Gov't Agencies Fail Computer Review


Monday, September 11th 2000, 12:00 am
By: News On 6


WASHINGTON (AP) — A fourth of the government's major agencies, including the departments of Justice, Labor, Interior, Agriculture and Health and Human Services, flunked a computer security review.

The F's given to seven of the 24 major agencies, based on agency-reported data and on General Accounting Office and Inspector General audits, led to a government-wide grade of D-, said Rep. Stephen Horn, R-Ca., chairman of the House Government Reform Committee's technology subcommittee.

The departments that flunked all keep important computer data, said Horn, who called the scores the first government-wide assessment of computer security.

"The Department of Labor, charged with maintaining vital employment statistics, an F. The Department of the Interior, which manages the nation's public lands, an F," said Horn, as his staffers passed out fake report cards to the media.

"The Department of Health and Human Services that holds personal information on every citizen who receives Medicare, another F. Agriculture and Justice, the Small Business Administration and the Office of Personnel Management, the personnel office for the entire federal government, all F's."

All 24 agencies have significant problems in allowing unauthorized access to sensitive information, said Joel Willemssen, director of the GAO's accounting and information management division. Auditors proved that point by trying to hack into government computers from remote locations.

"Our auditors have been successful, in almost every test, in readily gaining unauthorized access that would allow intruders to read, modify or delete data for whatever purpose they have in mind," the GAO report said.

The agencies aren't good at monitoring access inside their own work forces, either, the report said.

At one unnamed agency, all 1,100 computer users were granted access to sensitive system directories and settings, while at another agency, 20,000 users had been provided access to one system without written authorization, the GAO report said.

"Federal agencies have serious and widespread computer security weaknesses," Willemssen said.

But the government's patchwork funding for computer security is partly to blame, said John Gilligan, the Energy Department's chief information officer and co-chair of the Chief Information Officer Council Committee on Security, Privacy and Critical Infrastructure Protection.

"It is an area where the executive and legislature are failing," he said.

But some of the problems could be solved by simply doing things like changing passwords regularly or turning computers off after workers leave, Horn said. "That doesn't cost a thing," he said.

And grading all the federal agencies with the same standards may not be the best way to get results, said John Spotila, administrator of the Office of Information and Regulatory Affairs in the president's Office of Management and Budget.

"Just as we must resist the simplicity of a one-size-fits-all security program for the vast variety of agency systems, we must also avoid a one-size-fits-all approach to measuring successes and shortfalls," he said.

Rep. Jim Turner, D-Texas, advocated the creation of a national Chief Information Officer position in the federal government to monitor and coordinate computer security issues, an issue the subcommittee will tackle on Tuesday.

———

On the Net: House Government Reform subcommittee on government management, information and technology: http://www.house.gov/reform/gmit/