The U.S. Department of Homeland Security earned failing marks in an annual computer security report card released Thursday by a congressional oversight committee.
That means the federal agency tasked with principal responsibility for the nation's cybersecurity has now received a grade of "F" from the U.S. House of Representatives Committee on Government Reform for three straight years--in other words, every year of its young existence.
It's not alone. Of the 24 departments on the scorecard, seven others, including Energy, Agriculture, Veterans Affairs, State, and Defense, also received failing marks for 2005. The scores for both Defense and State had hovered above passing--at D and D+, respectively--in 2004. The overall grade across all government agencies was D+, unchanged from last year.
The shortcomings were little surprise but are nonetheless "appalling," said Gene Spafford, a Purdue University computer science professor who has long been urging greater cybersecurity research and more development dollars. He served on a presidential advisory committee that released a scathing report last year called "The Cyber Security Crisis: A Failure of Prioritization."
"Despite all the rhetoric from government officials about preparedness and defense against those who would harm the U.S., it is clear that they still don't 'get it' about IT security," he said in an e-mail interview.
The report cards are based on reports from agencies about their compliance with the Federal Information Security Management Act of 2002. That law sets a broad framework of requirements, including devising an information security program, keeping an inventory of its systems, training personnel and contractors in security "awareness," evaluating the effectiveness of its program periodically, and flagging and developing plans to root out weaknesses.
To be sure, the news wasn't all bad. Seven agencies, including the Department of Labor, the Social Security Administration, and the National Science Foundation, received grades in the A range, in some cases pulling their scores up from the C range over the past year. But progress has been "uneven" on a government-wide scale, concluded the Government Accountability Office in a presentation delivered Thursday before the House committee.
The Department of Homeland Security has proven itself a particular magnet for criticism and had been chided for its failure to develop a cyber crisis contingency plan, prompting experts to question its ability to handle a massive attack. The agency recently modeled such a scenario, drawing praise from tech companies that participated, but it doesn't expect to release an analysis of its outcome until the summer.
A high-level cybersecurity czar post proposed by the department also remains vacant, though perhaps through no fault of the agency's own. A congressional bill consenting to its creation remains bottled up in committee.
DHS Chief Information Officer Scott Charbo told politicians in prepared testimony for Thursday's hearing that the department is committed to making improvements. It launched three major new tools in 2005, he said, including monthly information security scorecards for department leaders to review. By February, it had also brought 60 percent of its 700 systems into full compliance with federal security standards, up from 26 percent before launching a special "Remediation Project" in October 2005.
Meantime, Congress scores F on preventing adware in its own report card
In a moment of great irony, though, Congress' own report card that reprimands Federal agencies on cybersecurity includes within the PDF file what could be called "adware" -- you'll see a logo for "PDF Complete" when you open the file that pitches the sale of a premium upgrade for creating Adobe Acrobat PDF files. PDF Complete is a competing company to Adobe. Hilarious!
That's because you have the same BIG VENDORS gumming
...up the works. They stall and manipulate and undermine until and unless they get all the $$$. Nobody's doing nothing until they've been cut in. Pathetic. Unpatriotic. Security my arse.
The United States of Commerce. All hail the dollar.