Computer systems abuse from insiders and outsiders plagues US federal agencies, creating mounting financial losses, according to an annual survey released last week.
More than 50% of the 82 federal agencies surveyed reported that their computer systems were accessed by unauthorized individuals last year, according to a study jointly conducted by the U.S. Federal Bureau of Investigation and the Computer Security Institute (CSI), San Francisco. Those figures show an 11-point increase from 1995 figures, when 39% of the 77 agencies surveyed confirmed unauthorised usage.
The majority of attacks or misuse resulted from viruses, insider abuse of Internet privileges, laptop theft, unauthorized access by insiders and system penetration, according to the survey.
Reported attacks and misuse of systems in the government were higher than incidents reported in the private sector. Most attacks - which include system penetration, sabotage and financial fraud - on government systems resulted from Internet access, which reverses the trend of agency employees as the most likely source of these types of attacks, says Richard Power, an analyst at CSI. FBI officials could not be reached for comment.
"The conventional wisdom has always been that 80% of the problem is insiders and 20 percent of the problem is outside," Power says. "If you had looked at the [survey] numbers a few years ago, they would have been turned around. The difference is the Internet. This indicates that, at least for government, there are a lot more people trying to get in."
More than 62% of 47 federal agencies responding said the Internet was a frequent origin of attack, while 40% cited internal access as a frequent origin of attack. Remote access was cited by 25 percent of the respondents.
The cost of these breaches also is increasing. Thirty-four agencies reported that these security breaches resulted in US$1.5 million in financial losses, according to the survey. This figure probably represents only the "tip of the iceberg," Power says, because only three-quarters of the 45 agencies that reported unauthorised use or attacks quantified their losses.
In addition, Power said that because many attacks and abuses go unnoticed, many of the agencies that reported no unauthorised use probably had suffered some losses.
The Air Force is one agency that appears to be making progress against security breaches.
According to recent US Air Force Computer Emergency Response Team statistics, the number of Air Force hacking incidents decreased to 47 in 1996 compared with 84 in 1995, and the number of intrusions decreased to 20 in 1996 from 26 in 1995. Attacks from computer viruses, however, jumped to 896 in 1996 from 583 a year earlier.
According to Major General Michael Hayden, commander of the Air Force's Air Intelligence Agency (AIA), hackers are shying away from Air Force sites because the agency has demonstrated its ability to track and prosecute them. Of 111 Air Force bases, 104 have fully operational automatic intrusion detection systems, and the remaining bases will have systems within weeks, he says.
The solution to federal agency - and private-sector - security breaches is better training, Power says.
Captain Philip Ray, director of the U.S. Navy's Information Warfare/Command and Control Division, says his office is pushing for increased security training for network administrators.
"Everybody thinks that technology is going to solve the problem. To realise true security, you have to bring the work force along. It's a cultural change," Ray said.