GAO Says Federal Systems Still Weak on Cyber Security

This was written by Jack Mann on Wednesday, November 18, 2009, 13:51.

According to a recently released report by the Government Accountability Office (GAO), a number of federal systems remain vulnerable to cyber attacks. Several major government agencies have still not adequately addressed the security weaknesses that continue to leave them exposed to cyber threats.

The GAO report stated that some of the principal failings were failing to authenticate users, to monitor security events (such as attempted breaches) and to use encryption to protect data. The report attributes these weaknesses to either the failure to implement, or the poor implementation of, information security programs at the various agencies under review.

Despite the gloom of the report, some government agencies are actually moving towards better security practices. At a recent conference on the Top 20 Critical Controls, John Streufert, CISO at the State Department, highlighted the success of his organization in minimizing security risks across the largely decentralized State Department systems. In a one-year period, the State Department saw risks drop by 89% at domestic sites and 90% in the field. Streufert classified the move as “Attempt[ing] to find known vulnerabilities…[to] be prepared for what comes.”

Tony Sager of the National Security Agency (NSA) highlighted the shift in focus from finding problems with security to solving them. His unit has a number of white hat hackers who help test the security of other systems. These hackers are now looking not only to point out the vulnerabilities but also to help agencies solve their security problems by suggesting how to improve their systems.

According to Sager, it is important to ask “What’s a rational trade off between security and operations?” The implementation of highly effective, but restrictive, security measures can constrain the operational environment to the point of making an organization ineffective. Agencies need to find the appropriate balance between the two to ensure that they have security and functionality at the same time.