United States General Accounting Office GAO Testimony Before the Subcommittee on Technology, Terrorism and Government Information, Committee on the Judiciary, U.S. Senate For Release on Delivery Expected at 10 a.m. CRITICAL Wednesday, October 6, 1999 INFRASTRUCTURE PROTECTION Fundamental Improvements Needed to Assure Security of Federal Operations Statement of Jack L. Brock, Jr. Director, Governmentwide and Defense Information Systems Accounting and Information Management Division GAO/T-AIMD-00-7 Mr. Chairman and Members of the Subcommittee: We are pleased to be here today to discuss the “cyber,” or computer security aspects of critical infrastructure protection. Since the early 1990s, an explosion in computer interconnectivity, most notably growth in use of the Internet, has revolutionized the way our government, our nation, and much of the world communicate and conduct business. The benefits have been enormous in terms of facilitating communications, business processes, and access to information. However, without proper safeguards, this widespread interconnectivity poses enormous risks to our computer systems and, more importantly, to the critical operations and infrastructures they support including telecommunications, power distribution, emergency services, law enforcement, national defense, and other government services. Today, I will focus on federal agency performance in addressing computer security issues. Recent audits by GAO and agency inspectors general (IG) show that our government is not adequately protecting critical federal operations and assets from computer-based attacks. These audits show that 22 of the largest federal agencies have significant computer security weaknesses. Addressing this widespread and persistent problem requires significant management attention and action within individual agencies as well as increased coordination and oversight at the governmentwide level. I will now provide greater detail on these problems and discuss broader issues that need to be considered as a national strategy for critical infrastructure protection is being considered. Page 1 GAO/T-AIMD-00-7 Weak Controls Place GAO and IG reports issued over the last 5 years describe persistent computer security weaknesses that place federal operations such as Federal Programs at national defense, law enforcement, air traffic control, and benefit payments Risk at risk of disruption as well as fraud and inappropriate disclosures.1 Our most recent analysis, of reports issued during fiscal year 1999, identified significant computer security weaknesses in 22 of the largest federal agencies.2 These included weaknesses in (1) controls over access to sensitive systems and data, (2) controls over software development and changes, and (3) continuity of service plans. These types of weaknesses increase the risk that intruders or authorized users with malicious intentions could read, modify, delete, or otherwise damage information or disrupt operations for purposes, such as fraud, sabotage, or espionage. This body of audit evidence led us, in February 1997 and again in January 1999, to designate information security as a governmentwide high-risk area in reports to the Congress.3 Examples of these weaknesses and the risks they present include the following. • In May 1999, we reported that, as part of our tests of the National Aeronautics and Space Administration’s (NASA) computer-based controls, we successfully penetrated several mission-critical systems. Having obtained access, we could have disrupted NASA’s ongoing command and control operations and stolen, modified, or destroyed system software and data.4 1 Information Security: Opportunities for Improved OMB Oversight of Agency Practices (GAO/AIMD-96-110, September 24, 1996), Information Security: Serious Weaknesses Place Critical Federal Operations and Assets at Risk (GAO/AIMD-98-92, September 23, 1998). 2 Critical Infrastructure Protection: Comprehensive Strategy Can Draw on Year 2000 Experiences (GAO/AIMD-00-01, October 1, 1999). 3 High Risk Series: Information Management and Technology (GAO/HR-97-9, February 1997) and High Risk Series: An Update (GAO/HR-99-1, January 1999). 4 Information Security: Many NASA Mission-Critical Systems Face Serious Risks (GAO/AIMD-99-47, May 20, 1999). Page 2 GAO/T-AIMD-00-7 • In August 1999, we reported that serious weaknesses in Department of Defense (DOD) information security continue to provide both hackers and hundreds of thousands of authorized users the opportunity to modify, steal, inappropriately disclose, and destroy sensitive DOD data. These weaknesses impair DOD’s ability to (1) control physical and electronic access to its systems and data, (2) ensure that software running on its systems is properly authorized, tested, and functioning as intended, (3) limit employees’ ability to perform incompatible functions, and (4) resume operations in the event of a disaster. As a result, numerous Defense functions, including weapons and supercomputer research, logistics, finance, procurement, personnel management, military health, and payroll, have already been adversely affected by system attacks or fraud.5 • In July 1999, we reported that the Department of Agriculture’s (USDA) National Finance Center (NFC) had serious access control weaknesses that affected its ability to prevent and/or detect unauthorized changes to payroll and other payment data or computer software. NFC develops and operates administrative and financial systems, including payroll/personnel, property management, and accounting systems for both the USDA and more than 60 other federal organizations. During fiscal year 1998, NFC processed more than $19 billion in payroll payments for more than 450,000 federal employees. NFC is also responsible for maintaining records for the world’s largest 401(k)-type program, the federal Thrift Savings Program. This program, which is growing at about $1 billion per month, covers about 2.3 million employees and totaled more than $60 billion as of September 30, 1998.6 The weaknesses we identified increased the risk that users could cause improper payments and that sensitive information could be misused, improperly disclosed, or destroyed. • In October 1999, we reported that Department of Veterans Affairs (VA) systems continued to be vulnerable to unauthorized access.7 VA operates the largest healthcare delivery system in the United States and reported spending more than $17 billion on medical care in fiscal year 5 DOD Information Security: Serious Weaknesses Continue to Place Defense Operations at Risk (GAO/AIMD-99-107, August 26, 1999). 6 USDA Information Security: Weaknesses at National Finance Center Increase Risk of Fraud, Misuse, and Improper Disclosure (GAO/AIMD-99-227, July 30, 1999). 7 Information Systems: The Status of Computer Security at the Department of Veterans Affairs (GAO/AIMD-00-05, October 4, 1999). Page 3 GAO/T-AIMD-00-7 1998. The department also processed more than 42 million benefit payments totaling about $22 billion in fiscal year 1998 and provided life insurance protection through more than 2.4 million policies that represented about $23 billion in coverage. In providing these benefits and services, VA collects and maintains sensitive medical record and benefit payment information for veterans and their family members. GAO, as well as the VA IG, continued to find serious problems that placed sensitive information at increased risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction, possibly occurring without detection. For example, at one VA insurance center, 265 users who had not been authorized access had the ability to read, write, and delete information related to insurance awards. Such unauthorized access could lead to improper insurance payments. Poor Security Program While a number of factors have contributed to weak federal information security, such as insufficient understanding of risks, technical staff Management Is the shortages, and a lack of system and security architectures, the fundamental Fundamental Cause of underlying problem is poor security program management. We reported on this problem in 1996 and, again, in 1998,8 noting that agency managers are Poor Computer not ensuring, on an ongoing basis, that risks are identified and addressed Security and that controls are operating as intended. In many cases, senior agency officials have not recognized that computer-supported operations are integral to carrying out their missions and that they can no longer relegate the security of these operations solely to lower-level technical specialists. For these reasons, it is essential that this fundamental problem be addressed as part of an effective information technology management strategy, which will also serve to strengthen critical infrastructure protection. Agencies have responded to scores of recommendations for improvement made by us and by agency inspectors general. However, similar weaknesses continue to surface because agencies have not implemented a management framework for overseeing information security on an agencywide and ongoing basis. Instead, there is a tendency to react to individual audit findings as they are reported, with little ongoing attention to the systemic causes of control weaknesses. 8 GAO/AIMD-96-110, September 24, 1996, and GAO/AIMD-98-92, September 23, 1998. Page 4 GAO/T-AIMD-00-7 To identify potential solutions to this problem, we studied the security management practices of eight nonfederal organizations known for their superior security programs. We found that these organizations managed their information security risks through a cycle of risk management activities.9 The basic framework−built on 16 specific practices−allows risk management through an ongoing cycle of activities coordinated by a central focal point. The management process involves • assessing risk to determine information security needs; • developing and implementing policies and controls that meet these needs; • promoting awareness to ensure that risks, roles, and responsibilities are understood; and • instituting an ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective. 9 Information Security Management: Learning From Leading Organizations (GAO/AIMD- 98-68, May 1998). Page 5 GAO/T-AIMD-00-7 Figure 1: The Risk Management Cycle The guide is generally consistent with OMB and NIST guidance on information security program management, and it has been endorsed by the Chief Information Officers (CIO) Council as a useful resource for agency managers. One agency that has illustrated the value of these management practices in strengthening computer security is the Internal Revenue Service (IRS). IRS has made significant progress by acknowledging the seriousness of its computer security weaknesses, consolidating overall responsibility for computer security management, reevaluating its approach to computer security management, and developing a high-level plan for mitigating the identified weaknesses.10 10 IRS Systems Security: Although Significant Improvements Made, Tax Processing Operations and Data Still at Serious Risk (GAO/AIMD-99-38, December 14, 1998). Page 6 GAO/T-AIMD-00-7 A Comprehensive While adopting the practices recommended by the guide can better prepare agencies to protect their systems, detect attacks, and react to security Strategy for breaches, other actions are also needed to improve oversight and Improvement Is otherwise address the problem from a governmentwide perspective. Needed Presidential Decision Directive (PDD) 63, issued in May 1998, recognized that addressing computer-based risks to our nation’s critical infrastructures requires an approach that involves coordination and cooperation across federal agencies and among public and private-sector entities and other nations. In this regard, PDD 63 established several entities to coordinate infrastructure protection efforts.11 However, the details of the PDD’s approach have not been finalized. As a result, a major objective of PDD 63 to make the federal government “a model to the private sector on how best to protect critical infrastructure,” has not been realized nor is it clear how this objective will be met. To provide greater assurance that critical infrastructure objectives can be met, we believe that actions are needed in seven key areas. I will briefly discuss each of these. Clearly Defined Roles and First, it is important that the federal strategy delineate the roles and Responsibilities responsibilities of the numerous entities involved in federal information security and related aspects of critical infrastructure protection. Under current law, OMB is responsible for overseeing and coordinating federal agency security; and the National Institute of Standards and Technology (NIST), with assistance from the National Security Agency (NSA), is responsible for establishing related standards.12 In addition, interagency bodies, such as the CIO Council and the entities created under PDD 63 are attempting to coordinate agency initiatives. While these organizations have developed fundamentally sound policies and guidance and have undertaken potentially useful initiatives, effective improvements are not taking place. This is due, in part, to the relative 11 In May 1998, PDD 63 created several new entities in the National Security Council, the Department of Commerce, and the Federal Bureau of Investigation which also have responsibility for guiding and overseeing and coordinating agency security with a focus on critical infrastructure protection. 12 The Computer Security Act and the Paperwork Reduction Act. Page 7 GAO/T-AIMD-00-7 immaturity of the recently established processes. It is also unclear how the activities of these many organizations interrelate, who should be held accountable for their success or failure, and whether they will effectively and efficiently support national goals. Constraints on resources and the urgency of the problem require that government activities are designed and coordinated to achieve clearly understood goals. There must also be clear linkage between policy guidance, technical standards, and agency practices to ensure responsibility/accountability for actual improvements. Specific Risk-Based Second, agencies need more specific guidance on the controls that they Standards need to implement. Currently agencies have wide discretion in deciding (1) what computer security controls to implement and (2) the level of rigor with which they enforce these controls. In theory, this is appropriate since, as OMB and NIST guidance states, the level of protection that agencies provide should be commensurate with the risk to agency operations and assets. In essence, one set of specific controls will not be appropriate for all types of systems and data. However, our studies of best practices at leading organizations have shown that more specific guidance is important. In particular, specific mandatory standards for varying risk levels can clarify expectations for information protection, including audit criteria; provide a standard framework for assessing information security risk; and help ensure that shared data are appropriately protected. Implementing such standards for federal agencies would require developing (1) a single set of information classification categories for use by all agencies to define the criticality and sensitivity of the various types of information they maintain and (2) minimum mandatory requirements for protecting information in each classification category. Routine Evaluations of Third, routine periodic audits must be implemented to allow for meaningful Agency Performance performance measurement. A requirement for periodic examinations of controls in operation would significantly strengthen oversight requirements in the Computer Security Act, which focus on evaluating agency security plans, rather than practices. Ensuring effective implementation of agency information security and critical infrastructure protection plans will require monitoring to determine if milestones are being met and testing to determine if policies and controls Page 8 GAO/T-AIMD-00-7 are operating as intended. Evaluations at several levels can be beneficial. Tests initiated by agency officials are essential because they provide information needed to fulfill their ongoing responsibility for managing security programs. Evaluations initiated by independent auditors, such as agency inspectors general, can serve as an independent check on management evaluations and provide useful information for congressional and executive branch oversight. Summary evaluations performed by entities such as OMB, GAO, or the CIO Council can provide a governmentwide view of progress and help identify crosscutting problems. At present, there is no requirement for periodic independently initiated tests and evaluations of agency computer security programs. As a result, information for measuring the effectiveness of agency security programs, and thus, holding agency managers accountable is limited. While some control testing is done in support of annual independent financial statement audits, ensuring routine periodic testing of all critical agency systems−both financial and nonfinancial−may require new legislation. Executive Branch and Fourth, the executive branch and the Congress must effectively use audit Congressional Oversight results and performance measures to monitor agency performance and take whatever action is deemed advisable to remedy identified problems. Such oversight is essential to hold agencies accountable for their performance and was demonstrated by the recent OMB and congressional efforts to oversee the Year 2000 challenge. Adequate Technical Fifth, it is important for agencies to have the technical expertise they need Expertise to select, implement, and maintain controls that protect their computer systems. Similarly, the federal government must maximize the value of its technical staff by sharing expertise and information. The Computer Security Act authorized NIST to provide assistance to agencies and included provisions for periodic training in computer security awareness and practice. However, as the Year 2000 challenge showed, the availability of adequate technical expertise has been a continuing concern to agencies. A number of programs and recommendations have been proposed that merit congressional study. For example, prompted in part by concerns over technical staff shortages affecting Year 2000 efforts, the CIO Council’s Education and Training committee studied ways to help agencies recruit and retain information technology personnel. The resulting report provides an extensive description of the current status of federal information Page 9 GAO/T-AIMD-00-7 technology employment, improvement efforts currently underway, and detailed proposals for action. Adequate Funding Sixth, agencies must have resources sufficient to support their computer security and infrastructure protection activities. Funding for security is already embedded to some extent in agency budgets for computer system development efforts and routine network and system management and maintenance. However, some additional amounts are likely to be needed to address specific weaknesses and new tasks. Also, addressing the Year 2000 challenge has resulted in postponement of many program and information technology initiatives−including system enhancements and computer security.13 OMB and congressional oversight of future spending on computer security will be important to ensure that agencies are not using the funds they receive to continue ad hoc, piece-meal security fixes not supported by a strong agency risk management framework. Incident Response and Seventh, there is a need to more comprehensively monitor and develop Coordination responses to intrusions, viruses, and other incidents that threaten federal systems. Several entities are already providing some central coordination in this area−including the FBI, NIST, and the FedCIRC.14 However, the specific roles and responsibilities of these organizations, as well as the balance between governmentwide and individual agency responsibilities, should be clarified and expanded to provide a more comprehensive picture of the security events that are occurring and assistance in dealing with them. Such efforts can take several forms that provide differing benefits. For example, a governmentwide response center could provide immediate emergency assistance to agencies experiencing intrusions or other potential problems. It could also provide assistance on a nonemergency basis, especially by alerting agencies to new threats and vulnerabilities and helping them identify actions to prevent or mitigate incidents. By calling on a center for such assistance, agencies could tap into a source of specialized 13 Year 2000 Computing Challenge: Estimated Costs, Planned Uses of Emergency Funding, and Future Implications (GAO/T-AIMD-99-214, June 22, 1999). 14 FedCIRC−the Federal Computer Incident Response Capability−is a reporting center at the General Services Administration. Page 10 GAO/T-AIMD-00-7 expertise that may be difficult and expensive to maintain at the individual agency level. A governmentwide center could also serve as clearinghouse of information on incidents that would be available to federal agencies and the public. Such information can be valuable in estimating the significance of different types of information security risks. For example, when the Melissa virus surfaced earlier this year, we found that there was no single place to obtain complete data on what agencies were hit and how they were affected. Moreover, there were no data available that quantified the impact of the virus in terms of productivity lost or the value of data lost. Finally, it is important to recognize that, by itself, a central clearinghouse is not complete solution for the information security problems across the federal government. Agencies themselves must still use this information effectively to assess risks to their own computer-supported operations and to develop and implement sound management controls. In conclusion, Mr. Chairman, I want to stress that there are no simple solutions to improving computer security throughout the government. What is clear is that a bottom-up approach will not work. To begin to meet the lofty goal of PDD 63−making the government a model−will require sustained top management support, consistent oversight, and additional levels of technical and funding support. Taking steps to address the issues outlined in my statement could help the government put its own house in order and more effectively work with the private sector to protect critical infrastructures. This concludes my testimony. I will be happy to answer any questions you or Members of the Subcommittee may have. (511065) Leter Page 11 GAO/T-AIMD-00-7 Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary, VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with “info” in the body to: firstname.lastname@example.org or visit GAO’s World Wide Web Home Page at: http://www.gao.gov United States Bulk Mail General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. GI00 Official Business Penalty for Private Use $300 Address Correction Requested
Critical Infrastructure Protection: Fundamental Improvements Needed to Assure Security of Federal Operations
Published by the Government Accountability Office on 1999-10-06.
Below is a raw (and likely hideous) rendition of the original report. (PDF)