[ISN] OMB: Modest Gains in Federal Cyber Security

InfoSec News isn at c4i.org
Wed Mar 8 02:10:21 EST 2006


By Brian Krebs 
March 7, 2006

Federal government agencies have improved their overall computer and
network security over the past year, but many agencies are still not
doing enough to secure their systems against viruses and other cyber
attacks, according to an annual report released by The White House
last week.

The White House's Office of Management and Budget issued the findings
as part of its yearly review of how well agencies are meeting the
standards set forth in the Federal Information Security Management Act
(FISMA), which establishes specific requirements for information
security programs at federal agencies. Lawmakers in the U.S. House
have used OMB's findings for the past several years to issue "computer
security report cards" to federal agencies. Last year, the House
Government Reform Committee awarded federal agencies a combined grade
of "D-plus" for security in 2004, up from a "D" in 2003. Another round
of report cards are likely to be issued later this month.

Among the improvements in 2005, the OMB cited a 32 percent increase in
the number of federal systems that were certified and accredited as
secure, a 28 percent increase in the number of systems tested with
cyber attack contingency plans, and "modest" increases in the
development of agencywide plans to address persistent computer
security problems.

However, the OMB also pointed to continued weaknesses in several key
areas, including the oversight of work done by outside contractors.
According to the report, at least six of the 24 agencies reviewed said
they only "rarely" or "sometimes" reviewed whether work done by
contractors met the government's minimum security requirements. The
report also cited a 4 percent drop in the number of systems tested
annually for computer security weaknesses.

The OMB found that federal agencies spent $5 billion securing
government systems -- or 8 percent of the total federal
information-technology budget of $62 billion. During this period, the
total number of reported computer systems increased by 19 percent to

The Department of Homeland Security, which is trying to keep track of
digital attacks against federal civilian systems, tracked 3,569
reported security "incidents" in 2005. These ranged from infections by
computer viruses and worms to distributed denial-of-service attacks,
which use thousands of hacked PCs to overwhelm a Web site with so much
traffic that legitimate users are shut out. Of those incidents, 1,806
involved some type of malware and 31 were distinct DDOS attacks.
Another 304 were related to some form of unauthorized access.

But according to OMB, those numbers almost surely mask a much larger
number of attacks: "DHS continues to find sporadic reporting by some
agencies and unusually low levels of reporting by others. Less than
full reporting hampers the government's ability to know whether an
incident is isolated at one agency or is part of a larger event, e.g.,
the widespread propagation of an Internet worm."

OMB said that in an effort to address this problem, DHS has installed
at three agencies (and has funding to install at six others) an
automated tool that "monitors network flow information and ...
transmits data to DHS." The White House didn't elaborate on what kind
of monitoring that "tool" does exactly, but it probably warrants
closer scrutiny.

More information about the ISN mailing list