U.S. agencies flunking in tech security

A House subcommittee issues a set of grades to government agencies on how well they're protected from hackers, terrorists and others. Things aren't looking good.

Margaret Kane, former staff writer, CNET News

Government agencies have some chronic problems with their computer security, according to testimony at a congressional hearing Friday.

A subcommittee of the House Committee on Government Reform issued a set of grades--mostly failing--to government agencies regarding how well they are protected against hackers, terrorists and other miscreants.

"There's no significant relationship between the percent of (an agency's) IT spending on security and the security performance of that agency," Mark Forman, associate director for information technology and e-government at the Office of Management and Budget, said at the hearing.

Many problems could be addressed through basic procedures such as installing upgrade patches and making sure agencies are complying with existing policies and procedures, Forman said.

"What needs to be incorporated is an acknowledgment that computer security is really part of your operations," said Robert Dacey, director of information security for the General Accounting Office, the investigative arm of Congress. "It's very important for management to have some regular analysis of their systems as well."

Two-thirds of federal agencies--including the departments of Defense, Commerce, Energy, Justice and Treasury--are not making the grade, according to information from the OMB, the Associated Press reported. Federal agencies are required to regularly update the OMB on computer security efforts.

This year's testimony echoes the findings of GAO reports from just over a year ago, which found that U.S. government Web sites and computer systems routinely failed to ensure adequate privacy and security.