Lawmakers decry continued IT security vulnerability

Recent security breaches are prompting concern over whether current federal rules are strong enough.

US lawmakers charged with overseeing homeland security have voiced alarm at the continued vulnerability of federal computers to attack by foreign parties.

Recent hacks into government networks that maintain sensitive information, such as those alleged against the so-called "NASA hacker" Gary McKinnon from north London,  have sparked a growing recognition that current US mandates are inadequate to prompt improved security.

I believe they made the determination that accessibility to data is more important than confidentiality and integrity.
Rep. James Langevin, D-R.I.,

"I believe the infiltration by foreign nationals of federal government networks is one of the most critical issues confronting our nation," Rep. James Langevin, said at a hearing of the House Subcommittee on Emerging Threats, Cybersecurity, Science and Technology . "Over time, the theft of critical information from government servers could cost the United States our advantage over our adversaries."

Of particular concern is the latest attack on government computers to be disclosed officially—an infiltration of the Department of State's networks in Washington and east Asia last summer. In May 2006, a department employee opened a malicious email that contained an attachment that installed a Trojan Horse, Donald Reid, senior coordinator for Security Infrastructure at the State Department's Bureau of Diplomatic Security, said at the hearing. When officials discovered that data was being stolen, they cut off Internet connectivity to the department's East Asia Pacific region. Because Microsoft Corp. couldn't deploy a patch quickly, the State Department implemented a temporary security fix for the vulnerability. Microsoft released the patch in August.

Langevin, chairman of the subcommittee, took State to task for implementing a temporary fix rather than taking the entire system offline for a complete inspection while waiting for Microsoft to release the patch.

Data security breach:

State Department to face hearing on '06 security breach: A Congressional subcommittee is seeking answers about the attacks, which appeared to originate in Asia.

Group calls for federal data security breach notification law: A group of security vendors is calling on Congress to pass a law that emphasises encryption and the public disclosure of security breaches. A law would apply in all states.

PCI DSS auditors see lessons in TJX data breach: Following the recent TJX data breach, several PCI Data Security Standard auditors say the retailer violated basic requirements of the PCI DSS. But they say there are lessons to be learned from TJX's mistakes.

"I believe they made the determination that accessibility to data is more important than confidentiality and integrity," Langevin said.

Defending the agency's actions, Reid said officials felt "pretty confident" that the recommended wrapper was the best course of action, although it was a difficult decision.

"There's a business case here in terms of taking an entire system offline," Reid said, noting that the visa application process and other diplomatic services would come to a halt if the system had been taken down. "We felt that the risks were worth it, that we had a solution that was going to work."

Dave Jarrell, manager of the Critical Infrastructure Protection Program at the Department of Commerce, testified that hackers using a rootkit attacked the department's Bureau of Industry and Security in October. Jarrell said he has no evidence to indicate any BIS data was taken during the incident, but Langevin said he was troubled that the department didn't know exactly when the infiltration took place.

The network intrusions at State and Commerce follow years of documented failure to comply with the Federal Information Security Management Act (FISMA), which requires agencies to maintain a complete inventory of network devices and systems. Government and industry officials at the hearing acknowledged a disconnect between FISMA's intent and effecting improved network security.

"The current system that provides letter grades seems to have no connection to actual security," said Rep. Zoe Lofgren, D-Calif.

Some lawmakers are considering whether the Department of Homeland Security should be given primary responsibility for overseeing federal network security, but officials at DHS and elsewhere suggested that wouldn't be the best idea. Noting that DHS has not performed well on the annual FISMA report card and has not implemented all of the recommendations put forth for improved analysis and warning capabilities for attacks, Greg Wilshusen, director of information security issues at the Government Accountability Office, said it would be problematic from an organizational standpoint to put DHS in the position of compelling other agencies to comply.

Read more on IT risk management