Feds Flunk Security 101
The language is dry but the findings are damning. Despite some improvements, the U.S. Government Accountability Office, in its first comprehensive study of computer security in the federal government conducted under the 2002 Federal Information Security Management Act, found "pervasive weaknesses" in security practices at 24 major agencies.
The departments of Defense and Homeland Security were among the 14 agencies with problems in all five categories that were examined: controlling access to government data; controlling what software is installed; detecting inappropriate activity; business continuity planning; and fully implementing information security programs.
Many of the flaws the GAO documented in its gloomy July 2005 report are security basics. For example, users employed common words as passwords.
Also, agencies failed to deactivate user accounts, keep software updated, and include emergency contact information in their contingency plans. Gregory Wilshusen, the GAO's director of information security issues, writes that these and other weaknesses "put federal operations and assets at risk of fraud, misuse and destruction. In addition, they place . . . sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption."
Wilshusen says that the government is "making progress," however. For example, 23 agencies reviewed at least 90 percent of their systems in 2004, up from 11 agencies in 2003. Wilshusen also urges better follow-through on implementing programs and more detailed reporting.