WASHINGTON—The federal government needs to take steps to improve the security of its information technology systems by fully implementing key initiatives, according to two Government Accountability Office (GAO) reports released Monday. Concerted Effort Needed to Consolidate and Secure Internet Connections at Federal Agencies (GAO-10-237) and Agencies Need to Implement Federal Desktop Core Configuration Requirements (GAO-10-202) detail problems with implementation of the Einstein Program; the Trusted Internet Connections (TIC) program; and the Federal Desktop Core Configuration (FDCC) initiative.
Senate Homeland Security and Governmental Affairs Chairman Joe Lieberman, ID-Conn., Ranking Member Susan Collins, R-Me., and Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security Chairman Tom Carper, D-Del., requested the reports.
“The security of federal IT systems is an ever-growing problem that must be confronted aggressively and with all available means,” Lieberman said “Unfortunately, these key initiatives, which have been underway for years, have faced challenges, particularly the lack of communication and follow through from the Office of Management and Budget and the Department of Homeland Security. OMB and DHS have agreed with the GAO’s findings, and are already acting to address the concerns raised in these reports. The Committee is also currently drafting legislation to address many of the lessons learned in implementing these key cyber security initiatives. ”
Said Collins: “In an era where millions of attempted cyber attacks on government computers occur every month, the GAO’s findings are most disturbing. In examining the Trusted Internet Connections (TIC) initiative aimed at reducing the threat to federal systems and operations posed by cyber attacks, the GAO’s review of 23 agencies determined that none—zero—had met all program requirements. In looking also at the Federal Desktop Core Configuration initiative, the GAO reached much the same conclusion. Its review of 24 major agencies found that none had fully adopted and implemented the program.
“These GAO findings show that our government’s current system of weak authorities and diffuse responsibility is simply not sufficient to secure our critical cyber networks. We must elevate the focus on cybersecurity within the federal government and across our nation’s critical cyber infrastructure. Only a strong leader with significant new authorities can be held accountable for the security of these digital assets.”
“After holding several Subcommittee hearings examining the sophisticated and persistent threat against our government networks, the story seems to be the same: agencies are taking years to inefficiently defend our systems while our adversaries are taking seconds to exploit our weaknesses at a fraction of the cost,” said Carper. “This is simply unacceptable and we can do better—in fact, we need to do better.
“I have been actively working with my colleagues for the past several years to update the decade-old Federal Information Security Management Act and these reports are yet another warning shot across our bow,” continued Carper. “I look forward to getting the reforms outlined in our bill, the U.S. Information and Communications Enhancement Act of 2009, on the President’s desk by the end of the year.”
On Monday, Lieberman, Collins, and Carper sent letters to OMB Director Peter Orszag and Department of Homeland Security Secretary Janet Napolitano, asking them both to report back on how they will implement the reports’ recommendations.
The Einstein and TIC initiatives require a reduction in agencies’ external network connections, and increased security controls over the remaining connections. Doing so drastically reduces the network’s vulnerability to attacks and allows for improved monitoring of internet traffic. The FDCC program requires federal agencies to standardize their desktop computer systems, leveraging the government’s massive purchasing power to increase security.
-30-