Federal Government Cybersecurity Is Inadequate, GAO Reports

Published December 1, 2008

The federal cybersecurity team with primary responsibility for protecting government computer networks isn’t up to the task, according to a new report by the Government Accountability Office and testimony before a U.S. House subcommittee.

The U.S. Computer Emergency Readiness Team (US-CERT) is responsible for manning the front line in any cyberattack, monitoring computer networks for hacker threats. US-CERT also investigates suspicious activity online and is supposed to issue timely alerts to information technology security professionals from the White House to corporations and electric utilities.

But the GAO draft report, first reported in Business Week, describes US-CERT as bedeviled by frequent management turnover, bureaucratic challenges preventing timely sounding of alarms, a lack of access to networks across wide swaths of critical terrain, and an inability to fill large numbers of positions with qualified workers.

‘A Huge Problem’

“This is a huge problem, one of the greatest national security threats of our time,” said Gary McAlum, a retired Air Force colonel who previously headed the U.S. Defense Department’s (DoD) Joint Task Force for Global Operations, which monitors the DoD’s computer networks. McAlum is currently a senior manager in enterprise risk services for Deloitte & Touche LLC.

“Most Americans do not realize the size of the problem,” McAlum said. “Computer networks are more interconnected than ever before.”

McAlum and other experts recommend government agencies and the private sector work more closely together on security solutions and strategies.

In a mid-September hearing before the House Homeland Security Committee’s Subcommittee on Emerging Threats, members of the Commission on Cybersecurity for the 44th Presidency testified U.S. computer networks are in grave danger because hackers can enter and extract data from many government computer systems without being detected.

Full Danger Unknown

Upon gaining access, an attacker theoretically can obtain any information on that computer—and, through connections, on the network, according to McAlum. To date, he added, none of those attacks has been successful—as far as anyone knows. However, he noted, hackers tend to keep quiet about successful intrusions.

The attackers tend to look for where computers or networks communicate with one another, because those points tend to have the most potential vulnerabilities, said Bill Johnson, president and CEO of Plano, Texas-based Tecys Development, Inc., a company that manages technical infrastructures.

Fighting Back

To fight the problem, McAlum recommends all government computers be monitored for intrusions and that access be controlled with passwords and access cards. That would help keep out unauthorized users, he said.

McAlum and others point out cyberattackers continue to upgrade and refine their methods, so network protection must likewise be improved on an ongoing basis.

“Right now, there’s no coherent strategy in the government,” McAlum said.

Johnson recommends tougher laws and penalties against cyber criminals. However, many of the attacks come from areas where the United States has no jurisdiction or extradition treaties.

The federal Department of Homeland Security (DHS) is charged with protecting against cyberattacks, but that might have to change, some experts say, because the department is too large to combat the problem effectively.

“Any time a government agency gets that big, it can’t get anything done,” Johnson said.

DHS Not Prepared

Government databases are vulnerable because DHS is staffed by many people who “don’t know anything about cybersecurity,” said Tom Kellermann, vice president of security awareness for Boston-based Core Security Technologies.

“Those who are in executive levels don’t know anything about it,” Kellermann said. “They’re overly focused on 1990s strategies.”

Back then, the most dangerous hackers were primarily people working on their own, hacking systems to prove they could do it. Now, however, rings of criminals are constantly trying to break into private and government networks.

“The Department of Homeland Security is working hard,” McAlum said. “But the nature of this problem is so vast that it will take a leap ahead to get a handle on it. You need to have significant resources and authority in order to fight it.”

Along with enlisting help from the private sector, McAlum suggested the authority to combat cyberattacks should be moved out of DHS to a position where the head of the cybersecurity department has direct access to the president.

Phil Britt writes from South Holland, Illinois.