Analysis: OMB report on feds' IT security

By SHAUN WATERMAN, UPI Homeland and National Security Editor  |  March 4, 2008 at 7:19 PM
share with facebook
share with twitter

WASHINGTON, March 4 (UPI) -- The White House Office of Management and Budget says that the number of computer security incidents reported by federal network managers more than doubled last year, largely due to big increases in the disclosure or loss of personal data and intrusions of an as-yet undetermined character.

Officials said the increase was at least in part due to improved reporting of incidents by departments and agencies, and touted other figures in the report to lawmakers, released quietly at the weekend, that showed that the number of federal computer systems certified secure had finally reached a 90-percent government-wide goal set in 2002.

But other observers said the rise was likely in part attributable to an increase in the number and severity of attacks. "The level of malicious activity accelerated sharply in 2007" on the public and private sector networks we know about, Tim Bennett, president of the Cyber-Security Industry Alliance, told United Press International.

Bennett said it was likely federal networks had experienced a similar rise in malicious activities.

The report says the threat to U.S. government computer systems was "shifting from opportunistic hacking to targeted, dynamically adapting attacks" and acknowledged that "a long-term architectural roadmap is necessary to provide a consistent strategy for mitigating malicious cyber activity."

The total number of security incidents reported in 2007 by departments and agencies to the U.S. Computer Emergency Readiness Team, or US-CERT -- the monitoring center based at the Department of Homeland Security -- rose to 12,986, compared with 5,146 in 2006.

The two categories of incidents that grew the fastest were "improper usage" -- which soared five-fold from 638 to 3,305 -- and "under investigation" -- which rose four-fold from 912 to 4,056.

The report said two-thirds of the improper usage incidents were the result of the accidental loss or disclosure of personally identifiable information, or PII, by the Department of Veterans Affairs, while the other third consisted of "similar cases of PII disclosure reported by other agencies."

Incidents under investigation, which were more than 30 percent of the total, "are deemed … as unconfirmed and warranting further review as they are potentially malicious or anomalous," said the report.

"That's another way of saying, 'We have no idea what it is,'" blogged's Allan Holmes. Holmes pointed out the figure is consistent with data from a recent survey of the private sector -- where about a third of respondents "said they couldn't identify the type of cyberattack that hit them."

The OMB report said the reason for the "massive increase" in the under investigation category was "intensive analysis of suspicious traffic picked up by the Einstein program sensors."

Einstein is a security program operated by the Department of Homeland Security that monitors traffic into and out of federal networks, looking for anomalous or suspicious patterns of activity that might be a computer virus propagating or a hacker trying to gain entry.

"There are better tools and processes for reporting, and more importantly, there's better awareness of the need to report" incidents, former Bush White House senior cybersecurity official Howard Schmidt told UPI.

The report says agencies certified and accredited 92 percent of their computer systems in 2007, compared with 88 percent the previous year -- meeting after five years a government-wide goal of 90 percent.

But lawmakers have recently complained that so-called process metrics -- like measuring the numbers of systems certified -- are self-serving and should be replaced with output metrics, like measuring the number of intrusions detected and prevented.

Schmidt said those metrics would be harder to show progress on. "We will continue to see increases" in the numbers of security incidents, he said, adding that from one point of view that was a good thing -- the more sophisticated an intrusion or other effort was, the greater the chances of it occurring undetected.

Schmidt, now a private-sector IT security consultant, said Einstein and the Trusted Internet Connections initiative with which it is linked would yield "significant improvements" in the security of federal networks but that new security metrics would likely not reflect that for some time.

"It will take time to turn that ship around," he said, blaming a legacy of inherited, un-patched and inconsistently configured systems throughout the federal government.

"We still have to get beyond that legacy," he said.

Officials defend measuring certification and accreditation but say that they are looking hard at new, more output-oriented metrics they might be able to introduce down the road.

Related UPI Stories
Trending Stories