WASHINGTON -- The Department of Defense (DOD) has implemented an information assurance program to promote consistent practices across all departments, but it still does not have mechanisms in place for comprehensively measuring compliance with federal security policies, according to the General Accounting Office (GAO).
Concerned that federal systems had weaknesses that made them vulnerable to cyber attacks, Congress passed the Government Information Security Reform Act (GISRA) in 2000 to establish information security program, evaluation and reporting requirements for federal agencies. Since then, the GAO has reported annually on the progress of federal agencies in complying with the law.
"Although there have been some individual agency improvements, our most recent analysis of audit and evaluation reports for the 24 major departments and agencies continued to highlight significant information security weaknesses that place a broad array of federal operations and assets at risk of fraud, misuse and disruption," Robert F. Dacey, director of the GAO Information Technology Team, testified Thursday at a House Armed Services subcommittee meeting.
Dacey said the DOD has an "aggressive information assurance (IA)" program, but, "a number of challenges remain for the department in implementing both its policies and procedures and statutory information security requirements."
The need for federal IA programs has increased dramatically as the number of individuals with computer skills has grown and more intrusion, or "hacking," tools have become available. While an individual can literally download tools from the Internet and "point and click" to start an attack, experts agree there has been a steady advance in the sophistication and effectiveness of attack technology.
Along with these increasing threats, the number of computer security incidents reported to the CERT Coordination Center at Carnegie Mellon University has risen from 9,859 in 1999 to 82,094 in 2002, and 76,404 for just the first half of this year.
In addition, according to the National Security Agency, foreign governments already have or are developing computer attack capabilities, and "potential adversaries are developing a body of knowledge about U.S. systems and methods to attack these systems."
"To better understand the risks facing DOD systems, it is useful to consider the overall status of information security for the federal government," Dacey said. "Our analyses of information security at major federal agencies have shown that federal systems were not being adequately protected from computer-based threats, even though these systems process, store and transmit enormous amounts of sensitive data and are indispensable to many federal agency operations."