tv The Communicators CSPAN October 24, 2011 8:00pm-8:30pm EDT
8:00 pm
we learn about risks to the security of data on computers at 24 federal government agencies. >> host: recently the government accountability office released a report on the security of federal information and information on federal web sites. greg wilshusen is the information security issues director of the government accountability office. it's his report, his and his team's report, that came out. mr. wilshusen, how would you describe, generally, the information, taxpayer information, how secure that is on federal web sites as well as security information that the
8:01 pm
government keeps? >> guest: federal agencies contain a lot of sensitive information on their computers. you mention taxpayer information. there is also medical information as well as classified and sensitive information related to national security, national economic security, as well as business proprietary information on federal systems. this information is at risk of compromise due to a number of vulnerabilities on federal systems throughout federal agencies. our review, which we issued last week in our report, identified that weaknesses exist in key security controls at each of the 24 major federal agencies in the government. >> host: in your report you wrote that in february 2011 the director of national intelligence testified that there had been a dramatic increase in malicious cyber activity targeting u.s. computers and networks, including a more than tripling of the volume of malicious software
8:02 pm
since 2009. who is installing the software and what kind of damage does it do? >> guest: it can be a number of factors. the threats to federal systems are growing and evolving, and these factors can include nation states. they include criminal groups or organizations, hackers, potentially terrorists and in some instances insiders, employees and government contractors, either knowingly or unwittingly installing these types of malicious software. >> host: we will explore that a little bit later, but jill aitoro is a senior reporter with the "washington business journal." >> guest: thank you for joining us. one thing i noticed in the report is that you said that the number of security incidents that agencies report has increased 650%. that is a huge number. i know a lot of the time -- better detection, and there's also a lot
8:03 pm
that goes unnoticed. how should we look at that number? is it as scary as it appears to be? >> guest: clearly it is a dramatic increase in the number of security incidents. from fiscal year 2006 to 2010 the number increased from 5,500 to over 41,000 security incidents. as you say, a 650% increase. 30% of those in fiscal year '10 dealt with malicious software and the installation of that code on federal systems and networks. so this is quite a significant issue, and it can be due both to better reporting and detection but also, as alluded to in peter's opening comments, to an increase in activity in cyber events on federal systems. but you are absolutely right. whether that is the actual number, whether there are a number of incidents that are occurring that remain undetected, i'm sure that happens, but you don't know what you don't know,
8:04 pm
and so the bottom line is, while it has been increasing quite a bit, you don't know the full extent of it. >> guest: i know in addition to malicious software there was also, one of the top incidents reported had to do with unauthorized access. you mentioned of course insider threats. how much of this is a technology problem, in terms of not having the technology in place needed to protect the systems, versus a people problem, where they are not following rules or policies? >> guest: it is probably a combination of both. in terms of an actual ratio, i don't know, but in terms of factors that contribute to this, certainly it is due to insecure systems and how agencies design or configure their systems and their devices, as well as individuals taking inappropriate actions either knowingly or unintentionally. for example, plugging a thumb drive into a workstation may introduce malicious code that can
8:05 pm
cause these incidents to occur. >> guest: and then one other point you brought up, with contractors. we have heard in recent months about a number of contractors getting targeted themselves and their own systems getting exploited to various degrees of exposure. is there not policy in place for oversight of the systems, or are contractors allowed too much access? how do you make that balance in terms of contractors in the agency versus creating or enhancing risks that already exist? >> guest: you raise a key point, because that gets to the crux of information security, risk management, balancing the cost effectiveness of security controls versus the impact it may have on -- with contractors, they are a group that is particularly vulnerable, or at least to the federal systems, because often as business partners we grant them greater access than we would to the normal public, so vulnerabilities in the contractor systems that may lead to a security attack can
8:06 pm
potentially be introduced into federal systems. federal agencies are required under fisma, the federal information security management act, to assure that the security over their information, whether on their systems or on those operating on their behalf such as contractors, is adequately protected, and we have shown in our audits as well as in the ig reports that agencies' oversight of contractor systems and efforts need improvement. >> host: mr. wilshusen, what percentage of federal agencies use contractors, and what percentage are contractors in charge of this federal information? >> guest: well, percentage, of the 24 cfo act agencies i would say every agency has contractors for some of their i.t. operations. omb issued a report on its fisma implementation, which it is required
8:07 pm
to under law, last year or early this year, and it identifies that about 1,100 of the 13,000 systems operated by the federal government, 1,100 of those, were operated by contractors. in addition, of the i.t. personnel that were involved in information security activities, for which there are about 80,000 ftes, a large percentage of those, particularly in the civilian agencies, over half of those, were contractor personnel. so it is a large number of contractor personnel that have access to information. >> host: to follow up on jill's line of questioning, does that lead to further security concerns, and what about the issue of cloud computing? does that lead to security threats? >> guest: certainly with the use of contractors, agencies need to understand and be aware of the controls they have in place to oversee the actions of those contractors to make sure
8:08 pm
they adequately protect information systems and their information. with respect to cloud computing, i testified last week before a senate congressional committee, in which i indicated our reviews have shown that cloud computing can have both positive and negative security implications. on the positive side, the use of virtualization and automation frequently used in cloud computing deployments can help improve security insofar as getting security controls in place quickly. it can also lead to low-cost disaster recovery and data storage, which has been another security benefit raised by the federal agencies during our review. at the same time, though, it can also lead to increased security risks, particularly with respect to federal agencies now relying on these contractors and the cloud service providers to protect their information in the cloud.
8:09 pm
also, the client, or in this case the federal agency, may not have visibility or control or access to this information on the cloud, so they are relying on the security assurances and controls of the provider to protect their information. federal agencies are responsible for assuring that security. another risk that we have identified is that federal agencies expect to lose or may lose information should the cloud service be terminated. there is concern about interoperability standards and the fact that once the cloud service implementation is terminated, will agencies be able to extract their information and be able to process -- process it. >> guest: you know, you mentioned fisma, and fisma has received a lot of criticism over the years in terms of being what some describe as a paper-pushing exercise. there were efforts to improve that by really emphasizing continuous monitoring of systems
8:10 pm
and networks. how far have agencies come in doing that, and then what about the next step, which some say is penetration testing, and trying to identify the vulnerabilities before they are exploited by the hackers. where do the agencies stand in terms of improving how they're handling it? >> guest: with respect to continuous monitoring, agencies have a long way to go to implement the capabilities of continuous monitoring in their environments. as part of the recent fisma report, and in our report we issued last week, we noted that igs at most of the federal agencies noted weaknesses in their agencies' continuous monitoring capabilities, either by not having appropriate policies and procedures or by not having implemented them over a large percentage. in addition, in those same reports, agencies reported themselves that their capability to have monitoring capability over a large percentage of their devices was nonexistent in many
8:11 pm
of the agencies. for example, 14 of the 24 agencies reported that they had less than, that they had an automated monitoring capability for monitoring the security configurations of less than 60% of their devices. and that is a key development as well as a key requirement to implement a continuous monitoring capability, to be able to monitor those on a frequent and ongoing basis, because of the changes in the computing environments, the changes in threats, as well as the increasing interconnectivity of these computer networks. it is imperative that agencies monitor on a more frequent basis than they have been. under previous -- you referred to the old regime of fisma. the law itself is pretty sound and based on fundamental security principles. i think it has been more of how
8:12 pm
omb and -- have developed the reporting instructions, which led agencies to focus on some of what has been called a checklist approach to security. there was an emphasis on assuring that each system was certified and accredited under the old regime, and as a result agencies spent a lot of money to have certification and accreditation reports prepared. sometimes they are frequently out of date. so the continuous monitoring capability, which is designed to help improve that situation, has yet to become fully mature at the agencies. >> guest: another issue, you mentioned the ability to, for example, secure mobile devices and so forth. a lot of this comes down to procurement and the ability for these agencies to buy capabilities in a timely fashion to ensure they can stay on top of the threats. so how can the federal government work better with industry to be
8:13 pm
able to acquire the services and the products they need to better protect themselves? >> guest: one is to leverage the buying power of the federal government. we saw with encryption a special buy arrangement that was created by gsa. federal agencies were able to achieve significant dollar savings through the use of buying discounts, to buy off the schedule, and through the special buying situations where they could achieve buying discounts and obtain standardized sets of encryption products at a more reasonable price. so one way would be to add those government-wide type approaches and agreements. >> guest: would that also improve the timeliness? i know sometimes these contracts actually require -- these products can take years if you are talking about a large procurement, which is the lifecycle of a given contract. >> guest: right, that is one of the reported and potential benefits of cloud computing, is
8:14 pm
that agencies would be able to provision increases in computing capabilities and capacity more promptly and timely. in our review of cloud computing, we found that at several agencies we looked at, they were in fact able to reduce the amount of time necessary to acquire these resources, and dramatically, through these case studies that we reviewed. >> host: this is c-span's "communicators" program. we are talking with greg wilshusen, who is the director of information security issues at the government accountability office. a new report out on the security of federal information is available on our web site, c-span.org/communicators. jill aitoro of the "washington business journal" is also with us today. mr. wilshusen, again, just to follow up on jill's question, is there a government-wide system or standard that is used for
8:15 pm
security information, or is it each agency does what each agency wants? >> guest: there are government-wide standards that are developed and promulgated by the national institute of standards and technology. in addition, it also issues special publications, and these are information security guidelines that are recommended or suggested for federal agencies to use. in addition, omb, the office of management and budget, issues policy memorandums as part of its oversight role of federal activities, so there are government-wide policies and procedures as well as standards, and at the same time, though, federal agencies need to assess the risks and apply those standards as they pertain to their own environments. so they're going to need to be able to assess the risk and
8:16 pm
determine which appropriate controls are necessary to mitigate those risks in their own computing environment. >> host: did the gao in its report look at the framework for decision-making and have any suggestions for that? >> guest: yes, in our review we do look at the standards that omb has established for federal agencies and monitor the extent to which federal agencies have implemented them. under fisma, gao is responsible for assessing the security at federal agencies and compliance with the provisions of the act. so that is the other side of the federal law. it's another requirement for agencies to follow. in our report we do address how well federal agencies are meeting those requirements, based on the work the gao has done as well as the work that agency igs and the agencies themselves have issued reports on. >> host: and in your report, you say that 11 of the 24
8:17 pm
agencies have significant deficiencies when it comes to protecting information on federal systems. what did you mean by significant deficiencies? >> guest: okay, that statistic dealt with the results of the financial statement audits at the federal agencies. and so as part of an agency's audit, the audit of the financial statements, the auditors are supposed to review the agency's internal controls over financial resources and reporting. a key component of an agency's internal control are the controls over the financial systems. what that shows is actually not only 11 that show significant deficiencies but also eight that had material weaknesses, which is even more severe in terms of that. what a significant deficiency is, is that it is likely an error or misstatement in the agency's financial statement would occur and not be detected through the
8:18 pm
normal course of the agency's internal control process, because of the weaknesses in i.t. security. the eight that had a material weakness means basically the same thing, except that the misstatement could be material to the financial statement for reporting, financial reporting purposes. >> guest: we hear obviously a lot and are talking about the state of federal cybersecurity, but needless to say some of the biggest risks we face have to do with our critical infrastructure, transportation systems, power plants and that sort of thing, and it is up for debate how much control the federal government should have over that. so what is the state of security for the physical infrastructure of the u.s.? what kind of control does the federal government have, and is that changing? >> guest: clearly, the federal government is not only reliant on the critical infrastructure as far as its own operations but also has a role to play with the private sector to help protect those critical infrastructures, because they are extremely
8:19 pm
important to the national security and economic security, as well as public health and safety. the federal government, particularly through dhs and other agencies as far as specific sectors, has established what is known as a public-private partnership, in which the federal government is working with the private sector to help them secure these critical infrastructures. we issued a report last year that showed that the expectations of the industry groups with these partnership models were largely not being met. what they expected from their federal partners was to provide timely and actionable threat and alert information. in fact, 90% of the respondents to our survey indicated that this was very important to them. but only 27% of those respondents said that they were,
8:20 pm
those expectations were being largely met by the federal government. at the same time, the federal government also had some concerns about the sharing of information on the part of the private sector, and several agencies felt that the private sector was not sharing incident information with them in a timely manner in order to be able to use it in informing others. so that has been a key component within the federal efforts to assure that cyber-reliant critical infrastructure is being adequately protected. there is still more that needs to be done. >> guest: i imagine the private sector is somewhat concerned about sharing the information because they could be held responsible to some degree. is there an effort from the federal side of things to enable them to more easily and readily be able to come forward? >> guest: well, yes, there are. one of the areas, security incident information, the federal government has
8:21 pm
mechanisms to anonymize that information so it is not readily apparent from which companies or organizations it came. in addition, the department of homeland security has recently established a national cybersecurity and communications integration center, and this is a center that is to be used not only among dhs and other civilian as well as defense organizations within the federal government but also the private sector, in order to share information, to monitor ongoing security threats and incidents, and to help increase the collaboration, the coordination between these different parties. >> guest: and to take that global, because needless to say other countries have their own policies in place and so forth. is there a partnership collaboration, enough of a collaboration on the global level with our allies to address this problem, and what do you do about those countries that are actually the ones targeting us in the first place? >> guest: that is something we
8:22 pm
looked at also and issued a report last year on some of the global challenges and aspects of cybersecurity. and we have found that there are a number of different federal agencies involved in these actions -- these efforts, and there are a number of different efforts underway with this. but there did not seem to be a central coordinator or overarching strategy for maintaining and delivering -- not delivering, but in discussing these global aspects. now with the cybersecurity coordinator in place, that should help. recently they have come out with a global strategy, but we noticed a number of different challenges related to the leadership, on which agency and which group is to take the lead on addressing these aspects, as well as just the different norms that different nations may have with regard to cybersecurity,
8:23 pm
and trying to ensure that investigations were coordinated throughout the multiple organizations, as you mentioned, and the number of different countries involved, with cyberattacks that can originate anywhere across the globe. there are a number of challenges associated with that. >> host: greg wilshusen, back to your report. you write, we have made hundreds of recommendations to agencies in fiscal years 2010 and '11 to address the security control deficiencies. however, most of these recommendations have not been fully implemented. a two-part question. what kind of recommendations, and what are the most serious in your view that have not been implemented? >> guest: we make recommendations that span management, operational and technical controls. many of our very specific technical control recommendations are those that result in improvements to the specific configurations or architectures of an agency's network or configurations of
8:24 pm
their specific devices: servers, routers, switches, databases in their computing environment. we also make recommendations related to the weaknesses in the processes that agencies may have to address security. for example, their processes for assessing the risks and developing cost-effective security controls, as well as the processes for testing and evaluating those controls and taking remedial action and correcting the vulnerabilities as they become known. and so we would have a number of recommendations that address these processes as well. so we also look at the management side and have made recommendations as to how well agencies assure that physical security and personnel security are adequately addressed. we find generally agencies do agree with our recommendations and take corrective actions, but several of these have not yet been fully implemented, in part
8:25 pm
because it does take some time to implement them. the ones i would say are the most critical are the ones that deal with the processes and ensure that they take adequate steps to test and evaluate systems and take corrective action for known weaknesses, because those will transcend all types of technical control weaknesses and should also help address new threats and new vulnerabilities as they arrive -- as they arise, and they frequently do. >> host: mr. wilshusen, we recently did a "communicators" segment where we talked about how much government spends on i.t. and i.t. security, and the figure was about 80 billion or something like this. how much is spent on protecting information? is that something you delved into in your report? >> guest: it is something that omb for the first time reported in its fiscal year 2010 fisma report, and it noted that 15 --
8:26 pm
no, $12 billion was spent on i.t. security activities, and that comprised about 15% of the 80 billion of the total i.t. budget within the federal government, and that is just over the 24 cfo act agencies, the larger departments and agencies. the bulk of that, the cost, dealt with i.t. personnel costs. >> guest: relating to budgets, and we all heard about the drastic cuts that are going to happen as a result of the debt deal to raise the ceiling, and then more coming, 1.2 trillion in cuts happening over the next 10 years and so forth, if they even come up with some way of doing that. where does cybersecurity stand in terms of seeing funding taken away, and how would that impact agencies? >> guest: well, that certainly is to be decided, to what extent cybersecurity will be impacted by the budget constraints that all federal agencies will be operating
8:27 pm
under. certainly it could have an impact on how well agencies will be able to maintain and improve the security over their systems and networks. it will impact them to the extent that they will need to place greater emphasis on assessing their risks and identifying and prioritizing the key controls that help them to effectively mitigate those risks to an acceptable level. so it will place a greater emphasis on prioritizing their information security work and assessing their risks and threats. >> guest: i'm sorry. i was going to say that is a little frightening, because you are saying, okay, what is most worth protecting, or where can we kind of let our guard down to some degree? i know in your report you said the agencies need to establish cybersecurity targets. what do you mean by targets, and what does that have to do with prioritizing? >> guest: it has to do primarily with the performance measures that have been established, on which agencies are to report so that omb, dhs and
8:28 pm
the congress can then monitor the extent to which agencies are meeting their performance targets, using these measures. those targets relate to identifying where agencies should -- where agencies should be performing versus what they are actually reporting. >> host: again, the report put out by the government accountability office is available at c-span.org/communicators. greg wilshusen is the director of information security issues at the gao. jill aitoro, senior reporter at the "washington business journal." this has been "the communicators."
8:29 pm