Tuesday, 19 February 2008

Another F in Computer Security

An article by Brian Krebs in the Washington Post discusses a report by the House Government Reform Committee.

Most federal agencies that play key roles in the war on terror are doing a dismal job of protecting their computers and information networks from hackers and viruses, according to portions of a report to be released by a key congressional oversight committee Thursday.

The Department of Homeland Security, which is charged with setting the government's cyber security agenda, earned a grade of F for the third straight year from the House Government Reform Committee.

Other agencies whose failing marks went unchanged from 2004 include the departments of Agriculture, Defense, Energy, State, Health and Human Services, Transportation, and Veterans Affairs.

The House Government Reform Committee is expected to award the federal government an overall grade of D-plus for computer security in 2005, a score that remains virtually unchanged from 2004...

The scores are "unacceptably low," committee Chairman Tom Davis (R-Va.) said in a statement. "DHS must have its house in order and should become a security leader among agencies. What's holding them up?" ...

As online attacks against consumers and businesses have skyrocketed, so have assaults against government information systems. Alan Paller, director of research for the SANS Institute, a group in Bethesda, Md., that trains and certifies computer security professionals, said a number of federal computer systems have been badly penetrated by hackers and viruses over the past several years, in part because many agencies do not adequately monitor their systems or apply software security updates in a timely manner.

But Paller argues that the yearly FISMA grades force agencies to apply scarce funding and employee time toward the wrong priorities.

"It turns out that the vast bulk of the federal information security money is spent on documenting these systems, not on securing or testing them against attacks," Paller said. "Most [agencies] are spending so much on the paperwork exercises that they don't have a lot of money left over to fix the problems they've identified" ...

The National Science Foundation and the General Services Administration each saw their scores rise from a C-plus in 2004 to an A last year. The Environmental Protection Agency and the Department of Labor earned A-plus grades in 2005, up from B and B-minus respectively.

[bold face mine]

Your Tax Dollars at Work (somewhere...)

See also "Is the Government Ready for a Digital Pearl Harbor?"
