Security team in money crunch

Faced with a dwindling budget, officials with the only governmentwide computer emergency response team (CERT) for civilian agencies are considering floating a proposal to levy a tax on agencies to fund security services for information technology systems. As the Federal Computer Incident Response Capability (FedCIRC) reported last month, the number of security attacks on civilian agencies is increasing as the Internet expands. FedCIRC handled more than 244 federal agency security incidents between October 1996 and October 1997, many of which affected thousands of sites and host computers.

FedCIRC evaluates agency systems to pinpoint potential threats, offers technical support to recover from unauthorized intrusions and offers training guidelines for agencies to improve security control. The Government Information Technology Services Board (GITSB) last year launched FedCIRC on $3.6 million, which will last until September 1998. After that, GITSB planned for FedCIRC to become self-sufficient by collecting subscription fees from federal agencies. Because many agencies remain unaware of the potential threat and impact of computer security incidents, only six agencies have signed up for the service, according to FedCIRC officials.

FedCIRC is evaluating several proposals to obtain funding to enable it to continue operations. One option is to propose to the Chief Information Officers Council that agencies be required to set aside a portion of their annual IT budgets to fund security response services, said Patricia Edfors, former GITSB champion for computer security and privacy. The proposal, she said, would be based upon the insurance model that businesses and citizens use to insure various assets. "This is identifying what your assets are, figuring out how to calculate a percentage," Edfors said at FedCIRC's annual meeting last month. "How do we get the money to insure these assets? We are insuring these assets against destruction in a lot of cases."

FedCIRC program manager Marianne Swanson said the group has forwarded its updated business plan to the Office of Management and Budget with several options, including the agency tax option and its plans to increase agency awareness of security threats.

Agencies may not be aware of potential security threats to their systems because many of those that experience a security breach to their systems never know the attacks occurred.

Of the 92 intrusion incidents to federal agency systems handled by FedCIRC, less than 5 percent were recognized by the victims, said FedCIRC's Richard Pethia, manager of the networked systems survivability program of the CERT at Carnegie-Mellon University, which handles FedCIRC incidents in the eastern United States. Those incidents involved 1,841 sites and 18,751 hosts, according to FedCIRC statistics.

"Almost none of these things were detected by the federal civilian agencies themselves," Pethia said. "We need to do a lot of work to improve intrusion detection." Pethia said the rate of the incidents that are reported is increasing at the same rate the Internet is growing, and officials are seeing increased damage from system attacks. In addition, he said, there is little evidence of improved security fixes to IT products that may contain security vulnerabilities. "The bugs continue to be there," he said.

"The vendors are interested in time to market. It's very hard for anyone to go to a vendor and get a comprehensive solution to the security problem. The emphasis on ease of use has not been matched by improvements in ease of security implementation." Civilian agencies are not the only ones targeted.

The Defense Department continues to be targeted by unauthorized users attempting to gather data from military systems, said Brian Dunphy, an intrusion analyst with DOD's emergency response team. Intruders will launch vulnerability sweeps designed to probe tens of thousands of systems around the world to find several that are vulnerable to unauthorized access, he said.

