Report: Cyberattacks, computer abuse still rising

Federal information technology officials reported a significant increase in cyberattacks and unauthorized use of computers by federal employees last year, according to a report on computer security released this month.

Seventy percent of federal agencies responding to a survey compiled by the San Francisco-based Computer Security Institute and the FBI said they had been victims of unauthorized use of computer systems in 1998, up from 61 percent in 1997.

The survey included more than 500 private-sector and public-sector organizations. Although only 40 of the participants represented federal agencies, CSI officials view the results as a fair cross-

section of federal security problems. "It's just a snapshot of some of the kinds of problems that the federal government agencies are facing," said Richard Power, editorial director for CSI.

More than half of the federal agencies surveyed said independent hackers and disgruntled federal employees were the most likely sources of computer attacks and abuses. Data or network sabotage is one type of attack becoming more common, according to the report. In 1998, 23 percent of the federal agencies surveyed said they had been the victims of data or network sabotage, up from 10 percent in 1997. For the entire survey, only 17 percent of organizations reported sabotage.

Also, insider abuse of Internet access remains a pervasive problem for agencies, according to the survey. Specifically, 78 percent of federal respondents said federal employees used the Internet in an unauthorized manner.

Some agencies may not have considered insider abuse of Internet access an "unauthorized use of computer systems," Power said, explaining why the percentage reporting Internet abuse exceeds the 70 percent who reported unauthorized systems use.

As far as intrusions of agencies' World Wide Web sites, 30 percent of agencies surveyed said they did not know whether their sites had been attacked or misused in 1998. "That's a very troublesome figure," Power said. "But to say you don't know means you don't have adequate staff and adequate tools" to find out.

The survey also showed that federal agencies are more likely to report computer intrusions to law enforcement agencies, such as the FBI, than are their private-sector counterparts. While only 32 percent of all organizations surveyed said they reported intrusions to law enforcement, 43 percent of federal agencies surveyed said they had reported attacks to authorities. Last year, only 34 percent of federal respondents said they had contacted law enforcement after a computer intrusion.

Federal IT security officials believe government agencies are more likely to report cyberattacks and computer misuse because IT security in the federal arena has received significant attention.

"We believe that it's the heightened awareness of the federal agencies that has resulted in an increase of reports," said Judith Spencer, director of the Center for Governmentwide Security at the General Services Administration and manager of the Federal Computer Incident Response Capability program.

But determining when a computer intrusion has occurred still remains a challenge for many agencies.

"We do feel pretty confident that lots of incidents happen that don't get reported, that don't even get noticed," said Shawn Hernan, leader of CERT Coordination Center's Vulnerability Handling Team at the Software Engineering Institute, a Defense Department-funded organization at Carnegie Mellon University.