Government agencies are spending billions on technology for homeland security, yet system vulnerabilities are increasing exponentially, agency representatives told a Congressional panel this week. Incidents due to security weaknesses in computer systems in the U.S. have skyrocketed from about 9,800 in 1999 to more than 137,500 in 2003, according to figures from the U.S. Computer Emergency Response Team (CERT) at Carnegie Mellon University cited by Robert Dacey, director of information security issues at the General Accounting Office. The GAO prepared a status report on how government agencies and departments are progressing with software patches and other protection measures against cyberattacks.
Networks Vulnerable
Government computers are still susceptible to cyberattack, and the more that systems are interconnected, the greater the risk, according to agencies at the hearing.
The $60 billion budgeted for technology for homeland security is a waste if systems remain vulnerable, agency representatives told the House subcommittee hearing. Patches are irrelevant if they aren't applied everywhere, they noted. If one weak system is unpatched, the patched systems remain at risk of a cyberattack.
The sophistication and effectiveness of cyberattacks have steadily advanced, Dacey told the subcommittee. The GAO report also estimates that 80 percent of security incidents go unreported. The data was gathered with the help of CERT, which is teaming with the Department of Homeland Security on cybersecurity issues.
Testimony came from representatives of several agencies, including the Department of Homeland Security, which oversees federal cybersecurity as well as more traditional security matters. The presentation was before the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.
Protecting Intranets
The biggest threats come from state government connections to federal government systems, panelists said in answer to a query by Committee Chair Adam Putnam (R-Florida).
Connections to computerized benefits programs at the state and local government levels introduce the most vulnerabilities, Dacey said. Medicare and other benefit programs have systems connected with the federal government and often employ many smaller contractors.
"There have been reported incidents of state systems broken into and used for other activities," Dacey said, adding that he did not have exact numbers.
The Defense Department has modified its information systems in the past year to block uninvited guests from entering its internal site, said Dawn Meyerriecks, the DOD's chief technology officer.
"People actually were coming into our own intranet to reach the public interfaces," Meyerriecks said. "Actions like fixing this problem have already paid off."
Witnesses also noted that applying patches is complicated when different departments have individual security concerns, unique applications, and systems that react differently.
"The Air Force, for example, has a mission that could be impacted negatively because it doesn't understand the patch," Meyerriecks said. "We roll it out on an enterprise level and then come down from there."
All witnesses expressed the concern that patches might have a detrimental effect on individual systems.
"At the heart and soul of the issue is the need for a management process," Karen Evans, an administrator of e-government and information technology in the Office of Management and Budget, told the House subcommittee. Representatives of other agencies agreed.
Ongoing Review
The House Committee on Government Reform had requested the GAO's cybersecurity assessment. The study examines 24 agencies and reviews patch management practices.
According to the report, "Not all agencies are testing all patches before deployment, performing documented risk assessments of major systems to determine whether to apply patches, or monitoring the status of patches once they are deployed to ensure they are properly installed."
Hackers often rely on reverse engineering to undo patches, Dacey noted.
"Reverse engineering starts by locating the files or code that changed when a patch was installed," Dacey testified. "Then, by comparing the patched and unpatched versions of those files, a hacker can examine the specific functions that changed, uncover the vulnerability, and exploit it."
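The report's call for monitoring deployed patches and Dacey's description of locating the files a patch changed both come down to comparing file inventories before and after installation. The following Python sketch is an added example, not code from the article or the GAO report: it records per-file hashes, derives which files a patch touched, and audits a fleet against that expected post-patch state so unpatched or half-patched hosts stand out. All paths, file contents and host names are constructed.

```python
import hashlib
from typing import Dict, Set

# Constructed sample "file systems" (path -> contents); not real patch data.
PRE_PATCH = {
    "/app/bin/server": b"server v1.0",
    "/app/lib/auth.so": b"auth v1.0",
    "/app/etc/config": b"listen=443",
}
POST_PATCH = {
    "/app/bin/server": b"server v1.0",
    "/app/lib/auth.so": b"auth v1.1",   # the patch replaced this file
    "/app/etc/config": b"listen=443",
    "/app/lib/auth.sig": b"sig",        # the patch added this file
}

def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 per file so two system states can be compared."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def patch_footprint(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, Set[str]]:
    """Which files the patch changed, added or removed between two snapshots."""
    return {
        "changed": {p for p in before.keys() & after.keys() if before[p] != after[p]},
        "added": set(after) - set(before),
        "removed": set(before) - set(after),
    }

def audit_fleet(expected: Dict[str, str], footprint: Dict[str, Set[str]],
                hosts: Dict[str, Dict[str, str]]) -> Dict[str, list]:
    """Per host, list patched files whose hash does not match the expected post-patch state.
    An empty list means the host carries the patch in full."""
    watched = footprint["changed"] | footprint["added"]
    return {host: sorted(p for p in watched if snap.get(p) != expected[p])
            for host, snap in hosts.items()}

# Constructed fleet: one fully patched host, one untouched, one half-applied.
FLEET = {
    "host-a": snapshot(POST_PATCH),
    "host-b": snapshot(PRE_PATCH),
    "host-c": snapshot({**PRE_PATCH, "/app/lib/auth.so": b"auth v1.1"}),
}

def run():
    before, after = snapshot(PRE_PATCH), snapshot(POST_PATCH)
    footprint = patch_footprint(before, after)
    return footprint, audit_fleet(after, footprint, FLEET)

if __name__ == "__main__":
    for host, missing in run()[1].items():
        print(host, "patched" if not missing else f"missing {missing}")
```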
Various Congressional committees have regularly requested review of cybersecurity efforts.
Source: PC World, 04.06.2004