The federal government can report in exacting detail the number of bank robberies committed in any given year. But when it comes to computer crimes against government agencies, it's close to clueless.
Government officials estimate that only 20% of computer crime incidents are being reported because the agencies either don't have the technical sophistication to discover the crimes or they want to keep bad news quiet. It's for those reasons that the 155 root compromises to federal computers reported last year likely represent a fraction of the actual number.
"It's a serious issue," said Jim Craft, information security officer at the U.S. Agency for International Development and head of the CIO Council's best practices subcommittee on security.
Lack of Resources, Teamwork
Craft said senior managers fear the unwelcome attention that computer crime reports bring and in many cases lack the money and tools to detect or fight computer crime. But there's also an ingrained reluctance for agencies to work together, he said.
"We don't have a culture of collaboration in the federal government," said Craft. "We can't even get people sometimes to share good news."
For the first three months of this year, the government's central crime data repository, the Federal Computer Incident Response Center (FedCIRC), recorded 55 root compromises at civilian nondefense federal agencies -- putting it on pace to exceed last year's total. A root compromise occurs when an intruder gains systems administration privileges, such as the ability to copy documents, alter data or plant malicious code.
Still, it's impossible to gauge just what the first-quarter increase means, say experts.
"We don't know whether we're seeing a change in the rate of reporting, a change in the rate of detection or a change in the rate of penetration," said Michel E. Kabay, a computer security expert at consulting firm Atomic Tangerine Inc. in Menlo Park, Calif., who has done research on computer crime statistics.
For its part, the Bush administration has begun to take steps to improve compliance by federal agencies in reporting and responding to security breaches, including recommending a 38% boost in funding, from $8 million to $11 million, for FedCIRC. Agencies are already required by law to report to FedCIRC as a result of the Government Security Reform Act approved last year.
But Sallie McDonald, an assistant commissioner at the General Services Administration, which runs FedCIRC, said she recognizes that it takes time to gain agency cooperation.
Nonetheless, "I would hope that we don't have to go through a tremendous [data] loss in order to start complying with the things that we should be doing," she said.
Believe It or Not
Federal officials believe that root compromises of government systems are on the rise. One reason for this is the increase in available tools used by intruders. But accurate statistics on break-ins aren't available.

The Law: Federal agencies are required to report computer break-ins.

The Reality: For the same reasons as in the private sector, many agencies don't report break-ins. Some don't know they have been hacked. Others fear negative attention.

The Plan: The Bush administration is boosting security funding and requiring agencies to give the White House their security statistics as part of their budget requests.

What's at Risk: With few exceptions, federal officials won't reveal which agencies are being hacked and what's going out the door.