tv The Communicators CSPAN October 22, 2011 6:30pm-7:00pm EDT
6:30 pm
today. that is the point. this is nothing new. we need to get ahead of the curve and make long-term, fundamental, unpredictable changes in our tax and regulatory policies. i am hearing from everybody, from fortune 500's to companies of three or one, everybody is saying the same thing. they need certainty and stability, because uncertainty has a price tag. and that price tag is being borne right now by the americans unemployed. that is what we have to correct. i am not here to find blame. i'm here to get the job done for the american people. >> you can watch the entire hearing on c-span at 12:30 p.m. eastern. >> this week on "the communicators" we learn about risk to security of data on computers at 24 federal government agencies.
6:31 pm
host: the government accountability office released a report on the security of federal information and information on the federal websites. greg wilshusen is the information security issues director at the government accountability office. it is his report that came out. mr. wilshusen, how would you describe, generally, information, taxpayer information, how secure that is on federal web sites, as well as security information that the government keeps? guest: federal agencies contain a lot of sensitive information on their computers. you mentioned taxpayer information, results of medical information as well as classified information related to national security and economic security as well as business proprietary information on federal systems. this information is at risk of compromise due to a number of vulnerabilities on federal
6:32 pm
systems. our review which we issued last week and our report identified that weaknesses existed in key security controls at each of the 24 federal agencies. host: in your report, you wrote that in february the director of national intelligence testified that there was a dramatic increase in malicious cyber activity targeting u.s. information and networks, including a more than tripling of the volume of malicious software since 2009. who is installing the software and what kind of damage is it doing? guest: it could be any number of actors that target the federal systems. these actors can include nation states, criminal groups or organizations, hackers, potentially terrorists. in some instances, insiders, employees and government contractors either knowingly
6:33 pm
or unwittingly installing this malicious software. host: jill aitoro is a senior reporter with the "washington business journal." guest: you said that the number of security incidents that agencies report has increased 650%. that is a huge number. i know a lot of times that is explained by better detection. theirs is -- there are quite a lot of incidents that go unnoticed. how should we look at that number? guest: clearly, it is a dramatic increase in the number of incidents from fiscal year 2006 through 2010. the number increased from 5500 to 41,000 security incidents. a 650% increase. 10% of those in 2010
6:34 pm
dealt with malicious software. this is a submitter to issue. it can be due to better reporting and detection, but also to an increase in activity and cyber of men's and federal systems. but you're absolutely right. whether that is the actual number, whether there are a number of incidents that are occurring that remain undetected, i am sure that happens. but you do not know what you do not know. the bottom line is what has been increasing, we do not know the full extent. guest: in addition to malicious software, there were the top reports due to unauthorized access. you mentioned insider threat. how much of this is a technology problem in terms of not having the technology in place versus a people problem, where they are not following the policies? guest: it is probably a
6:35 pm
combination of both. in terms of a ratio, i do not know. in terms of factors that contribute to this, certainly it is due to insecure systems and how agencies configure their systems and devices as well as individuals taking inappropriate activities, either knowingly or unintentionally. for example, plugging in a thumb drive that may contain malicious code that could cause these incidents to occur. guest: one other point you brought up with contractors. we heard about a number of contractors targeted themselves and their systems get exploited, varying degrees of exposure and fall. is there enough policy in place for oversight of these systems? or are contractors allowed too much access? how do you strike that balance?
6:36 pm
guest: with contractors, they are groups that are vulnerable because often, as business partners we grant them greater access than we would to the normal public. so a vulnerability in a contractor's systems may lead to security attacks. it can potentially intrude into federal systems. federal agencies are required under fisma to assure the security over their information, whether on their systems or on those that are operated on their behalf, such as contractors, is adequately protected. and we have shown in our audits as well as in the i.g. reports
6:37 pm
that agencies' oversight of contractor systems and efforts needs improvement. host: what percentage of federal agencies use contractors and what percentage are contractors in charge of the special information? guest: percentage of the 24 agencies, every agency uses contractors for their i.t. operations. omb issued a report on its fisma implementation last year, early this year, and it identified that about 1100 of the 13,000 systems operated by federal government were operated by contractors. in addition, of the i.t. personnel that were involved in information security operations, in which there were 80,000 fte's, over half of those were
6:38 pm
contractor personnel. so it is a large number of contractor personnel that have access. host: just a follow-up on that line of questioning, does that lead to further security concerns? what about the issue of cloud computing? guest: certainly with the use of contractors, agencies need to understand and be aware of the controls they have in place to oversee the actions of those contractors to make sure that they adequately protect information systems and their information. with respect to cloud computing, i testified on the congressional committee last week, in which i indicated that our review can have both positive and negative implications. on the positive side, the use of automation techniques can help
6:39 pm
improve security insofar as getting security controls in place quickly. it can also lead to low-cost disaster recovery and data storage, which has been another security benefit raised by the federal agencies during our review. at the same time, though, it can also lead to increased security risk. particularly with respect to federal agencies now relying on these contractors or the cloud service providers to protect their information in the cloud. often, the client or the federal agency may not have visibility or control or access to their information. relying on the security assurances of the provider to protect their information. so federal agencies are responsible for assuring that security. another risk that was identified is that federal agencies expect to lose or may lose information should the
6:40 pm
cloud service be terminated. there is concern about interoperability standards and the fact that once a cloud service has been terminated, will agencies be able to collect the information and process that? guest: you mentioned fisma, and they have received criticism over the years in terms of being a paper pushing exercise. their efforts to improve that by emphasizing continuous monitoring of systems. how far have agencies come in doing that? and what about the next step which some say is penetration testing, trying to identify the vulnerability before they are exploited by the hackers? where do agencies stand? guest: with respect to continuous monitoring, agencies have a long ways to go. as far as the recent fisma
6:41 pm
report, we noted that i.g.'s at most of the federal agencies noted weaknesses in their agencies' continuous monitoring capabilities, either lacked the proper policies or procedures or did not have it implemented over a large percentage of their devices. in a sense reports, agencies reported themselves -- in those same reports, agencies reported that their ability to have a monitoring capability over a large percentage of their devices is nonexistent. for example, 14 of the 24 agencies reported that they have less than -- they had an automated monitoring capability for monitoring the security configurations for less than 60% of their devices. and that is a key development, and a key requirement to implement a continuous monitoring capability. is to be able to automatically monitor those on a frequent and
6:42 pm
ongoing basis, because of the changes in computing environments and changes in threats, as well as the increase in connectivity of these computer networks, it's imperative that agencies monitor on a more frequent basis. you referred to the old regime of fisma. the law is sound and based on fundamental security principles. it has been more of how omb and perhaps we have developed the reporting instructions which led agencies to focus on some of the check list approaches to security. there's an emphasis on assuring that each system is secured under the old reporting regime. agencies spent a lot of money to have accreditation reports prepared sometimes, they were
6:43 pm
out of date. so the continuous monitoring capability that was designed to improve that situation may need to become more mature at the agencies. guest: you mentioned the ability to secure mobile devices and so forth. all of this comes down to procurement and the ability for agencies to buy these capabilities in a timely fashion to ensure that they stay on top of the threat. so how can federal government work better with the industry to be able to acquire the services and products they need to protect themselves? guest: one is to leverage the buying power of the government. we saw with the encryption special buy arrangement created by gsa that federal agencies were able to achieve significant dollar savings through the discounts to buy off the gsa schedule.
6:44 pm
obtain a standardized set of services and products at a discount. guest: would that improve the timeliness? sometimes these contracts take years if you're talking about large procurements with the life cycle of a given contract. guest: that is one of the reported and potential benefits of cloud computing is that agencies would be able to provision increases in capacity more promptly and timely. in our review, we found that several agencies were able to reduce the amount of time necessary to acquire these resources like new servers dramatically through these case studies. host: this is c-span's "the
6:45 pm
communicators". we are talking with greg wilshusen, director of information security at the government accountability office. a report out on security of information in the government, that is available on our web site at c-span.org/communicators. just to follow up, is there a government wide system or a standard that is used for security information, or is it that each agency does what each agency wants? guest: there are government wide standards that are promulgated by the national institute of standards and technology. in addition, they also issue special publications. these are information security guidelines that are recommended
6:46 pm
or suggested for federal agencies to use. omb issues policy memoranda as part of its oversight role of federal activities. so there are government wide policies and procedures as well as standards. at the same time, though, federal agencies need to assess the risk and apply the standards as they pertain to their own environment. so they need to be able to assess the risk and determine which controls are necessary to mitigate those risks in their own computing environment. host: did the gao look at a framework for decision making and have suggestions? guest: yes. in our review we look at the standards that omb has established for federal agencies and monitor the extent to which federal agencies have implemented that. under fisma, gao is responsible
6:47 pm
for assessing the security at federal agencies and compliance with the provisions of the act. that is the other side; it is federal law. another requirement for agencies to follow. in our report we do address how well federal agencies are meeting those requirements based on the work that gao has performed, as well as the work that agency i.g.'s and agencies themselves have issued. host: 11 of the 24 agencies have significant deficiencies when it comes to protecting information on federal systems, you say. what did you mean by significant deficiencies? guest: that dealt with the result of the financial statement audits of federal agencies. as part of an agency's audit, the auditors are supposed to review their internal controls
6:48 pm
over financial resources and reporting. a key component of an agency's internal control are the controls of the financial systems. what that shows, it is not only 11 but 8 that had a material weakness which is more severe. what a significant deficiency is is that it is likely that an error or misstatement in a financial statement would occur and not be detected through the normal course of the agency's internal control process, because of the weaknesses in i.t. security. a material weakness means the same thing, except that the misstatement could be material to the financial statement for reporting purposes. guest: we hear a lot about the state of federal service
6:49 pm
security, but some of our biggest risks we face have to do with our infrastructure -- transportation systems, power plants. it is up for debate how much the federal government should have over that. what is the state of security for the critical infrastructure? what kind of control does the government have and is that changing? guest: the federal government is not only reliant on the critical infrastructure as far -- for its own operations, but also has a role to play with the private sector to help protect those critical infrastructures, because they are extremely important to the national security and economic security. as is public health and safety of the nation. presently, the federal government, particularly through dhs and other lead agencies for specific sectors of the private sector, has established what is known as a public-private partnership in which federal government is working with the private sector to help them secure these critical infrastructures. we issued a report last year
6:50 pm
that showed that the expectations of the private sector industry groups with this partnership model were largely not being met. what they expected from the federal partners was to provide timely and actionable threat and alert information. in fact, 98% of the respondents to our survey indicated this was very important to them. but only 27% of those repined -- respondents said that those expectations were being met by the federal government. at the same time, the federal government also had some concerns about the sharing of information on the part of the private sector in that several agencies felt that the private sector was not sharing incident information with them in a timely manner in order to be able to use and inform others. so that has been a key component
6:51 pm
within the federal efforts to ensure that critical cyber infrastructures are being protected. guest: i imagine the private sector is concerned about sharing information because they could be held responsible. are there efforts from the federal side of things to enable them to more easily and readily be able to come forward? guest: yes, there are. one of the areas is with the security information. the federal government has the mechanisms to anonymize the information so it is not readily apparent from which company or organization it came. in addition, the department of homeland security has recently established the national cyber security integration center. this is a center that is to be used not only among dhs and other civilian and defense organizations within the federal
6:52 pm
government, but also the private sector in order to share information, to monitor ongoing security threats and incidents, and to help increase the collaboration and coordination between these different parties. guest: take that global. other countries have their own policies in place. is there a partnership, enough of a collaboration on the global level with our allies to address this problem? what do you do about those countries that are the ones targeting us in the first place? guest: right. that is something we looked at in a report issued last year on some of the global challenges and aspects of cyber security. and we have found that there are a number of different federal agencies involved in these efforts, and there are a number of different efforts under way. but there did not seem to be a central, coordinated, overarching strategy for maintaining and delivered --
6:53 pm
not delivering, and discussing these global aspects. now with the cyber security coordinator in place, that should help. they have come out with a global strategy. we have noticed a number of different strategies related to the leadership, which agency or group was to take the lead on addressing these aspects, as well as just the different norms that nations may have with regard to cyber security and trying to ensure that investigations were coordinated throughout the multiple organizations, as you mentioned. there are a number of different countries involved in cyber attacks that can originate anywhere across the globe. and so there are a number of challenges as to how to deal with that. host: greg wilshusen, you write, "we have made hundreds of recommendations to agencies in fiscal years 2010 and 2011 to
6:54 pm
address the security control deficiencies. however, most of these recommendations have not been fully implemented." what kind of recommendations and what are the most serious that have not been implemented? guest: we make recommendations that span management, operational, and technical controls. many of our technical control recommendations are those that result in improvements to specific configurations or architectures of the agency's network or configurations of their specific devices. so routers, switches, and databases. we also make recommendations related to the weaknesses in the prosthesis that agencies may have to address -- in the processes that agencies may have to address. there are processes for testing and evaluating those controls
6:55 pm
and taking remedial action in correcting the vulnerabilities as they become known. and so we would have a number of recommendations that address these processes as well. and so we also look at the management side and have made recommendations to how well agencies ensure that physical security and personnel security are adequately addressed in there. we find that in general agencies agree with our recommendations and take corrective actions, but several of these have not yet been fully implemented. in part because it takes some time to implement them. the ones i would say are most critical are the ones that deal with the processes and assure that they take adequate steps to test and evaluate their systems and take corrective actions over known weaknesses because those will transcend all types of technical control weaknesses and should also help address new threats and vulnerabilities as
6:56 pm
they arise. host: now, we recently did a "communicators" where we talked about how much the government spends on i.t. security. the figure was $80 billion. how much is spent on protecting information? is that something you delve into? guest: it is something that the omb for the first time reported in this fiscal year 2010 fisma report. $12 billion was spent on i.t. security activities. that comprised 15% of the $80 billion of the total i.t. budget within the federal government. and that is just over the 24 cfo act agencies, the larger departments. the bulk of the cost dealt with i.t. personnel costs. guest: relating to budgets, and
6:57 pm
we heard about the cuts that would take place as a result of the debt deal. $1.20 trillion in cuts happening over the next two years. what, where does cyber security stand in terms of seeing funding taken away? and how will that impact agencies? guest: that is to be decided. to what extent does server security -- is cyber security impacted by budget constraint? certainly, it could have been -- have an impact on how well agencies are able to maintain and improve the security over their systems. it will impact them to the extent that they will need to place greater emphasis in assessing their risk and identifying and prioritizing the key controls that help them to mitigate those risks. and so it will place a greater emphasis on prioritizing their
6:58 pm
information security and assessing their risk and threats. guest: that is frightening, because you are saying what is most worth protecting, or where can we let our guard down? and i know in your report you said that agencies need to establish cyber security targets. what do you mean by targets? does it have to do with prioritizing? guest: it has to do primarily with the performance measures in which agencies are to report. omb, dhs, and the congress can monitor the extent to which agencies are meeting their performance targets using these measures. so those targets relate to us identifying where agencies should be performing at a certain level versus what they are reported as meeting. host: again, the report is available at c-span.org/communicators. greg wilshusen is the director
6:59 pm
of information security at gao. jill aitoro of washington business journal. this has been "the communicators." >> sunday on "newsmakers", senator tom harkin, chairman of the health, education, labor, and pensions committee. he will talk about the committee's work on the no child left behind act. also the status of jobs legislation. that is at 10:00 a.m. and 6:00 p.m. eastern on c-span. >> tomorrow on washington journal, a talk about the future of libya. alex lawson, the executive director of social security works, has details of the 3.6% increase in benefits next year. and a political roundtable with politico's senior reporter