The U.S. House Committee on Government Reform this week issued its most recent grades for IT security among government agencies, and once again, the division charged with ensuring cyber security for the nation got an F.
The Committee said despite investment and improvement efforts, the Department of Homeland Security (DHS) was not passing the test of IT security policy and program, inventory, training and subcontracting as required by the 2002 Federal Information Security Management Act. The bad mark is the third in a row for DHS, which was joined by the departments of State, Defense, Interior, Health and Human Services, Veterans Affairs and Energy in receiving failing marks.
Departments that scored well included the Department of Labor, Social Security Administration, Environmental Protection Agency, and National Science Foundation, which all received A grades. NASA came in with a B minus.
Homeland Hiring Difficulties
The DHS has been criticized for its bureaucracy and changeover of leaders and staff. There was some hope in the security community that former Symantec executive Amit Yoran would be able to steer the department in the right direction when he filled the post of IT Security Czar in 2003.
However, Yoran left the department, reportedly out of frustration, a year later, and the post remains vacant today.
“Congress established an assistant secretary position, but they’re having trouble finding someone for it because people from the security industry don’t want to get immersed in that quagmire,” IT-Harvest Founder and Chief Research Analyst Richard Stiennon told TechNewsWorld. “I think it’s indicative of a bigger problem that they can’t hire a security professional at the level they need to.”
Mitigating Risk
The latest Committee on Government Reform report card indicates DHS and other failing or near-failing departments, including the Nuclear Regulatory Commission, are not complying with federal law that requires them to enact and follow a solid security program.
Stiennon said although the poor grades might mean government sites and services could be impacted by a cyber attack or event, the more critical infrastructure in terms of military and first responders is better protected.
While much of the Internet infrastructure in the U.S. is actually owned and controlled by private industry, which is better secured, a major cyber incident would still cause great embarrassment, hearings, and “heads to roll” in the U.S., Stiennon said.
Surprise Attacks
However, Stiennon said attackers are unlikely to draw attention to their efforts, which might include industrial espionage, nationalized hacking efforts directed at the U.S., and increasingly, theft from large financial institutions and others.
“Some of the primary attackers wouldn’t want [a large event],” he said. They’re more likely to take a stealthy approach, he concluded.