Feds' math is fuzzy on computer crime
The federal government can report in exacting detail the number of bank robberies committed in any given year. But when it comes to computer crimes against government agencies, it's close to clueless.
Government officials estimate that only 20% of computer crime incidents are being reported because the agencies either don't have the technical sophistication to discover the crimes or they want to keep bad news quiet. It's for those reasons that the 155 root compromises to federal computers reported last year likely represent a fraction of the actual number.
"It's a serious issue," said Jim Craft, information security officer at the U.S. Agency for International Development and head of the CIO Council's best practices subcommittee on security.
Lack of Resources, Teamwork
Craft said senior managers fear the unwelcome attention that computer crime reports bring and in many cases lack the money and tools to detect or fight computer crime. But there's also an ingrained reluctance for agencies to work together, he said.
"We don't have a culture of collaboration in the federal government," said Craft. "We can't even get people sometimes to share good news."
For the first three months of this year, the government's central crime data repository, the Federal Computer Incident Response Center (FedCIRC), recorded 55 root compromises at civilian nondefense federal agencies -- putting it on pace to exceed last year's total of 155. A root compromise is an intrusion in which the attacker gains system administrator ("root") privileges on a machine, and with them the ability to read or copy any document, alter data or plant malicious code.
Still, it's impossible to gauge just what the first-quarter increase means, say experts.
"We don't know whether we're seeing a change in the rate of reporting, a change in the rate of detection or a change in the rate of penetration," said Michel E. Kabay, a computer security expert at consulting firm Atomic Tangerine Inc. in Menlo Park, Calif., who has done research on computer crime statistics.
For its part, the Bush administration has begun to take steps to improve federal agencies' compliance in reporting and responding to security breaches, including recommending a 38% boost in FedCIRC's funding, from $8 million to $11 million. Agencies are already required by law to report incidents to FedCIRC under the Government Information Security Reform Act approved last year.
But Sallie McDonald, an assistant commissioner at the General Services Administration, which runs FedCIRC, said she recognizes that it takes time to gain agency cooperation.
Nonetheless, "I would hope that we don't have to go through a tremendous [data] loss in order to start complying with the things that we should be doing," she said.