Lack of systems security skills reaching critical mass for feds

A leading national security expert on Wednesday told Congress that the shortage of skilled information systems security personnel throughout the government has reached crisis proportions and has contributed to the recent spate of intrusions into federal networks.

Testifying before the Senate Judiciary Committee's Technology, Terrorism and Government Information Subcommittee, John Tritak, director of the Critical Infrastructure Assurance Office, tied the government's inability to adequately protect its information systems directly to the shortage of trained systems security personnel.

"One of the nation's important shortcomings in our efforts to protect our critical infrastructures is a shortage of skilled information technology personnel," Tritak told committee members. "Within the subset of information systems security personnel, the shortage is acute," he said, adding that the governmentwide shortage "amounts to a crisis."

Jack Brock Jr., director of governmentwide and defense information systems at the General Accounting Office, said the underlying problem throughout government is poor security program management, adding that agency managers are not ensuring on an ongoing basis that risks are addressed. "Similar weaknesses continue to surface because agencies have not implemented a management framework for overseeing information security on an agencywide and ongoing basis," Brock said. "Instead, there is a tendency to react to individual audit findings as they are reported, with little ongoing attention to the systematic causes of control weaknesses."

Following Tritak's testimony, Michael Vatis, director of the FBI's National Infrastructure Protection Center, confirmed for lawmakers that during the past few years intruders have successfully penetrated Defense Department networks and other federal agencies and have managed to steal "unclassified but sensitive information." However, Vatis stopped short of commenting directly on numerous, unconfirmed press reports that have linked the Russian government to any of the hacker attacks [FCW, Sept. 27].

"The FBI's caseload for computer hacking and network-intrusion cases has doubled each of the last two years," Vatis said. "Currently we have over 800 pending investigations."

According to Vatis, the greatest potential threat comes from the prospect of foreign nations waging sustained information warfare attacks against the United States. He added that individuals from Russia and Serbia already have shown their willingness to do so during the crisis in Kosovo and that Chinese military leaders have published official papers advocating the use of computer viruses to counterbalance U.S. military might.