Government Computers Still Exposed

Emily Kumler, Medill News Service

WASHINGTON-- Government agencies are spending billions on technology for homeland security, yet system vulnerabilities are increasing exponentially, agency representatives told a Congressional panel this week. Incidents due to security weaknesses found in government agency computer systems have skyrocketed from about 9800 in 1999 to more than 137,500 in 2003, says Robert Dacey, director of information security issues in the General Accounting Office. The GAO prepared a status report on how government agencies and departments are progressing with software patches and other protection measures against cyberattacks.

Networks Vulnerable

Government computers are still susceptible to cyberattack, and the more that systems are interconnected, the greater the risk, according to agencies at the hearing.

The $60 billion budgeted for technology for homeland security is a waste if systems remain vulnerable, agency representatives told the House subcommittee hearing. Patches are irrelevant if they aren't applied everywhere, they noted. If one weak system is unpatched, the patched systems remain at risk of a cyberattack.

The sophistication and effectiveness of cyberattacks have steadily advanced, Dacey told the subcommittee. The GAO report also estimates that 80 percent of security incidents go unreported. The data was gathered with the help of the U.S. Computer Emergency Response Team (CERT) at Carnegie-Mellon University, which is teaming with the Department of Homeland Security on cybersecurity issues. Testimony came from representatives of several agencies, including the Department of Homeland Security, which oversees federal cybersecurity as well as more traditional security matters. The presentation was before the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

Protecting Intranets

The biggest threats come from state government connections to federal government systems, panelists said in answer to a query by Committee Chair Adam Putnam (R-Florida).

Issues of connecting computerized benefits programs at the state and local government levels leave the most vulnerabilities, Dacey said. Medicare and other benefit programs have systems connected with the federal government and often employ many smaller contractors.

"There have been reported incidents of state systems broken into and used for other activities," Dacey said, adding that he did not have exact numbers. The Defense Department has modified its information systems in the past year to block uninvited guests from entering its internal site, said Dawn Meyerriecks, the DOD's chief technology officer.

"People actually were coming into our own intranet to reach the public interfaces," Meyerriecks said. "Actions like fixing this problem have already paid off."

Witnesses also noted that applying patches is complicated when different departments have individual security concerns, unique applications, and systems that react differently. "The Air Force, for example, has a mission that could be impacted negatively because it doesn't understand the patch," Meyerriecks said. "We roll it out on an enterprise level and then come down from there."

All witnesses expressed the concern that patches might have a detrimental effect on individual systems. "At the heart and soul of the issue is the need for a management process," Karen Evans, an administrator of e-government and information technology in the Office of Management and Budget, told the House subcommittee. Representatives of other agencies agreed.

Ongoing Review

The House Committee on Government Reform had requested the GAO's cybersecurity assessment. The study examines 24 agencies and reviews patch management practices. According to the report, "Not all agencies are testing all patches before deployment, performing documented risk assessments of major systems to determine whether to apply patches, or monitoring the status of patches once they are deployed to ensure they are properly installed." Hackers often rely on reverse engineering to undo patches, Dacey noted. "Reverse engineering starts by locating the files or code that changed when a patch was installed," Dacey testified. "Then, by comparing the patched and unpatched versions of those files, a hacker can examine the specific functions that changed, uncover the vulnerability, and exploit it."

Various Congressional committees have regularly requested review of cybersecurity efforts.

June 4, 2004

Copyright © 2003-2004 Jill St. Claire/HomelandSecurityUS.net