The 2008 IT Report Card
by Hank Hogan   
Monday, 01 September 2008

In its annual computer security report card issued in May, the Department of Homeland Security (DHS) showed substantial improvement, vaulting from the previous year’s dismal D to a much better B+. However, this good news about DHS’ success in meeting the mandates of the 2002 Federal Information Security Management Act, or FISMA, has its critics, some of them within Congress. For its part, DHS had earlier given itself a solid C with regard to cybersecurity.

Thus, while there’s agreement that DHS deserves a passing grade, there’s disagreement over the exact mark the agency earned. That’s symptomatic of the state of IT in DHS. On the technical side, cybersecurity trends haven’t changed, with cybercrime and associated threats growing despite efforts to control the situation.

Assessing DHS

Key events

2007

  • December: In remarks to a security summit in New York, DHS Cybersecurity and Communications Assistant Secretary Greg Garcia touts Einstein, a system that automatically monitors networks to thwart intrusions. He says the system cuts the time needed to gather and share critical data on federal government computer security risks from as much as five days to as little as four hours.

2008

  • February: C isn’t just for cybersecurity, as DHS officials give themselves that grade at a congressional hearing when assessing the agency’s efforts.
  • March: DHS sponsors Cyber Storm II, the largest cybersecurity exercise ever organized. It includes representatives from four foreign governments, nine states, 18 federal agencies and 40 private companies. A final report is to be released at the end of the summer.
  • May: DHS gets a B+ in the FISMA report for computer security, much better than the F from two years before.
  • June: A General Accountability Office (GAO) report, “Secure Border Initiative Fiscal Year 2008 Expenditure Plan Shows Improvement, but Deficiencies Limit Congressional Oversight and DHS Accountability,” is issued. It shows that most of the legislative requirements for the 2008 expenditure plan for the Secure Border Initiative (SBI) have been met. The only one of the 15 conditions not satisfied relates to planning that demonstrates how specific SBI activities link with the overall secure border strategy. The GAO report notes that the spending plan lacks information about some tactical infrastructure-related costs. It also states that the plan doesn’t detail progress toward meeting the goals of SBInet, the technology portion of SBI.

The year in review

DHS is making progress but it’s difficult to accurately judge how much. For example, DHS is spearheading the deployment of Einstein across the federal government. However, outside cybersecurity experts and congressional critics contend that Einstein is no genius, requiring routine download and analysis of data.

What’s more, they fear that the FISMA grading is being gamed and are concerned that the wrong criteria are being measured. Partly in response, legislation has been introduced that would change how the assessment is done.

This moving of the goalposts has to be frustrating to anyone trying to meet the designated targets. However, in a way, this change and the criticism can be seen as proof that DHS is indeed meeting the old goals—or at least coming nearer to them.

Technically speaking

Key events

2007

  • October: In a speech at the National Cyber Security Awareness Month Kick-off Summit, Garcia notes that the market for cybercrime is more than $100 billion, surpassing drug trafficking. He also states that the United States Computer Emergency Readiness Team (US-CERT) handled 37,006 incidents over the past year, a 54 percent increase over the year before.

2008

  • March: US-CERT reports on a large-scale attack involving more than 10,000 Web pages into which hackers have inserted malicious JavaScript files. Users who visited the sites may have executed the code and put themselves or others at risk.
  • April: Symantec publishes its security threat report for the last half of 2007, reporting that attacks have become Web-based. In the last half of 2006, none of the top 50 malicious code samples attempted to modify Web pages on a compromised computer. A year later, 7 percent of the top 50 code samples did so.
  • May: US-CERT reports a 21 percent increase in scans, probes or attempted access in the quarter ending in March as compared to the previous quarter. Phishing, which falls into this category, accounts for just over 72 percent of all incidents reported.
  • July: European newspaper giant Axel Springer reportedly is moving more than 10,000 employees to the Mac over the next five years. This switch is emblematic of the growing corporate market penetration by Apple. Another factor is the iPhone and other smartphones. The ongoing movement away from a Windows-based IT monoculture on desktops could present some management and security challenges.

Analysis

As has been the case for years, cybersecurity continues to grow more complex and difficult. Because of the money to be made and increased connectivity, cybercrime has attracted the attention of organized gangs and is increasingly moving onto the Web.

Complicating the management of these trends is a change in enterprise computing. Corporations now have to contend with users bringing in iPhones and other mobile computing devices, along with an increase in the market share for Macs in a business environment. Such changes will likely impact the government IT space, either directly or through contractors and third parties. While each component may itself be secure, the combination of PCs, Macs and smartphones in a network may reveal new vulnerabilities.


About the author:
Hank Hogan, HSToday IT correspondent, is an Austin, Texas-based writer who has covered information technology, data centers and security for a variety of publications. He has also worked as an engineer for high-tech firms.