Horn: Feds still fail security

The professor has given his final exam on computer security, and the results are miserable.

Overall, federal agencies earned a failing grade on Rep. Stephen Horn's latest report card on government security. The grades issued Nov. 19 were Horn's last. The California Republican, a former professor and university president, is retiring after a decade in Congress.

Of the 24 federal agencies Horn graded, 14 flunked.

The latest dismal evaluation was without argument from the government's information technology chief, Mark Forman.

"The more IT systems that agencies and inspectors general review, the more security weaknesses they are likely to find," Forman told the House Government Reform Committee's Government Efficiency, Financial Management and Intergovernmental Relations Subcommittee.

Forman, associate director of IT and e-government at the Office of Management and Budget, said his own analysis "reveals that while progress has been made, there remain significant weaknesses."

One problem is that "many agencies are not adequately prioritizing their IT investments." They ask for money to develop new systems but have largely failed to improve the security of those they already operate, he said.

Forman vowed to change that. OMB has warned agencies that they will not get funding for new computer projects until they make progress on improving the security of existing systems, he said.

"OMB will assist agencies in reprioritizing their resources through the budget process," he said.

At some agencies, the lack of progress on computer security can be attributed to the absence of a chief information officer, Horn said.

The Transportation Department, which received a failing grade on Horn's report card, has had a senior IT executive for only 18 months out of the past six years. Despite recruiting efforts, the agency has been unable to attract a suitable CIO candidate, said Kenneth Mead, DOT's inspector general.

The Social Security Administration, which scored highest, has both a CIO and a chief security officer (CSO) and, in a recent reorganization, elevated the rank of the CSO, said James Lockhart, deputy commissioner of SSA.

Poor security performance continues as agencies use the Internet more and increase their interconnections with computer systems. That combination "poses significant risks to the government's and our nation's computer systems," according to the General Accounting Office, which evaluated agency performance for Horn.

Security weaknesses in government systems could permit hackers to steal personal information, eavesdrop or interfere with telecommunications, power distribution, water supplies, public health services, law enforcement and national defense, said Robert Dacey, GAO's director of information security.

"Reports of attacks and disruptions are growing, and they are becoming more complex and harder to trace," Horn said.