Study pans fed security role as attack hits Justice site

Federal Information Technology officials caught off-guard as hackers broke into the Justice Department's home page received a second wake-up call last week as an independent study was released showing how the majority of federal state and local agencies are wide open to electronic attack.Only days after the invasion of DOJ's Web site the Computer Security Institute in San Francisco reported that 57 percent of government agencies surveyed had not developed policies to secure computer systems or that showed what to do when systems were attacked. Another 6 percent did not even know if policies existed.

"If you don't have a policy you're nowhere " said Richard Power a CSI analyst and author of the study. "This just shows that no one knows what's going on."

Bruce McConnell chief of the Information Policy Branch at the Office of Management and Budget disagreed and said the federal government's A-130 guidelines for computer security are "at the level of detail for a one-size-fits-all management directive." The National Institute of Standards and Technology "has a comprehensive set of materials that deals with almost every eventuality " McConnell said.

"The problem is there may not be enough awareness [among agencies] of what's out there " he added.While the CSI study could serve as a call to arms for government agencies many IT officials last week acknowledged a renewed concern over security following the DOJ intrusion with some contacting DOJ to learn what they could do to prevent a similar break-in. But many of those officials declined to be interviewed for this article for fear of attracting hackers' unwanted attention.

A top DOJ IT official speaking on condition of anonymity said computer security at the agency traditionally has been given minimal attention because it is not "something that solves cases processes business or seizes assets so it gets the short shrift of dollars and people."

But that attitude is likely to change after last week's attack the official admitted in which hackers broke into DOJ's Web site on Aug. 16 and replaced the home page with one that displayed swastikas pornographic photos and criticism of the Communications Decency Act a law passed in February that makes it illegal to transmit sexually explicit material in a way that children could see it.

As of late last week DOJ officials had not determined how hackers broke into their home page."As more government agencies move to passing sensitive information over the Net they'll increasingly become targets of hackers " said Chris Klaus chief executive officer of Internet Security Systems Inc. which has worked with several federal agencies in securing Internet sites. "I think you're going to see security become much more of a top issue at agencies."

Government has certainly been aware of the dangers for some time. In a report on security in cyberspace a Senate subcommittee recently lamented the "lack of a security culture within government and private industry" and the "failure of most government agencies to detect intrusions [and] to report intrusions that are detected." The report recommended making reports of break-ins to federal sites mandatory."Yes this [DOJ break-in] heightens our awareness and forces us to look at our steps to secure our systems " said John Sabo head of the Program Coordination and Planning Staff at the Social Security Administration.

In addition to tight budgets agencies' quick embrace of the Internet has contributed to a lax oversight of security management security consultants and analysts said."In all the rush to get on the Internet to get on the Web people haven't thought about the security issues ...or what the exposures are " said Lynn McNulty a former computer security expert at NIST and now president of McNulty & Associates. "This is just the beginning and it will happen again."

The Targets

All federal pages are potential targets of hackers but some by their nature have a higher probability of being hacked. Agencies or government officials involved in controversial policies or unpopular services are prime targets experts said.

These sites include the Internal Revenue Service which receives 1.5 million to 2 million hits a week and congressional offices. IRS officials declined to comment on the security systems they use on their Web site but a spokeswoman said the agency's decision to put off a program that would allow individuals to electronically file tax returns was made primarily because technology was not available that would secure the system sufficiently.

The report released last week found that the increasing use of the Internet networks and the growing global economy has given hackers and computer criminals greater access to government systems.Unauthorized Usage

Of the 77 government agencies surveyed for the study nearly 39 percent said they had unauthorized use of their computers which excludes the benign use of systems to play computer games or to access pornography on the Internet CSI's Power said.

Nearly one-quarter of the unauthorized use was "denial of service " break-ins that would shut programs or computers down.

The findings were part of the "Current and Future Danger" report CSI publishes to inform agency heads and chief executive officers about the nature of the global threat to computer security.