Report: Federal Agencies Get a "D" for Cyber-Security
By Eric Wolff, The New York Sun
New York, NY (December 11, 2003) - Lawmakers gave the federal government
a "D" grade for cyber-security this year - and that was an improvement
from last year's "F".
The House Governmental Reform Subcommittee on Information Technology Issued
its fourth annual report card on the strengths and weaknesses of the government's
information technology, and for the fourth year in a row, it found federal
computer systems lacking basic precautions.
The 25 largest government agencies were inspected for the report, and
19 lacked inventories of "mission critical" systems, including
important computers/the location of crucial data, or which systems had
to be maintained in the event of an emergency. Rep. Adam Putnam: 'How
can you secure what you don't know you have?'
"How can you secure what you don't know you have?" wrote Rep.
Adam Putnam, a Republican from Florida, in the introduction to the report.
The Department of Homeland Security was just one of several agencies that
earned a failing grade.
The State Department received its second "F" in a row because
only 15% of component agencies had an information technology plan to detail
basic procedures like how often to change a password and how to back up
data. Only 11% of all its systems had been checked for obvious security
The Department of the Interior also received its second "F"
in a row. None of the agencies could be reached immediately for comment.
The Department of Treasury, responsible for the creation of currency,
and its collection via the IRS, had 70 "material weaknesses,"
according to the report, which dismissed the department's claim that 41%
of its systems had been assessed for security risks, since even the assessments
were not up to legal standards.
Only two agencies received "A"s: the Nuclear Regulatory Commission
and the National Science Foundation, which improved to an "A-"
this year from a "D" in 2002.
Eight other agencies improved their performance two grades, simply by
implementing basic IT plans and training, the report said. No government
agent interviewed by The New York Sun had a justification for why security
measures hadn't been improved over the four years the report cards have
been given out.
"A lot of this stuff needs a lot
of manpower more than money," said a network security expert, Adam
Hirsch from Net at Work, a New York security consulting firm. "A
lot of these things are just a matter of proper organization - setting
up formal processes, doing the work."
NASA and the Department of Health and Human Services were the only agencies
to get lower grades since the 2002 report card.