Dept. of Homeland IT Insecurity
You think you've got password woes? Folks who work for the U.S. Citizenship and Immigration Information Services have to remember as many as 17 passwords to get into their networks. One poor soul at the agency, part of the U.S. Dept. of Homeland Security, had to use four different passwords just to check e-mail, according to a recent report by the DHS Office of Inspector General.
Besides being a hassle, the trouble with so many different passwords is that they expire and have to be reset. Too often, they get written down. And so a tool for protecting computer security actually can make information-technology systems less secure.
It's just that type of potential breach that earned the Dept. of Homeland Security a big fat "F" in computer-system security. For the third year running, the agency entrusted with protecting the U.S. from security threats of all forms received the lowest grade possible from a congressional oversight committee.
The report card, issued Mar. 16 by the House Government Reform Committee, covers fiscal 2005 and measures government compliance with the Federal Information Security Management Act (FISMA), which requires agencies to protect themselves against cyber threats. The grades are aimed at giving a sense of how well federal agencies are doing in such areas as training employees in computer security, and testing and certifying computer systems.
DHS is by no means alone in its underperformance. Health and Human Services, Agriculture, Veterans Affairs, and Energy all got Fs, as they had in 2004. The Justice Dept. received a D, down from B- the previous year. Over at Defense, things looked up, but from a low base. Its grade rose to a D. On the whole, government agencies scored a dismal D+, the same as in 2004.
A COMPLEX AMALGAM.
During a hearing on the day the scorecards were issued, Rep. Tom Davis, who chairs the committee, said, "We can't accept these." He noted that government agencies are prime targets for hackers, terrorists, hostile foreign governments, and identity thieves. The results show that the government is falling down in several areas, such as implementing security-management policies, reporting security threats, and testing security controls, Davis said.
Several agencies clearly have much room for improvement. But some observers say it’s especially important that the DHS right its security ship. "One big thing they have to do is set an example, so it's not only that they preach security, but that they have to be secure themselves," says Marcus Sachs, who formerly worked in the National Cyber Security division of DHS, and is now a deputy director of the Computer Science Laboratory at the nonprofit SRI International in Silicon Valley.
Why isn't DHS making the grade? In part, the failings are a result of the department's size and complexity. DHS is an amalgam of 22 different federal agencies that were rolled into one by the Homeland Security Act of 2002. As recently as July, the DHS Inspector General noted that the department "still faces challenges related to the merging of numerous entities that have had their own IT functions, controls, processes, and overall organizational shortages."
Those struggles persist. The DHS is in a "challenging environment," Karen S. Evans, the administrator of the Office of E-Government and Information Technology in the Office of Management and Budget (OMB), said at the hearing. She points to overly complex computing environments. Interconnectivity means that a vulnerability in one area can affect a whole network, she noted.
Flaws in the government's systems come in spite of a big and growing IT budget. The federal government's IT budget rose to $62.2 billion in the year ended September, 2005, from $50.4 billion in 2002. Of that, $4.8 billion was for IT at the DHS, including $2.35 billion specifically for IT security, according to the OMB. The entire DHS IT budget was $1.8 billion in 2002, the year it was created.
DHS is taking steps to get its IT security in order. Last May, it created a center for handling instances of cyber security breaches. The center received 3,569 reports about people obtaining unauthorized access, experiencing denial of service, finding malicious code, and other incidents during fiscal year 2005.
LONG WAY TO GO.
The department in 2005 also installed a tool that automatically transmits information about its network from three of its agencies, and plans to put similar processes in place at other agencies. Such developments have "paved the way for real and measurable cyber security improvements in the near future," said DHS Chief Information Security Officer Scott Charbo during the hearing.
"DHS is moving forward," Evans said. But it's got a long way to go, and it's not clear that getting a bad grade on a report card is making any difference. "The agencies have gotten a low score since FISMA came into place, and nothing bad has happened yet," says James Lewis, senior fellow and director of technology and public policy at the Center for Strategic and International Studies. "It'd be nice if they could get their act together. I don't think it'll happen soon."