Capitol Hill could be waking up to IT security
New GAO reports make clear how difficult it is making governmentwide changes in institutionalized IT practices.
Given the limited attention members of Congress seem to pay to information technology and its critical role across government, we could make the case that the recent flurry of cybersecurity announcements emanating from Capitol Hill comes as good news.
However, as is also often the case, such attention usually arises only after it becomes clear that mandates and deadlines aren’t enough to get federal agencies to meet their obligations.
That was illustrated again recently when a pair of new reports from the Government Accountability Office prompted Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.) to issue a joint announcement that raised fresh concerns that — surprise! — federal agencies haven’t taken the necessary steps to improve the security of their IT systems.
The first report (GAO-10-237) concluded that a concerted effort still needs to be made to consolidate and secure Internet connections at federal agencies. The second (GAO-10-202) found that as of September 2009, none of the 24 major agencies had fully adopted and implemented the Federal Desktop Core Configurations required by the Office of Management and Budget.
What both reports make clear is the difficulty of instituting governmentwide changes in institutionalized IT practices.
Among many longstanding recommendations to improve the security of government networks, one of the more widely embraced is the notion of reducing the government’s electronic attack surface by significantly reducing the number of points at which government networks physically connect to the Internet.
With the Trusted Internet Connections initiative, OMB began a sweeping effort in November 2007 to reduce the number of connections from an estimated 4,000 to as few as 50 by June 2008. That, in turn, led to efforts by the Homeland Security Department to improve its Einstein technology, which is designed to automate the detection of intrusions and the mitigation of attacks.
Although the Defense Department successfully implemented a similar initiative, the TIC program proved much harder for civilian agencies to execute than many appreciated. As GAO investigators learned, that was partially because of how many unidentified connections existed and how long OMB took to resolve how many connections agencies were allowed to have. Not surprisingly, the 16 agencies that chose to become Internet access providers had only reduced the number of connections from 3,286 to 1,753 as of September 2009, GAO said. Meanwhile, Einstein 2 had been deployed to only six agencies.
GAO cited shortcomings by OMB and DHS in communicating with agencies for many of the delays. But what really needs fixing is a governmentwide commitment to implement established IT security practices. Let’s hope the Hill’s attention will help.