Congress told U.S. Internet security earns failing grade

WASHINGTON -- A House panel gave failing grades Tuesday to the government's overall efforts to protect some of its most important computer systems and said online security at the departments of State, Justice and Transportation was especially bad.

The report card from the House Government Reform subcommittee on government efficiency was based largely on a new report from congressional investigators that found pervasive weaknesses in federal technology systems at the 24 largest departments and agencies.

Overall, the government flunked.

Four departments, including the Federal Emergency Management Agency, also failed individually; the best marks -- a B-minus -- were handed to the Social Security Administration and the tiny Agency for International Development.

Rep. Stephen Horn, R-Calif., the subcommittee's chairman, described efforts at the Social Security Administration as a "shining example of sound leadership and focused attention" on computer security.

Among the worst problems governmentwide were weak protections at nearly all agencies against insiders attempting sabotage or trying to profit personally by destroying or stealing sensitive information.

The failures put at risk federal payments, taxpayer data and medical records. "Critical federal operations and assets remain at risk," said a new report from the General Accounting Office.

The Transportation Department's inspector general, Kenneth Mead, cited some improvements over last year, but he admitted the agency "still has a long way to go to adequately secure its computer systems."

Mead said hackers could sneak into the agency's computer systems through unsecured connections or telephone lines, and Transportation officials failed last year to report to U.S. investigators three successful hacker break-ins to their Web sites.

Investigators said serious problems persist with government plans to continue operating during attacks or interruptions, which they said are particularly important in the aftermath of the Sept. 11, 2001, terror attacks.

There was some good news: Security was slightly better overall than in past years, and investigators said many of the latest problems were discovered during broad audits aimed specifically at finding such lapses. As these audits become more intense, even more faults probably will be discovered, the GAO predicted.

One expert said part of the blame falls on software designers who rush to sell products without ensuring the programs are resistant to hackers.

"We continue to see the same types of vulnerabilities in newer versions of products that we saw in earlier versions," said Richard Pethia of the federally funded CERT Coordination Center. "Until customers demand products that are more secure or there are changes in the way legal and liability issues are handled, the situation is unlikely to change."

------

On the Net

House Government Reform subcommittee on government efficiency: reform.house.gov/gefmir/