To Agency Insiders, Cyber Thefts And Slow Response Are No Surprise

By Zachary A. Goldfarb
Special to The Washington Post
Tuesday, July 18, 2006

Every day, an electronic wall guarding the Agriculture Department's servers is probed for holes 2,000 times by potential hackers and data thieves.

The probes usually can't get through that wall. But on the first weekend in June, a hacker made it deep into one server, prompting an announcement late last month that personal information on 26,000 Washington area employees, contractors and retirees may have been compromised.

To government officials responsible for information security and to outside experts, the intrusion -- and several recent security incidents at other agencies -- was no surprise. For the past five years, the department had received failing grades on a congressional report card for its information-security practices. The overall grade for federal agencies in 2005 was D-plus.

In the past few weeks, the Agriculture incident was joined by cases of potentially compromised data at Veterans Affairs, Health and Human Services, the Federal Trade Commission, the Government Accountability Office, Housing and Urban Development, the Navy, and the Energy Department. The State Department also suffered a series of hacking attacks.

The VA incident, with a loss of data on 26.5 million veterans and military personnel, drew the sharpest public attention. The data were later recovered. But officials and experts say that the frequency of the recent security incidents is not unusual, and that much more work needs to be done in the federal government to implement effective cybersecurity policies.

"We believe the number of breaches are at the same level as we have experienced them," said Clay Johnson III, deputy director for management in the Office of Management and Budget. "We have been very demanding of agencies to improve the IT security of their systems. We still have a long way to go."

In fiscal 2005, major federal agencies reported about 3,600 incidents that were serious enough to warrant alerting the government's cybersecurity center at the Department of Homeland Security, including 304 instances of unauthorized access and 1,806 cases of malicious computer code, according to a yearly OMB report.

But that does not present a full picture. Despite requirements to do so, agencies are "not consistently reporting incidents of emerging cybersecurity threats," government auditors said last year.

The grades that agencies receive on the congressional report card -- compiled by the House Government Reform Committee -- reflect their level of compliance with the 2002 Federal Information Security Management Act, which outlines security procedures for agencies.

In 2005, in addition to Agriculture, the departments of Defense, Energy, Health and Human Services, Homeland Security, Interior, State and Veterans Affairs received F's.

Department technology officials said in interviews that whatever the past weaknesses, they have taken steps in recent months to improve the situation significantly.

"It's not something that happens overnight. It's not something that happens in a year," said Robert West, DHS's chief information-security officer. "We are walking toward an effective program. We're not chasing grades."

CONTINUED     1        >

© 2006 The Washington Post Company