
WP: US agencies fail the "cyber test",
Summary of the GAO report: Poor grades for 
computer security in American agencies

Agencies Fail Cyber Test
Panel Notes 'Significant Weaknesses' in Computer Security

By Christopher Lee
Washington Post Staff Writer
Wednesday, November 20, 2002; Page A23

The federal government earned a failing grade yesterday for its 
agencies' poor record of protecting vital computer systems from fraud, 
misuse and cyber-terrorism.

The House Government Reform subcommittee on government efficiency 
flunked 14 of the 24 largest departments and agencies, whose computer 
security efforts were reviewed by the General Accounting Office and 
found wanting. Another seven agencies earned a D and two were given Cs. 
Only one, the Social Security Administration, got a B-minus, the highest 
grade awarded to one of the major agencies.

"The overall government grade is an F, the same as last year," said Rep. 
Stephen Horn (R-Calif.), the panel's chairman. "While 11 of the 24 
agencies have shown some improvement, overall progress is slow. . . . 
[T]he federal government's systems and assets remain vulnerable."

Investigators from the GAO, the congressional watchdog group, found 
"significant weaknesses" in each of the 24 agencies. Many of the 
failures involved inadequate access controls, leaving sensitive 
information systems and data vulnerable to tampering by disgruntled 
workers or attack by thieves or terrorists.

The weak spots could, for instance, lead to the loss or theft of federal 
payments and collections. Information, such as Social Security and 
medical records, could be inappropriately released or copied for 
criminal purposes. Thieves might be able to obtain tax records and other 
personal information to establish credit and rack up debt under someone 
else's name.

Protection of computer systems is important if the government is to keep 
functioning during terrorist attacks or other interruptions, 
investigators said.

In general, "poor information security is a widespread federal problem 
with potentially devastating consequences," the GAO found, echoing its 
earlier studies.

But the report's author, Robert F. Dacey, director of information 
security issues at the GAO, noted that reports of vulnerabilities do not 
necessarily mean that computer security is actually getting worse.

"They are more likely to indicate that information security weaknesses 
are becoming more fully understood -- an important step toward 
addressing the overall problem," Dacey wrote. "Nevertheless, the results 
leave no doubt that serious, pervasive weaknesses persist."

Among agencies with the worst grades were the departments of Justice, 
State, Defense and Transportation.

Kenneth M. Mead, the inspector general at the Department of 
Transportation, told the House panel that the agency had improved from 
last year, when it also received a failing grade. But DOT still must 
improve controls over access to sensitive systems by the "more than 
100,000" agency employees, contractors, grantees and industry 
associations who are authorized to pass through the agency's protective 
firewall and enter its computer networks, Mead said.

"DOT is making progress," Mead said. "However, based on our recent 
results, more work needs to be done and management attention should be 
focused on identifying computer vulnerabilities that need immediate fixing."

At the Social Security Administration, which improved from a C-plus last 
year to a B-minus this year, employees must notify officials when a 
computer virus or intrusion is suspected. And information security is 
routinely discussed at executive meetings, said James B. Lockhart, the 
agency's deputy commissioner.

"We know we cannot rest on past practice, but must be vigilant in every 
way we can," he said.

© 2002 The Washington Post Company
