Computer system abuse soars

More than half of federal agencies report they have been victims of unauthorized use of computer systems, and agencies' financial losses have risen by more than 3,000 percent from last year, according to a report issued this month.

The report, conducted jointly by the San Francisco-based Computer Security Institute (CSI) and the FBI, covered such unauthorized-use incidents as unauthorized access, insider abuse, system penetration, laptop theft, viruses, financial fraud and denial-of-service attacks. The cost of unauthorized use of computers totaled $52.5 million in the past 12 months compared with a total cost of $1.5 million in the previous 12-month period, according to the report.

Of 57 federal agencies that responded to the survey, 61 percent reported unauthorized computer system use in the past 12 months. In addition, more than 18 percent reported that they did not know if unauthorized use had occurred.

Patrice Rapalus, CSI's director, said the percentage of federal agencies reporting unauthorized computer system use closely matches the percentage of private-sector entities reporting security system exploitation. Rapalus said the growing number of Internet connections and an overreliance on security technology account for the increasing number of organizations experiencing system abuse.

"Every network is now connected to dozens and dozens of other networks," she said. "Our concern is that people are looking to technology as a silver bullet— that they put in a firewall and think they're protected."

However, many organizations fail to install and update firewalls properly, and they do not inform administrators who maintain the firewalls about newly discovered vulnerabilities, Rapalus said.

The financial losses reported by the 520 organizations in the study— federal government agencies, universities, corporations and financial institutions— topped $136 million. Total reported losses from all sectors increased 36 percent compared with the previous 12 months. Most of the agency respondents reported that the Internet was the most frequent point of attack.

Federal agencies believe foreign governments, hackers and disgruntled employees are the most likely sources of computer system abuse, the study showed. Of 45 agency respondents, 58 percent cited foreign governments as likely sources of attack.

Barry Collin, senior research fellow at the Institute for Security and Intelligence in Stanford, Calif., said the capability of foreign governments to launch state-sponsored electronic attacks directed toward U.S. government computers has grown significantly in the past 12 months. Although the list of countries with this capability is classified, Collin said these countries have a history of lobbing industrial espionage efforts toward the United States. "These capabilities are very new," he said. "Historically, the interest is mostly gathering information. Now, it's doing damage."

While agencies reported the use of various types of security technologies— such as access control, encryption, anti-virus software, firewalls and intrusion protection— 41 percent of 48 respondents reported that their agencies did not have a written policy for network intrusion.

"How are you going to monitor compliance for your employees if they don't have any guidance to go by?" Rapalus said. "Unless there are policies and procedures in place...you cannot monitor your employees' behavior, [and] you can't consider yourself sufficiently prepared for an intrusion."

In addition, half of 58 government respondents said their agencies did not have a policy for preserving evidence after unauthorized computer systems use, and 69 percent of 55 federal respondents said their agency had not performed a risk analysis of computer systems.