WASHINGTON — Two congressional studies released in April showed that no federal agencies have successfully implemented security programs required by the Office of Management and Budget (OMB).
That means not one of the 23 government agencies cited in the reports is secure enough to meet minimum government standards for preventing intrusions and destructive viruses.
The reports by the Government Accountability Office (GAO) regarding Internet connection and personal computer security both recommended that the agencies crack down and a a better job of enforcing and implementing the plans. The GAO serves as an independent congressional watchdog and is the “official investigative arm” of Congress and provides data and research to lawmakers.
Several departments were in partial compliance but none were fully secure, the reports said. Among those in partial compliance, the Department of Defense was cited as having the best record for securing its Windows Vista computers; 99 percent of the workstations using the operating system were secure. However, none of their older computers were described as being in complete compliance.
Several departments including Education, Homeland Security, Transportation and State were listed as having zero percent of their computers in compliance.
The reports come at the same time as the State Department is launching a digital innovations team and planning greater expansion into the digital world. But if government agencies can’t properly implement existing minimum security standards, some critics ask, will such new innovations be any more secure?
Those requirements were launched in 2007 and 2008, well before .President Obama’s much-reported refusal to give up his Blackberry. At the time there was much handwringing and debating whether it was safe for the leader of the free world to be carrying a tiny, hackable gateway to a treasure trove of state secrets.
The GAO studies do not explicitly describe the basic security requirements in question, instead referring to approved settings at each individual agency.
Sen. Joseph Lieberman (I-Conn.), chairman of the Senate Homeland Security and Governmental Affairs Committee issued a response to the reports on April 12 expressing his disappointment in the study’s findings. He took? OMB to task for falling short in its enforcement of the standards. However, neither he, nor the agencies had a plan for how or when they’d reach the security standards.
“The security of federal IT [information technology] systems is an ever-growing problem that must be confronted aggressively and with all available means,” Lieberman said in a statement. Quote resume here? “Unfortunately, these key initiatives, which have been underway for years, have faced challenges, particularly the lack of communication and follow through from the Office of Management and Budget and the Department of Homeland Security.”
Lieberman went on to say that OMB agreed with the findings and would be “acting to address many of the lessons learned,” but noted that no concrete commitments were made as to how they would do so.
Some digital security analysts like Kevin Thompson, a Chicago area attorney and author of the blog Cyberlaw Central, aren’t surprised by the GAO’s low compliance findings.
“They’ve got a long way to go in living up to their requirements in being secure,” he said of the agencies. “A lot of people think that the government would have access to the latest and greatest technology but in reality they don’t.”
Thompson has researched government digital security infrastructure and says he’s seen a lack of funding and attention paid to the issue.
“We should be able to reach the minimums we set,” he said.
For his part, Thompson sees value in moving towards a creative, innovative approach to how the government uses digital tools while still ensuring their security.
In his statement Lieberman said his committee would be drafting legislation to address the issue. But the constantly evolving nature of the digital world begs the question, is another piece of legislation enough?
