Fed systems still too vulnerable

Agencies struggling with mandate to protect critical networks, House panel told

FedCIRC

Despite government mandates, agencies are still far too vulnerable to cyberattack, federal experts testified Thursday in the first of many hearings a House subcommittee promises to hold on the security of the federal government.

The Federal Computer Incident Response Center, the organization tasked with coordinating civilian agencies' warnings and responses to cyberattacks, has tracked a clear increase in the number of incidents, rising from 376 in 1998 to 586 in 2000.

But those numbers just skim the surface of the problem because about 80 percent of incidents are not reported - usually because the agencies involved don't know about them — said Sallie McDonald, assistant commissioner for the Office of Information Assurance and Critical Infrastructure Protection at the General Services Administration, the parent agency for FedCIRC.

Agencies do not know about incidents because in many cases they are not following basic security practices such as carefully configuring their commercial systems and applying software patches for known vulnerabilities, said Ronald Dick, the new director of the National Infrastructure Protection Center. According to studies, almost 95 percent of security incidents occur when attackers exploit known vulnerabilities that have patches available.

"It's continual vigilance and implementation of security, and unless you do that, you are vulnerable," Dick said.

Under Presidential Decision Directive 63, signed by President Clinton in May 1998, agencies are required to secure the information systems that support the nation's critical infrastructure by 2003. But agencies are clearly having trouble with this mandate, said Rep. James Greenwood (R-Pa.), chairman of the House Energy and Commerce Committee's Oversight and Investigations Subcommittee.

"Three years later, most agencies are still in the process of identifying those critical assets.... It appears that we will not meet this deadline unless we focus our efforts in the near term," he said.

Greenwood and other subcommittee members recognized that Congress has a role to play in providing agencies with the resources needed to maintain that security vigilance.

"[Agencies] will not meet the 2003 deadline without significant resources.and this body has not been particularly responsive to requests for funding for computer security," said Rep. Ted Strickland (D-Ohio), a subcommittee member.

NEXT STORY: Companies taking over cyberalerts