The Communicators, CSPAN, October 24, 2011, 8:00am-8:30am EDT
8:00 am
mr. wilshusen, how would you describe generally the information, taxpayer information, how secure that is on federal web sites as well as security information that the government keeps? >> guest: well, federal agencies contain a lot of sensitive information on their computers. you mentioned taxpayer information, there's also medical information as well as classified and sensitive information related to national security, national economic security as well as business proprietary information on federal systems. this information is at risk of compromise due to a number of vulnerabilities on federal systems throughout the federal agencies. our review, which we issued last year and our report identified that weaknesses existed in key security controls at each of the 24 major federal agencies and departments. >> host: in your report you wrote that in february 2011 the
8:01 am
director of national intelligence testified that there had been a dramatic increase in malicious cyber activity targeting u.s. computers and networks -- >> host: who's installing this software, and what kind of damage does it do? >> guest: it can be any number of actors that do that. the threats to federal systems are growing and evolving, and these actors can include nation states, it can include criminal groups or organizations, hackers, potentially terrorists. and in some instances, insiders, employees and government contractors either knowingly or unwittingly installing these types of malicious software. >> host: and we'll explore that a little bit later. but jill aitoro is also with us, she's a senior reporter with the washington business journal. >> host: thank you for joining us. >> guest: thank you. >> host: one thing i noticed in the report is that you said that
8:02 am
the number of security incidents that agencies report has increased 650%. um, that's a huge number. i know a lot of times that's explained by better detection, and i know there's also quite a lot of security incidents that go unnoticed. so how should we look at that number? is it as scary as it appears to be? >> guest: well, clearly, it's a dramatic increase in the number of security incidents. from fiscal year 2006 through 2010 the number increased from 5,500 to over 41,000 security incidents, as you say, a 650% increase. 30% of those in fiscal year 10 dealt with malicious software and the installation of malicious code on federal systems and networks. and so this is quite a significant issue, and it can be both due to better reporting and detection, but also, as alluded to in peter's opening comments, to an increase in activity in
8:03 am
cyber events on federal systems. but you're absolutely right, whether that's the actual number, whether there are a number of incidents that are occurring that remain undetected, i'm sure that happens. but you don't know what you don't know, and so the bottom line is while it's been increasing quite a bit, we still don't know the full extent of it. >> host: and i know there was also one of the top incidents reported had to do with unauthorized access, so, and you mentioned, of course, insider threats. how much of this is a technology problem in terms of not having the technology in place versus a people problem where they're not following the rules and the policies? >> guest: it's probably a combination of both. in terms of an actual ratio, i don't know. but in terms of factors that contribute to this, certainly it's due to insecure systems and how agencies configure their systems and devices as well as
8:04 am
individuals taking inappropriate activities either knowingly or, again, unintentionally. for example, plugging in a thumb drive into a workstation that may contain malicious code that can cause these incidents to occur. >> host: uh-huh. and then one other point you brought up was contractors. and we've heard in recent months about a number of contractors actually getting targeted themselves and their own systems getting exploited, varying degrees of exposure involved there. is there enough policy in place for oversight of these systems, or, you know, are contractors allowed too much access? i mean, how do you make that balance in terms of contractors at the agencies versus creating or enhancing risks that already exist? >> guest: well, you raise a key point because that really gets to the crux of information security. it's risk management, balancing the cost effectiveness of security controls versus the impact it may have on operations. with contractors they are a
8:05 am
group that's particularly vulnerable, or at least to federal systems, because often as business partners we grant them greater access than we would to the normal public. and so vulnerabilities in the contractors' systems that may lead to security attacks can potentially intrude into federal systems. and federal agencies are required under fisma, the federal information security management act, to assure that the security over their information, whether on their systems or on those that are operated on their behalf such as contractors, is adequately protected. and we have shown in our audits as well as in the ig reports that agencies' oversight of contractor systems and efforts needs improvement. >> host: mr. wilshusen, what percentage of federal agencies use contractors, and what percentage are contractors in charge of this federal information?
8:06 am
>> guest: well, percentage of the 24 cfo agencies, i would say every agency uses contractors for running their i.t. operations. omb issued a report on its fisma implementation, which it is required to do under law, earlier this year, and it identified that about 1,100 of the 13,000 systems operated by the federal government, 1,100 of those were operated by contractors. in addition, of the i.t. personnel that were involved in information security activities, of which there are about 80,000 ftes, a large percentage of those -- particularly in the civilian agencies, over half of those -- were contractor personnel. so it's a large number of contractor personnel that have access to federal systems and information. >> host: and just to follow up on jill's line of questioning, does that lead to further security concerns? and what about the issue of cloud computing?
8:07 am
does that lead to security threats? >> guest: well, certainly with the use of contractors, agencies need to understand and be aware of the controls that they have in place to oversee the actions of those contractors to make sure that they adequately protect information systems and their information. with respect to cloud computing, i testified last week or the week before last on this at a congressional committee in which i indicated that our reviews have shown that cloud computing can have both positive and negative security implications. on the positive side, the use of virtualization and automation techniques that are frequently used in cloud computing deployments can help improve security insofar as getting security controls in place quickly. it can also lead to low cost disaster recovery and data storage which has been another security benefit that's been raised by the federal agencies during our review. at the same time, though, it can
8:08 am
also lead to increased security risk, particularly with respect to the fact that federal agencies now rely on these contractors, the cloud service providers, to protect their information in the cloud. often the client, or in this case the federal agency, may not have visibility, control or access to their information in the cloud. so they're reliant on the security assurances and controls of the provider to protect their information. still, federal agencies are responsible for assuring that security. another risk that was identified is that federal agencies expect to lose or may lose information should the cloud service be terminated. there's concern about interoperability standards and the fact that once a cloud service implementation has been terminated, will agencies be able to collect their information and be able to process it through another service provider or themselves?
8:09 am
>> host: you know, you mentioned fisma, and fisma has received a lot of criticism over the years in terms of being what some described as a paper-pushing exercise. there were some efforts to improve that by really emphasizing continuous monitoring of systems and networks. how far have agencies come in doing that, and then what about the next step which some say is penetration testing, actually trying to identify the vulnerabilities before they're exploited by the hackers? where do agencies stand in terms of how they're handling -- >> guest: with respect to continuous monitoring, agencies still have a long ways to go to fully implement the capabilities of continuous monitoring in their environments. as part of the recent fisma report and in our report we issued last week, we noted that igs at most of the federal agencies noted weaknesses in their agency's continuous monitoring capabilities. they either lacked appropriate policies or procedures or did not have it implemented over a
8:10 am
large percentage of their devices. in addition, in those same reports agencies reported themselves that their capability to have an automated monitoring capability over a large percentage of their devices was nonexistent at many of the agencies. for example, 14 of the 24 agencies reported that they had an automated capability for monitoring the security configurations of less than 60% of their devices. and that is a key development as well as a key requirement to implement a continuous monitoring capability, is being able to automatically monitor those on a frequent and ongoing basis because of the changes in computing environments, the changes in threats as well as the increasing interconnectivity of these computer networks. it's imperative that agencies monitor on a more frequent basis.
8:11 am
and previously you referred to the old regime of fisma, if you will. the law itself is pretty sound and based on fundamental security principles. i think it's been more of how omb and perhaps, this sc has developed the reporting instructions which led agencies to focus on what has been called a checklist approach to security. there was an emphasis on assuring that each system was certified and accredited under the old reporting regime. and as a result, agencies spent a lot of money to have certification and accreditation reports prepared. sometimes they were frequently out of date before too long. >> host: yeah. >> guest: so the continuous monitoring capability, which is designed to help improve that situation, may, once it becomes more fully mature at the agencies. >> host: and another issue, you mention the ability to, for example, secure mobile devices
8:12 am
and so forth. a lot of this comes down to procurement and the ability for agencies to buy these capabilities in a timely fashion to insure that they can stay on top of the threat. so how can the federal government work better with industry to be able to acquire the services and the products they need to better protect themselves? >> guest: well, one is to leverage the buying power of the federal government. we saw with the encryption special buy arrangement that was created by gsa that federal agencies were able to achieve significant dollar savings through the use of discounts to buy off the gsa schedule and through these special buy situations where they could achieve buying discounts and obtain a standardized set of encryption products at a more reasonable price. so one way would be to have those, the government have purchasing agreements. >> host: and would that also improve the timeliness? i know sometimes these
8:13 am
contracts, to actually acquire these products can sometimes take years if you're talking about a large procurement with just the life cycle of a given contractor, so how do you -- >> guest: right. well, that's one of the reported and potential benefits of cloud computing is that agencies would be able to provision increases in computing capabilities and capacity more promptly and timely. in our review of cloud computing, we found that several agencies we looked at were, in fact, able to reduce the amount of time necessary to acquire these resources like new servers dramatically through these case studies that we reviewed. >> host: this is c-span's "communicators" program. we're talking with greg wilshusen who is the director of information security issues at the government accountability office. new report out on the security of federal information, that is available on our web site, c-span.org/communicators.
8:14 am
jill aitoro of the washington business journal is also with us today. mr. wilshusen, again, just to follow up on jill's question, is there a government-wide system or standard that is used for security information, or is it each agency does what each agency wants? >> guest: there are federal information processing standards that are developed and promulgated by the national institute of standards and technology. in addition -- nist also issues special publications, and these are information security guidelines that are recommended or suggested for federal agencies to use. in addition, omb, the office of management and budget, issues policy memorandums as part of its oversight role of federal activities. so there are government-wide policies and procedures as well as standards.
8:15 am
and at the same time, though, federal agencies need to assess the risk and apply those standards as they pertain to their own environments. so they're going to need to be able to assess the risk and determine which appropriate controls are necessary to mitigate those risks in their own computing environments. >> host: did the gao in its report look at the framework for decision making and have any suggestions for that? >> guest: yes. in our review, we do look at the standards that nist and omb have established for federal agencies and monitor the extent to which federal agencies have implemented that. under fisma, gao is responsible for assessing the security at federal agencies and compliance with the provisions of the act. so that's the other side is federal law is another requirement for agencies to follow. and in our report we do address how well federal agencies were
8:16 am
meeting those requirements based on the work that gao has performed as well as the work that agency igs and agencies themselves have issued reports on information. >> host: and in your report you say that 11 of the 24 agencies have significant deficiencies when it comes to protecting information on federal systems. what did you mean by significant deficiencies? >> guest: okay. that statistic dealt with the result of the financial statement audits at the federal agencies. and so as part of an agency's financial statements, the auditors are supposed to review the agency's internal controls over financial resources and reporting. a key component of an agency's internal control are the controls over the financial systems. what that shows is that, actually, it's not only 11 that show significant deficiencies, but also eight that had a material weakness which is even more
8:17 am
severe in terms of that. and what a significant deficiency is, is that it's likely that an error or misstatement in an agency's financial statement would occur and not be detected through the normal course of the agency's internal control process because of the weaknesses in the i.t. security. the eight that had a material weakness means that, basically, the same thing except that the misstatement could be material to the financial statement for reporting, financial reporting purposes. >> host: um, we hear, obviously, a lot and are talking a lot about the state of federal cybersecurity, but, um, needless to say some of the biggest risks we face have to do with our critical infrastructure; transportation systems, power plants, that sort of thing. and it's up for debate how much control the federal government should have over that. so what is the state of security for the physical infrastructure of the u.s., what kind of control does the federal government have, and is that
8:18 am
changing? >> guest: well, clearly, you know, the federal government is not only reliant on the critical infrastructures for its own operations, but also has a role to play with the private sector to help protect those critical infrastructures because they are extremely important to the national security and economic security, as well as public health and safety of the nation. presently, the federal government particularly through dhs and other lead agencies for specific sectors of the private sector has established what is known as a public/private partnership in which federal government is working with the private sector to help them secure these critical infrastructures. we issued a report last year that showed that the expectations of the private sector industry groups with this partnership model were largely not being met. what they expected from their federal partners were to provide timely and actionable threat and
8:19 am
alert information. in fact, 98% of the respondents to our survey indicated that this was very important to them. but only 27% of those respondents said those expectations were being largely met by the federal government. at the same time, the federal government also had some concerns about the sharing of information on the part of the private sector in that several agencies felt that the private sector was not sharing incident information with them in a timely manner in order to be able to use in informing others. so that has been a key component within the federal efforts to assure that cyber-reliant critical infrastructures are being adequately protected. and there's still more that needs to be done. >> host: well, and i imagine the private sector is somewhat concerned about sharing the information because they could be held responsible to some degree. um, are there efforts from the
8:20 am
federal side of things to enable them to more easily and readily be able to come forward? >> guest: well, yes, there are. and one of the areas the federal government has mechanisms to try and anonymize that information so it's not readily apparent from which company or organization it came from. in addition, the department of homeland security has recently established the national cybersecurity and communications integration center or nccic, and this is a center that is to be used not only among dhs and other civilian as well as defense organizations within the federal government, but also the private sector in order to share information, to monitor ongoing security threats and incidents and to help increase the collaboration and coordination between these different parties. >> host: well, and take that global because, needless to say, other countries
8:21 am
have their own policies in place and so forth. is there a partnership, collaboration, enough of a collaboration on the global level with our allies to address this problem? and what do you do about those countries that are actually the ones targeting us in the first place? >> guest: right. that's something we looked at, also, and issued a report last year on some of the global challenges and aspects of cybersecurity. and we had found that there are a number of different federal agencies involved in these efforts, and there are a number of different efforts underway with this. but there did not seem to be a central, coordinated, overarching strategy for maintaining and delivering -- not delivering, but in discussing these global aspects. now with the cybersecurity coordinator in place, that should help. and recently they have come out with a global strategy. but we noticed a number of different challenges related
8:22 am
to the leadership on which agency and which group was to take the lead on addressing these aspects as well as just the different norms that different nations may have with regard to cybersecurity. and trying to insure that investigations were coordinated throughout the multiple organizations as you mentioned. there are a number of different countries involved in cyber attacks that can originate anywhere across the globe. and so there are a number of challenges associated with that. >> host: greg wilshusen, back to your report. you write, we have made hundreds of recommendations to agencies in fiscal years 2010 and '11 -- >> host: two-part question, what kind of recommendations, and what are the most serious, in your view, that have not been implemented? >> guest: okay. we make recommendations that
8:23 am
span both management, operational and technical controls. many of our very specific technical control recommendations are those that result in improvements to the specific configurations or architectures of an agency's network or configurations of their specific devices; servers, routers, switches, databases in their computing environment. we also make recommendations related to the weaknesses in the processes that agencies may have to address security. for example, their processes for assessing the risk and developing a cost effective security control as well as the processes for testing and evaluating those controls and taking remedial action in correcting the vulnerabilities as they become known. and so we would have a number of recommendations that address these processes as well. and so we also look at the management side and have made recommendations to how well
8:24 am
agencies assure that physical security and personnel security are adequately addressed in there. we find that, generally, agencies do agree with our recommendations and take corrective actions. but several of these have not yet fully been implemented in part because it takes some time to implement them. the ones i would say are most critical are the ones that deal with the processes and ensure they take adequate steps to evaluate their systems and take corrective actions over known weaknesses because those will transcend all types of technical control weaknesses and should also help address new threats and new vulnerabilities as they arise, as they frequently do. >> host: now, mr. wilshusen, we recently did a "communicators" segment where we talked about how much government spends on i.t. and i.t. security, and the figure was about 80 billion or something like this. how much is spent on protecting
8:25 am
information? is that something you delved into in your report? >> guest: it's something that omb for the first time reported in its fiscal year 2010 fisma report. and it noted that 15% -- no, $12 billion were spent on i.t. security activities, and that comprised about 15% of the 80 billion of the total i.t. budgets within the federal government, and that is just over the 24 cfo act agencies, the larger departments and agencies. the bulk of that cost dealt with i.t. personnel cost. >> host: um, relating to budgets, and we all heard about the drastic cuts that are going to happen as a result of the, um, the debt deal to raise the ceiling and then more coming, 1.2 trillion in cuts happening over the next ten years and so forth, if they even come up with some way of doing that. where does cybersecurity stand in terms of seeing funding taken away, and
8:26 am
how will that impact the agencies? >> guest: well, that certainly is to be decided. you know, to what extent cybersecurity will be impacted by the budget constraints that all federal agencies will be operating under. and certainly it could have an impact on how well agencies will be able to maintain and improve the security over their systems and networks. it will impact them to the extent that they will need to place greater emphasis on assessing the risk and identifying and prioritizing the key controls that help them to effectively mitigate those risks to an acceptable level. and so it will place a greater emphasis on prioritizing their information security work and assessing their risk and threats. >> host: i'm sorry. i was going to say that's a little frightening because you're saying, okay, what is most worth protecting, or can we let our guard down. and i know you said agencies
8:27 am
need to establish cybersecurity targets. what do you mean by targets, and does it have to do with prioritizing to some degree? >> guest: well, it has to do primarily with the performance measures that have been established and which agencies are to report, and omb, dhs and the congress can monitor the extent to which agencies are meeting their performance targets using these measures. so those targets relate to identifying where agencies should be performing at a certain level versus what they're actually reporting as meeting. >> host: and, again, the report put out by the government accountability office is available at c-span.org/communicators. greg wilshusen is the director of information security issues at the gao. jill aitoro, senior reporter at the washington business journal. this has been "the communicators." >> coming up next, a senate hearing examining the environmental protection agency's program that provides
8:28 am
funds to states and local communities to revitalize land contaminated by hazardous waste. after that, a discussion on increasing gas prices and their effect on the middle class. and later, we're live with a briefing by the congressional republican health care caucus on states' efforts to cover the uninsured. >> other programming today includes a discussion on the impact of the global financial crisis. you'll hear from a group of international independent analysts with the so-called joint shadow financial regulatory committee. they'll discuss what's happening in their regions of the world along with the trends they see developing and their policy recommendations. hosted by the american enterprise institute, the forum begins live at 10:30 a.m. eastern on our companion network, c-span3. and later today a hearing by a house armed services subcommittee on the future of the defense industrial base. members will hear from leaders with so-called think tanks on ways to eliminate regulations
8:29 am
that bar smaller firms from entering the defense sector. live coverage at 3 p.m. eastern also on c-span3. >> you're watching c-span2 with politics and public affairs, weekdays featuring live coverage of the u.s. senate. on weeknights watch key public policy events and every weekend the latest nonfiction authors and books on booktv. you can see past programs and get our schedules at our web site, and you can join in the conversation on social media sites. >> our review, which we issued last week in our report, identified that weaknesses existed in key security controls at each of the 24 major federal agencies and departments. >> sensitive personal and classified data stored by the federal government is at high risk of cyber attack. that's the finding of a just-released gao report. find out more with the gao's head of information security issues, greg wilshus