Agency for International Development

"Several agencies continue to receive failing grades, and that's unacceptable," Rep. Tom Davis, the Virginia Republican who chairs the committee, said in a statement. The committee oversees the annual audit, which is required by the Federal Information Security Management Act.

Key agencies in charge of critical components of the U.S. infrastructure got grades of "D" and lower, with the Department of Homeland Security, the Department of Commerce and the Department of Energy all receiving an "F."

The continued poor performance of U.S. efforts to protect federal systems underscores warnings from experts that an incident in cyberspace could have national consequences.

If the government does not start focusing on cybersecurity soon, a major national disaster in cyberspace is likely, former U.S. counterterrorism chief Richard Clarke said during a panel discussion at the RSA security show on Wednesday.

"It's never happened, and therefore, people believe it never will happen. Because to believe it might happen would be to require a massive effort--new laws and regulations, billions of dollars spent--to improve our cyberspace," Clarke said.

Clarke's comments mirrored those made by other government officials this week.

During testimony before the Senate Select Committee on Intelligence, FBI Director Robert Mueller told members that other nations, as well as terrorists, are focusing on attacking U.S. information systems.

"The greatest cyberthreat is posed by countries that continue to openly conduct computer network attacks and exploitations on American systems," Mueller said Wednesday.

Despite its failing grade, the Department of Homeland Security is focusing heavily on computer security, Andy Purdy, acting director of the agency's National Cyber Security Division (NCSD), said at the RSA panel discussion.

The department has created two groups to improve the United States' ability to detect and respond to cyberattacks, Purdy said. It has teamed with the Department of Defense and the Department of Justice to form the National Cyber Response Coordination Group to watch out for and respond to threats. In addition, it has formed the National Infrastructure Protection Center, which brings together representatives from the companies responsible for the estimated 85 percent of critical infrastructure not owned by the government.

To repair a weak point in U.S. defenses, the agency will make it a priority this year to harden the industrial control systems used by several industries against attack from the Internet.

"Our vulnerabilities in the control systems area require vigilance and concerted efforts," Purdy said in an interview, adding that it will take significant funding to upgrade key systems.

Cybersecurity efforts at the Department of Homeland Security have had to deal with the resignation of several top officials there, including the former assistant secretary of infrastructure protection, Robert Liscouski, and the former director of the NCSD, Amit Yoran.

To improve data protection on national IT systems, chief information security officers at federal agencies will work with private-sector security executives under the CISO Exchange, an initiative launched Wednesday by the U.S. Chief Information Officers Council and Committee on Government Reform Chairman Davis.

The theme of private-public cooperation was also a popular one at a Thursday panel at the RSA show on how to stem the rising tide of cybercrime.

"No single federal entity, however well-funded, however well-organized, can successfully protect our nation's vast financial networks and critical infrastructure on its own," Ralph Basham, director of the Secret Service, said in a statement preceding the panel. "We depend on the expertise of our partners in private industry. We are all part of a national effort to make our country safe from those who seek to weaken or destroy us."