Fed systems still too vulnerable


Despite government mandates, agencies are still far too vulnerable to cyberattack, federal experts testified Thursday in the first of many hearings a House subcommittee promises to hold on the security of the federal government.

The Federal Computer Incident Response Center, the organization tasked with coordinating civilian agencies' warnings and responses to cyberattacks, has tracked a clear increase in the number of incidents, rising from 376 in 1998 to 586 in 2000.

But those numbers just skim the surface of the problem because about 80 percent of incidents are not reported - usually because the agencies involved don't know about them — said Sallie McDonald, assistant commissioner for the Office of Information Assurance and Critical Infrastructure Protection at the General Services Administration, the parent agency for FedCIRC.

Agencies do not know about incidents because in many cases they are not following basic security practices such as carefully configuring their commercial systems and applying software patches for known vulnerabilities, said Ronald Dick, the new director of the National Infrastructure Protection Center. According to studies, almost 95 percent of security incidents occur when attackers exploit known vulnerabilities that have patches available.

"It's continual vigilance and implementation of security, and unless you do that, you are vulnerable," Dick said.

Under Presidential Decision Directive 63, signed by President Clinton in May 1998, agencies are required to secure the information systems that support the nation's critical infrastructure by 2003. But agencies are clearly having trouble with this mandate, said Rep. James Greenwood (R-Pa.), chairman of the House Energy and Commerce Committee's Oversight and Investigations Subcommittee.

"Three years later, most agencies are still in the process of identifying those critical assets.... It appears that we will not meet this deadline unless we focus our efforts in the near term," he said.

Greenwood and other subcommittee members recognized that Congress has a role to play in providing agencies with the resources needed to maintain that security vigilance.

"[Agencies] will not meet the 2003 deadline without significant resources.and this body has not been particularly responsive to requests for funding for computer security," said Rep. Ted Strickland (D-Ohio), a subcommittee member.


    pentagon cloud

    Court orders temporary block on JEDI

    JEDI, the Defense Department’s multi-billion-dollar cloud procurement, is officially on hold, according to a federal court announcement Feb. 13.

  • Defense
    mock-up of the shore-based Aegis Combat Information Center

    Pentagon focuses on research, cyber in 2021 budget request

    The Defense Department wants to significantly increase funds for research, cyber, and cloud.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.