
Thursday, September 14, 2000

Pentagon gets bad grades
in computer security report

By Sandra Jontz
Washington bureau

The Pentagon has received a near-failing grade on computer security, according to a U.S. congressional subcommittee and a report by the General Accounting Office, the investigative arm of Congress.

GAO auditors tested computer systems of 24 federal agencies for security weaknesses and to determine if information might be vulnerable to spies and hackers.

The Department of Defense received a "D+" for its computer security systems, according to a report card released Monday by the House Subcommittee on Government Management, Information and Technology of the Committee on Government Reform.

The subcommittee commissioned the GAO study and released its report card of federal agency computer security the same day the GAO's report was given to Congress.

"Weaknesses at the Department of Defense increase the vulnerability of various military operations that support the department’s war-fighting capability," reads a portion of the 36-page report.

Auditors were able to gain access to sensitive DOD information through a file that was publicly available over the Internet, states the report.

Auditors managed to gain access to employees’ Social Security numbers, addresses and pay information, as well as budget, expenditure and procurement information on projects, according to the report.

"Evaluations of computer security ... continue to show that federal computer security is fraught with weaknesses and that, as a result, critical operations and assets continue to be at risk," the report states.

According to the report, the security weaknesses impaired DOD’s ability to:

The GAO’s latest report doesn’t tell DOD officials anything new, however, said Maj. Perry Nouis, spokesman for the U.S. Space Command at Peterson Air Force Base in Colorado Springs, which manages the DOD’s Joint Task Force on Computer Network Defense.

"It’s not telling us anything we don’t know," Nouis said. "We knew that significant problems and threats existed, and that’s why the decision to establish this joint task force was made. It shows a top-level concern that we do this right."

The report briefly acknowledged that DOD has plans to improve information security, and cited by name the Defensewide Information Assurance Program and DOD’s Joint Task Force on Computer Network Defense.

On Oct. 1, 1999, after nearly a year of preparation, the Pentagon set up the task force, which includes representation from every service, Nouis said.

About 40 computer and communication specialists make up the task force and monitor the defense computer systems 24 hours a day, he said.

"They’re looking for unauthorized intrusions, responding to viruses and directing actions needed to protect the system," Nouis said.

He wouldn’t comment directly on the report card because he had not seen it, but said: "We take computer network defense very seriously. Any observations or recommendations that seek to improve our operation are welcomed."

DOD’s vast and complex computerized information infrastructure supports virtually all aspects of its operations, from strategic and tactical operations to weaponry, intelligence and security.

"Evaluations of the security of DOD systems since July 1999 have continued to identify weaknesses that could seriously jeopardize operations and compromise the confidentiality, integrity or availability of sensitive information," the report states.

"In August 1999, [the GAO] reported that serious weaknesses in DOD information security continued to provide both hackers and hundreds of thousands of authorized users the opportunity to modify, steal, inappropriately disclose and destroy sensitive DOD data."

The GAO reported in August 1999 that DOD had taken some corrective action; however, "progress in correcting specific control weaknesses identified in 1996 and in previous reviews had been inconsistent across the various DOD components," the report states.

"Although many factors contribute to these weaknesses, audits by us and the DOD [inspector general] have found that an underlying cause of weak information security is poor management of security programs," it states.

In May 1996, the GAO reported to Congress that attackers had stolen, modified and destroyed both data and software at DOD, and installed "back doors" that circumvented normal system protection and allowed attackers unauthorized future access, the report states.

The attackers also had shut down and crashed entire systems and networks, the report states.

The congressional committee that commissioned the study doled out the grades and gave seven of 24 agencies "Fs," including the Justice Department, which prosecutes hackers, the Department of the Interior, the Department of Agriculture, the Department of Labor and the Department of Health and Human Services.

Two agencies fared much better. The Social Security Administration was given a "B," and the National Science Foundation received a "B-."

The government as a whole earned a "D-."

"Obviously, there is a great deal of work ahead," Rep. Stephen Horn, R-Calif., the subcommittee chairman, said Monday at a hearing about the reports.

"And regardless of grade, each agency must recognize that the daily challenges to their computer systems will continue to grow in number and sophistication. They must take the necessary steps to mitigate those threats. There is no room for complacency, for the stakes are simply too high."

In August, the House Subcommittee on Government Management, Information and Technology sent out a six-page questionnaire to each of the 24 agencies, and used the surveys to dole out the grades, spokeswoman Bonnie Heald said.

"These grades were scored on the departments’ own evaluation and the answers to the questionnaires," Heald said.

The release of the report card and the GAO report has had the desired effect, Heald said.

"The purpose was to draw attention to a very serious problem," she said. "We hope this is going to be the start of a congressional oversight process that will continue."

Overall, the GAO recommended that the responsibility of securing computers remain with the individual agencies because officials there are familiar with their own programs and data.

But a centrally directed, governmentwide effort also would help, it stated, citing as an example the National Plan for Information Systems Protection that President Clinton issued in January.

The plan calls for initiatives to strengthen the nation's defenses against threats in both the public and private sectors.

The GAO supports Congress in meeting constitutional responsibilities and helps improve the performance and accountability of the federal government. The agency examines the use of public funds, evaluates federal programs and activities and provides analyses, options, recommendations and other assistance to help the Congress make effective oversight, policy and funding decisions.