Last year 586 incidents affecting federal computer systems were reported, a slight increase over the 580 reported in 1999, but 35 per cent more than the 376 incidents reported in 1998, Sallie McDonald, assistant commissioner of the Office of Information Assurance and Critical Infrastructure, told the House Energy and Commerce Committee's subcommittee on oversight and investigation.
More significantly, 155 of those incidents were described as "root compromise" intrusions, which gave the intruder full administrative privileges over the targeted system. In at least five of the "root compromise" incidents, access to sensitive government information was verified, said McDonald, whose office is part of the General Services Administration (GSA). For the remaining incidents it's assumed that information was compromised, McDonald added.
Distributed denial of service attacks and computer viruses comprised the other attacks on federal government computer systems last year. Though government agencies are required to report attacks and intrusions to the Federal Computer Incident Response Center run by the Office of Information Assurance and Critical Infrastructure, any number of other intrusions and attacks go unreported because agencies are unable to recognize that systems have been compromised, McDonald said.
McDonald said that, to her knowledge, none of the attacks or intrusions last year involved classified or secret information, and she said the increases have been mostly in data produced by government scientific researchers and environmental specialists. One of the things the office is shopping for is a system that would facilitate the distribution of patches for known vulnerabilities, she said.
McDonald also assured members of the subcommittee that the agency's revamped approach to intrusion detection, which replaces the controversial Federal Intrusion Detection Network (FIDNet), was not an attempt to sneak around Congress and put into place a system that could indiscriminately monitor private e-mail.
The GSA said last June it was moving forward with its plans to build a government-wide system to monitor agency networks for cyber-attacks. Asked about the system Thursday, McDonald said GSA now refers to it as managed security services. These types of services have matured and are now available commercially, she said.
"The idea was to make it much more palatable to the federal civilian agencies, to put them in control of the system because they would be the ones that would be procuring it," McDonald said. "We are encouraging them to procure these services and then share the results ... with us."
She said unless someone who is accessing government information is "acting anomalously," meaning behaving in a way that is not within the range of "normal approved-type activity," their communications would not be tracked by the intrusion detection systems.
The subcommittee also was told that there are 102 ongoing investigations into intrusions. Ronald Dick, director of the National Infrastructure Protection Center within the Federal Bureau of Investigation, said thus far none of the intrusions has been attributed to any "foreign powers' organizations."
Nevertheless, computer systems at federal facilities as well as systems in the private sector are extremely vulnerable to potentially crippling cyber attacks, Dick told the subcommittee.
"There are numerous tools out there to exploit the vulnerabilities in (government and private) systems, and unless there is due diligence on the part of systems administrators, CEOs and executive management of government agencies as well as the private sector as a whole you are going to have vulnerabilities," Dick said. "That includes due diligence not only in the implementation of firewalls and intrusion detection software, but ... continually updating and correcting your system."
In a statement released in conjunction with the hearing, the Information Technology Association of America (ITAA) called on the federal government to make information security a national priority. ITAA recommended the government spend more money on information security; organize itself efficiently to develop sound information security policies; adopt some means of ensuring internal accountability for information security; and fund advanced information security research.