GAO: US Treasury’s security ‘ineffective’

During the past few years, the U.S. General Accounting Office has issued dozens of reports skewering security measures at various federal departments and agencies. It has tested security by using techniques ranging from government-sponsored break-ins to audits.

This month it released another security assessment, little different from its previous ones. This one, however, was aimed at the agency that manages the government’s US$1.9 trillion cash box, the U.S. Department of the Treasury.

In a public version of its report (the nonpublic, limited distribution version has the gritty details), the GAO said the Treasury Department’s overall security control environment “continues to be ineffective in identifying, deterring and responding to computer control weaknesses promptly. Consequently, billions of dollars of payments and collections are at significant risk of loss or fraud, sensitive data are at risk of inappropriate disclosure, and critical computer-based operations are vulnerable to serious disruptions.”

These kinds of problems aren’t new to federal officials, and the Bush administration called for security improvements and new electronic government initiatives in a fiscal 2003 budget proposal that would hike IT spending by more than 10 percent.

The White House wants $50 billion in IT spending next year, up from an estimated $45 billion this year. In 1999, federal IT spending was $32.9 billion.

The intent of this year’s IT budget push is to “unify hundreds of redundant government computer systems across agencies that act as ‘islands of automation,’” according to the Bush administration budget. These systems, according to the proposed budget, “have held back necessary productivity gains.”

The Bush administration acknowledged that security is a problem and said its budget proposal “reflects IT investment decisions made to address security gaps.”

Specifically, the budget plan calls for “greatly increasing” senior management attention to computer security, establishment of performance measures, increasing the security education and awareness of IT managers and end users, full integration of security into capital planning and ensuring that contractors are adequately secure.

“The United States can no longer afford to be the world’s No. 1 superpower yet run the risk of being second-rate as a federal government in providing services to its citizens,” the administration said in its budget request.

The Treasury Department will likely get a big chunk of those IT dollars. This department disbursed more than $1.9 trillion in Social Security and veterans benefit payments, tax refunds and federal salaries.

The “overriding reason” that computer security problems exist at this department, the GAO said, is the absence of an “effective entity-wide computer security management program.”

Ray Bjorklund, a vice president at consulting firm Federal Sources Inc. in McLean, Va., said civilian agencies of the U.S. government have been lagging behind federal defense and security agencies in protecting systems.

“The civilian agencies are going to have to catch up with the higher levels of security measures that already exist in the national security community,” said Bjorklund.

The GAO, which has reviewed Treasury Department security operations in two previous reports, acknowledged that the department is making improvements. But in a letter to the GAO, Treasury officials wrote that the government watchdog agency was being a little too harsh and inaccurate.

“In particular, we have made great strides in eliminating the vulnerabilities caused by old legacy systems and obsolete technology,” wrote Richard Gregg, commissioner of the Treasury Department’s Financial Management Service. “This progress — and the significant reduction in risk as a result of these actions — is not reflected in your report.”

“It is my belief that we have made substantial progress in our computer and security controls, and we have a maturing entity-wide security program,” said Gregg.