Federal Information Security: Actions Needed to Address Widespread
Weaknesses (Testimony, 03/29/2000, GAO/T-AIMD-00-135).

Pursuant to a congressional request, GAO discussed federal information
security, focusing on actions federal agencies can take immediately to
strengthen their security programs as well as other actions required to
make more fundamental and long-term improvements.

GAO noted that: (1) federal agencies can act immediately to address
federal information security weaknesses and reduce the related risks;
(2) specifically, they can: (a) increase awareness; (b) ensure that
existing controls are operating effectively; (c) ensure that software
patches are up-to-date; (d) use automated scanning and testing tools to
quickly identify problems; (e) propagate their best practices; and (f)
ensure that their most common vulnerabilities are addressed; (3) none of
these actions alone will ensure good security; (4) however, they take
advantage of readily available information and tools and, thus, do not
involve significant new resources; and (5) as a result, they are steps
that can be made without delay.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-00-135
     TITLE:  Federal Information Security: Actions Needed to Address
             Widespread Weaknesses
      DATE:  03/29/2000
   SUBJECT:  Computer security
             Computer software verification and validation
             Information resources management
             Internal controls
             Classified information
             Strategic information systems planning
             Security classification (government documents)


For Release on Delivery
Expected at 10 a.m.
Wednesday, March 29, 2000

GAO/T-AIMD-00-135

Federal Information Security
Actions Needed to Address Widespread Weaknesses

Statement of Jack L. Brock, Jr.
Director, Governmentwide and Defense Information Systems
Accounting and Information Management Division

Testimony
Before the Subcommittee on Government Management, Information and
Technology, Committee on Government Reform, House of Representatives

United States General Accounting Office (GAO)
Mr. Chairman and Members of the Subcommittee:

I am pleased to be here today to discuss federal information security. Our
recent audit findings in this area present a disturbing picture of the state
of computer security practices at individual agencies. Our work, and the work
of other audit entities, has demonstrated that many agencies' critical
operations and processes are at serious risk of disruption because of weak
security practices. We have designated computer security as a high-risk
area, and the President's plan for protecting critical infrastructure
reinforces this designation.

At your request, I will discuss actions agencies can take immediately to
strengthen their security programs as well as other actions required to make
more fundamental and long-term improvements. Additionally, I will discuss
governmentwide actions needed to support and encourage agency progress and
congressional oversight of this progress.

Serious and Widespread Weaknesses Place Critical and Sensitive Operations
and Assets at Risk

However, this reliance on automated systems increases the risks of fraud,
inappropriate disclosure of sensitive data, and disruption of critical
operations and services. The same factors that benefit operations, speed and
accessibility, also make it possible for individuals and organizations to
inexpensively interfere with or eavesdrop on operations, possibly for
fraud, sabotage, or other malicious purposes. Threats of such
actions are increasing, in part, because the number of individuals with
computer skills is increasing and because intrusion, or "hacking,"
techniques have become readily accessible through magazines and on computer
bulletin boards. In addition, natural disasters and inadvertent errors by
authorized computer users can have devastating consequences if information
resources are poorly protected.

Recent audits show that federal systems are highly vulnerable to these
risks. Our October 1999 analysis of our own and inspector general audits
found that 22 of the largest federal agencies were not adequately protecting
critical federal operations and assets from computer-based attacks. Our most
recent individual agency review, of the Environmental Protection Agency
(EPA), corroborated our governmentwide analysis. Our tests identified
numerous security weaknesses associated with the computer operating systems
and the agencywide computer network that support most of EPA's
mission-related and financial operations. In addition, EPA's own records
identified several serious computer incidents in the last 2 years. EPA is
currently taking significant steps to address these weaknesses, but
resolving them on a lasting basis will require substantial ongoing
management attention and changes in the way EPA views information security.

EPA is not unique. Within the past 12 months we have identified significant
management weaknesses and control deficiencies at a number of agencies.

   * In August 1999, we reported that pervasive weaknesses in Department of
     Defense information security continue to provide both hackers and
     hundreds of thousands of authorized users the opportunity to modify,
     steal, inappropriately disclose, and destroy sensitive DOD data.
   * In May 1999, we reported that as part of our tests of the National
     Aeronautics and Space Administration's (NASA) computer-based controls,
     we successfully penetrated several mission-critical systems, including
     one responsible for calculating detailed positioning data for each
     orbiting spacecraft and another that processes and distributes the
     scientific data received from these spacecraft. Having obtained access,
     we could have disrupted ongoing command and control operations and
     modified or destroyed system software and data.
   * In August 1999, an independent accounting firm reported that the
     Department of State's mainframe computers for domestic operations were
     vulnerable to unauthorized access. Consequently, other systems, which
     process data using these computers, could also be vulnerable. A year
     earlier, in May 1998, we reported that our tests at State demonstrated
     that its computer systems and the information they maintained were very
     susceptible to hackers, terrorists, or other unauthorized individuals
     seeking to damage State operations or reap financial gain by exploiting
     the department's information security weaknesses.
   * In October 1999, we reported that serious weaknesses placed sensitive
     information belonging to the Department of Veterans Affairs (VA) at
     risk of inadvertent or deliberate misuse, fraudulent use, improper
     disclosure, or destruction, possibly occurring without detection. Such
     findings were particularly troublesome since VA collects and maintains
     sensitive medical record and benefit payment information for veterans
     and family members and is responsible for tens of billions of dollars
     of benefit payments annually.

Control Weaknesses Are Similar Among Agencies

   * Entitywide Security Program Planning and Management. Each organization
     needs a set of management procedures and an organizational framework
     for identifying and assessing risks, deciding what policies and
     controls are needed, periodically evaluating the effectiveness of these
     policies and controls, and acting to address any identified weaknesses.
     These are the fundamental activities that allow an organization to
     manage its information security risks cost effectively, rather than
     reacting to individual problems ad hoc only after a violation has been
     detected or an audit finding has been reported. Despite the importance
     of this aspect of an information security program, we continue to find
     that poor security planning and management is the rule rather than the
     exception. Most agencies do not develop security plans for major
     systems based on risk, have not formally documented security policies,
     and have not implemented programs for testing and evaluating the
     effectiveness of the controls they rely on.
   * Access Controls. Access controls limit or detect inappropriate access
     to computer resources (data, equipment, and facilities) thereby
     protecting these resources against unauthorized modification, loss, and
     disclosure. They include physical protections such as gates and guards.
     They also include logical controls, which are controls built into
     software that (1) require users to authenticate themselves through
     passwords or other identifiers and (2) limit the files and other
     resources that an authenticated user can access and the actions that
     he or she can
     execute. In many of our reviews we have found that managers do not
     identify or document access needs for individual users or groups, and,
     as a result, they provide overly broad access privileges to very large
     groups of users. Additionally, we often find that users share accounts
     and passwords or post passwords in plain view, making it impossible to
     trace specific transactions or modifications to an individual.
     Unfortunately, as a result of these and other access control
     weaknesses, auditors conducting penetration tests of agency systems are
     almost always successful in gaining unauthorized access that would
     allow intruders to read, modify, or delete data for whatever purposes
     they had in mind.
   * Application Software Development and Change Controls. Application
     software development and change controls prevent unauthorized software
     programs or modifications to programs from being implemented. Without
     them, individuals can surreptitiously modify software programs to
     include processing steps or features that could later be exploited for
     personal gain or sabotage. In many of our audits, we find that (1)
     testing procedures are undisciplined and do not ensure that implemented
     software operates as intended, (2) implementation procedures do not
     ensure that only authorized software is used, and (3) access to
     software program libraries is inadequately controlled.
   * Segregation of Duties. Segregation of duties refers to the policies,
     procedures, and organizational structure that help ensure that one
     individual cannot independently control all key aspects of a process or
     computer-related operation and thereby conduct unauthorized actions or
     gain unauthorized access to assets or records without detection. For
     example, one computer programmer should not be allowed to independently
     write, test, and approve program changes. We commonly find that
     computer programmers and operators are authorized to perform a wide
     variety of duties, thus providing them the ability to independently
     modify, circumvent, and disable system security features. Similarly, we
     have also identified problems related to transaction processing, where
     all users of a financial management system can independently perform
     all of the steps needed to initiate and complete a payment.
   * System Software Controls. System software controls limit and monitor
     access to the powerful programs and sensitive files associated with the
     computer systems operation, e.g., operating systems, system utilities,
     security software, and database management systems. If controls in this
     area are inadequate, unauthorized individuals might use system software
     to circumvent security controls to read, modify, or delete critical or
     sensitive information and programs. Such weaknesses seriously diminish
     the reliability of information produced by all of the applications
     supported by the computer system and increase the risk of fraud,
     sabotage, and inappropriate disclosures. Our reviews frequently
     identify systems with insufficiently restricted access that in turn
     makes it possible for knowledgeable individuals to disable or
     circumvent controls.
   * Service Continuity Controls. Service continuity controls ensure that
     critical operations can continue when unexpected events occur, such as
     a temporary power failure, accidental loss of files, or even a major
     disaster such as a fire. For this reason, an agency should have (1)
     procedures in place to protect information resources and minimize the
     risk of unplanned interruptions and (2) a plan to recover critical
     operations should interruptions occur. At many of the agencies we have
     reviewed, we have found that plans and procedures are incomplete
     because operations and supporting resources had not been fully analyzed
     to determine which were most critical and would need to be restored
     first. In addition, disaster recovery plans are often not fully tested
     to identify their weaknesses. As a result, many agencies have
     inadequate assurance that they can recover operational capability in a
     timely, orderly manner after a disruptive attack.
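The access-control and segregation-of-duties findings above (overly broad
privileges granted to large groups, shared accounts that make actions
untraceable, and one programmer able to write, test, and approve a change, or
one user able to both initiate and approve a payment) are the kind of
conditions an agency can check for mechanically in its own account and role
records. The following is an added example, not part of the testimony or any
GAO tool: the user/system/role table, the account-naming convention for
shared accounts, the group principal name, and the role names are all
constructed assumptions for illustration.

```python
"""Added example (not from the GAO testimony): review a constructed
user/role assignment table for the access-control weaknesses the
testimony describes: conflicting duties held by one person, shared
accounts, and privileged roles granted to group principals."""
from collections import defaultdict

# Constructed sample data: (account, system, role). Role and system names
# are assumptions for this example only.
ASSIGNMENTS = [
    ("alice", "payroll", "write_code"),
    ("alice", "payroll", "test_code"),
    ("alice", "payroll", "approve_change"),     # one programmer does all three
    ("bob", "payroll", "write_code"),
    ("carol", "payroll", "test_code"),
    ("dave", "payroll", "approve_change"),      # bob/carol/dave: duties are split
    ("erin", "ap_ledger", "initiate_payment"),
    ("erin", "ap_ledger", "approve_payment"),   # can complete a payment alone
    ("shared_ops", "payroll", "write_code"),    # shared account: not traceable
    ("everyone", "payroll", "admin"),           # broad privilege to a group
]

# Role combinations no single account should hold on one system. These two
# are the examples given in the testimony; an agency would extend the list.
CONFLICTING_ROLE_SETS = [
    frozenset({"write_code", "test_code", "approve_change"}),
    frozenset({"initiate_payment", "approve_payment"}),
]


def find_sod_violations(assignments, conflicts=CONFLICTING_ROLE_SETS):
    """Return (account, system, roles) for every account that holds a full
    conflicting role set on one system, i.e. can act without a second person."""
    held = defaultdict(set)
    for account, system, role in assignments:
        held[(account, system)].add(role)
    violations = []
    for (account, system), roles in sorted(held.items()):
        for conflict in conflicts:
            if conflict <= roles:
                violations.append((account, system, tuple(sorted(conflict))))
    return violations


def find_shared_accounts(assignments, shared_prefixes=("shared_",)):
    """Accounts that by naming convention (assumed here) are shared by several
    people; actions taken under them cannot be traced to an individual."""
    return sorted({a for a, _, _ in assignments if a.startswith(shared_prefixes)})


def find_broad_privileges(assignments, group_accounts, privileged_roles):
    """Privileged roles granted to a group principal instead of named users."""
    return sorted({(a, s, r) for a, s, r in assignments
                   if a in group_accounts and r in privileged_roles})


def review(assignments):
    """Run all three checks and return the findings as one dict."""
    return {
        "segregation_of_duties": find_sod_violations(assignments),
        "shared_accounts": find_shared_accounts(assignments),
        "broad_privileges": find_broad_privileges(
            assignments, group_accounts={"everyone"}, privileged_roles={"admin"}),
    }


if __name__ == "__main__":
    for check, findings in review(ASSIGNMENTS).items():
        print(check)
        for finding in findings:
            print("   ", finding)
```

Run against the constructed table, the review flags alice (write, test and
approve on payroll), erin (initiate and approve payments), the shared_ops
account, and the admin role held by the everyone group, while bob, carol and
dave, whose duties are split three ways, are not flagged. The conflict sets
are data, so an agency's own policy can be expressed without changing the
checking logic.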

Actions Agencies Can Take Immediately to Reduce Risks

Raise Awareness

First, agency security managers can take steps to ensure that agency
personnel at all levels understand the significance of their dependence on
computer support and the related risks to mission-related operations. Better
understanding risks allows senior executives to make more informed decisions
regarding appropriate levels of financial and personnel resources to protect
these assets over the long term. However, we have found that when senior
managers do not understand such risks, they may not devote adequate
resources to security or be willing to tolerate the inconvenience that may
be associated with maintaining adequate controls. In addition, system users
must understand the importance of complying with policies and controls and
why these controls are important to the agency in meeting its
mission-critical functions. Engendering such understanding and awareness
requires a proactive approach from agency security experts and, most
important, support from the agency head.

Ensure Policies and Controls Are Operating Effectively

Implement Software Patches

Routinely Use Automated Tools to Monitor Security

Identify and Propagate Pockets of Excellence

Focus on the Most Common Vulnerabilities First

Finally, agencies can develop and distribute lists of the most common types
of vulnerabilities, accompanied by suggested corrective actions, so that
individual organizational units can take advantage of experience gained by
others. Such lists can be developed based on in-house experience, or
agencies can adapt lists available through professional organizations and
other centers of expertise. In the course of our audits, we frequently find
the same vulnerabilities over and over again. By encouraging managers to
monitor for the most common vulnerabilities continually, agencies can help
ensure that they are promptly addressed, thereby quickly reducing their
risk and possibly freeing technical experts to identify and address more
difficult problems.

Improved Security Program Management Is Essential

   * agency actions are appropriately controlled and coordinated,
   * testing tools are appropriately selected and tested prior to their use,
   * personnel involved in using tools and in implementing software patches
     are properly trained,
   * good practices and lessons learned are shared on an agencywide basis,
   * controls are systematically tested to ensure that they are effective,
     and
   * appropriate risk management decisions are made regarding the best way
     to address identified problems.

Establishing such a management framework requires that agencies take a
comprehensive approach that involves both (1) senior agency program managers
who understand which aspects of their missions are the most critical and
sensitive and (2) technical experts who know the agencies' systems and can
suggest appropriate technical security control techniques. We studied the
practices of organizations with superior security programs and summarized
our findings in a May 1998 executive guide entitled Information Security
Management: Learning From Leading Organizations (GAO/AIMD-98-68). Our study
found that these organizations managed their information security risks
through a cycle of risk management activities that included

   * assessing risks and determining protection needs,
   * selecting and implementing cost-effective policies and controls to meet
     these needs,
   * promoting awareness of policies and controls and of the risks that
     prompted their adoption among those responsible for complying with
     them, and
   * implementing a program of routine tests and examinations for evaluating
     the effectiveness of policies and related controls and reporting the
     resulting conclusions to those who can take appropriate corrective
     action.

In addition, a strong, centralized focal point can help ensure that the
major elements of the risk management cycle are carried out and serve as a
communications link among organizational units. Such coordination is
especially important in today's highly networked computing environments.
This cycle of risk management activities is depicted below.

Need for New Governmentwide Actions to Support Agency Security Efforts

While individual agencies bear primary responsibility for the information
security associated with their own operations and assets, there are several
areas where governmentwide criteria and requirements could be strengthened.
Existing requirements are somewhat out-of-date and do not provide agencies
adequate guidance as to what levels of security are appropriate for their
varying computer-supported operations. In addition, while the rigor and
scope of our information security audits have increased in recent years,
information on agency performance in this area is incomplete, making it
difficult to measure incremental improvements.

Perhaps most important, the legal framework supporting federal computer
security needs to be updated. In particular, the Computer Security Act of
1987

First, there is a need for routine periodic independent audits to provide
(1) a basis for measuring agency performance and (2) information for
strengthened oversight. Except for security audits associated with financial
statement audits, current information security reviews are performed on an
ad hoc basis.

Second, agencies need more prescriptive guidance regarding the level of
protection that is appropriate for their systems. Currently, agencies have
wide discretion in deciding what computer security controls to implement and
the level of rigor with which they enforce these controls. OMB and NIST
guidance is not detailed enough to ensure that agencies are making
appropriate judgments in this area and that they are protecting the same
types of data consistently throughout the federal community. More specific
guidance could be developed in two parts:

   * A set of data classifications that could be used by all federal
     agencies to categorize the criticality and sensitivity of the data they
     generate and maintain. These classifications could range from
     noncritical, publicly available information requiring a relatively low
     level of protection to highly sensitive and critical information that
     requires an extremely high level of protection. Intermediate
     classifications could cover a range of financial and other important
     and sensitive data that require significant protection but not at the
     very highest levels. It would be important for these data
     classifications to be clearly defined and accompanied by guidelines
     regarding the types of data that would fall into each classification.
   * A set of minimum mandatory control requirements for each
     classification. Such control requirements could cover issues such as
     (1) the strength of system user authentication techniques (e.g.,
     passwords, smart cards, and biometrics) for each classification, (2)
     appropriate types of cryptographic tools for each classification, and
     (3) the frequency and rigor of testing appropriate for each
     classification.

Third, there is a need for stronger central leadership and coordination of
information security-related activities across government. Under current
law, responsibility for guidance and oversight of agency information
security is divided among a number of agencies, including OMB, NIST, the
General Services Administration, and the National Security Agency. Other
organizations are also becoming involved through the administration's
critical infrastructure protection initiative, including the Department of
Justice and the Critical Infrastructure Assurance Office. The federal CIO
Council is also supporting these efforts. While all of these organizations
have made positive contributions, some roles and responsibilities are not
clear and central coordination is lacking in certain key areas. In
particular, information on vulnerabilities and related solutions is not
being adequately shared among agencies and requirements related to handling
and reporting security incidents are not clear.

In conclusion, I want to emphasize that while there are many valuable tools
and practices that agencies can adopt, there is no "silver bullet" for
information security. Ensuring effective and efficient progress in this area
throughout the federal government will require concerted efforts by senior
executives, program managers, and technical specialists. It will require
cooperative efforts by executive agencies and by the central management
agencies, such as OMB. Further, it will require sustained congressional
oversight to ensure that improvements are realized.

Mr. Chairman, this concludes my statement. I would be happy to answer any
questions you or other Subcommittee members may have. For future contacts
regarding this testimony, please contact me at (202) 512-6240.

(511710)

        Orders by Internet

For information on how to access GAO reports on the Internet, send an e-mail
message with "info" in the body to:

[email protected]

or visit GAO's World Wide Web home page at:

http://www.gao.gov

        Web site: http://www.gao.gov/fraudnet/fraudnet.htm

E-mail: [email protected]

1-800-424-5454 (automated answering system)