Calling federal information security “embarrassing” and “dangerous”, Rep. James R. Langevin (D-RI) lashed out at federal departments including State, Commerce and Homeland Security for lax practices and serious breaches. The comments came at a hearing of the Committee on Homeland Security’s Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, convened to discuss recent high-level security breaches in government, at which representatives of State, Commerce and the Government Accountability Office testified.

Langevin cited failing grades for both the Department of Commerce and the Department of State under the FISMA assessment. FISMA is the Federal Information Security Management Act of 2002. See background information via the National Institute of Standards and Technology here.

Langevin also cited a hack into Commerce systems using a rootkit last October, and a June 2006 penetration of State Department systems that used social engineering and a zero-day exploit of Microsoft Word to gain access. Both departments, Langevin said, tried to downplay the incidents, saying no classified systems were compromised. Langevin said that because the departments failed their FISMA assessments and have failed to inventory all of their systems, “they can’t know for certain that these incidents don’t involve classified systems.”

About DHS, which received a D on its FISMA assessment (the first time since 2003 that DHS did not receive an F), Langevin said he was “disappointed and troubled” with the department’s progress in securing cyberspace. “I don’t know how the department thinks it’s going to lead this nation in securing cyberspace when it can’t even secure its own networks.”

SANS Institute director of research Alan Paller, who attended the hearing, said that government officials are finally saying publicly what many have known all along: their systems are insecure and put the nation at risk.
“The State and Commerce Department penetrations are the tiniest tip of the iceberg,” said Paller.

Paller also noted that participants at the hearing said FISMA was a bad assessment system that measured the wrong things, and that receiving a grade of A would not make any of the participants at the hearing believe they were necessarily secure.

The hearing demonstrated the remarkable consistency between corporate and government problems with information security. Zero-day exploits and rootkits are the biggest issues private companies are dealing with right now. Two zero-day exploits have been discovered in the past month, and some speculate that rootkits may have been used in the breach of TJX, the biggest data leakage case in history to date. Indeed, the Commerce Department’s failure to pinpoint the time when hackers first gained access mirrors TJX’s confusion over the origins of access, which is usually a sign that the hackers were able to conceal their activity through the use of a rootkit, a basic tool for financially motivated attackers.

Langevin also cited issues with intelligence sharing between departments over vulnerabilities and exploits. He concluded his opening statement with words that are becoming more common in both government and business when it comes to information security: “We don’t know the scope of our networks. We don’t know who’s inside our networks. We don’t know what information has been stolen.”

He added: “We need to get serious about this threat to our national security.”

— Scott Berinato

More information: Opening statement of Rep. Langevin