Horn, GAO plot security agenda

By Shruti Dat'GCN StaffRep. Steve Horn is weighing the use of grades to evaluate federal computer security efforts'something similar to the year 2000 report cards the California Republican began doling out two years ago.Agency chief information officers, however, said that such an oversight initiative must be implemented with caution.Horn said the staff of his House Government Reform Subcommittee on Government Management, Information and Technology will work with a Government Accounting Office task force on the computer security project.'We've got to first work out the quantifiable way to make comparisons and the degree to which agencies could give us the information to start with,'' Horn said this month from his Long Beach, Calif., district office. He said he will tackle federal computer security when he returns to Washington after the August congressional recess.'I think it is a good idea personally that we look at the security breaches, and we do try to figure out what could be done to eliminate those things,'' Horn said. 'We're just going to have to think it out, but right now we have not given it much thought.''At a House hearing earlier this month, Harris N. Miller, president of the Information Technology Association of America of Arlington, Va., said he would endorse the use of report cards as a way to raise awareness of computer security issues.The joint hearing of the Government Management, Information and Technology Subcommittee and the House Science Subcommittee on Technology helped highlight the issue of computer security, Miller said.'Congressman Horn's simple grading system for the Y2K problem had a great impact by educating people about the Y2K problem,'' Miller said. 'The best way to get someone's attention is to give them a grade,' he said.Energy CIO John Gilligan agreed that a grading system could spotlight the security problem.'I think there is some benefit in having a congressional forum and congressional visibility on the issue of computer security,'' said Gilligan, who is co-chairman of the CIO Council's Security, Privacy and Critical Infrastructure Committee.Gilligan acknowledged that CIOs will need a lot of support to make speedy progress on computer security. 'It might be support in the form of grading that would appear to be a negative reinforcement,'' he said. 'Maybe that would be important in getting visibility.''The effort would need to be more widespread, he said. The Office of Management and Budget, GAO and agencies' inspectors general must also offer oversight and guidance, Gilligan said.Another agency CIO said she was less than enthusiastic about security report cards.'I think the grading system is somewhat artificial and could end up causing us to focus on the wrong things,'' said Anne F. Thomson Reed, CIO at the Agriculture Department. 'You need to be very careful what you measure or resources will be misapplied.''Reed said she suspected that report cards would likely tie security to information systems rather than to the incorporation of security into program delivery.A former Navy Reserve officer who worked in cryptology agreed with Reed. 'Security must be integral to one overall management picture,'' said Dean Rich, who works for Warroom Research Inc. of Annapolis, Md.Although sometimes painful, the re-port cards were good snapshots of agencies' year 2000 readiness, Miller said. Similar security ratings could give agencies a focus and put cybersecurity high on their radar screens, he said.But, Miller added, CIOs and lawmakers must develop a standard metric to evaluate agencies' computer security appropriately. Gilligan and Horn agreed.Miller recommended that government look at the percentage of IT funds allotted to security, training staff to recognize security breaches, training security personnel and systems protection.If computer security measures had received more oversight, the Energy Department might not have suffered security breaches, Miller said.Gilligan agreed that the espionage scandal at the Los Alamos National Laboratory in Los Alamos, N.M., has made computer security a top priority [GCN, March 29, Page 1].'I think [federal agencies] have waited until something happened and then taken action,'' Gilligan said. 'I think we can't afford to take a reactive posture. The consequences would be harsh. We must take a much more proactive approach.''He added, however, that his peers across government are struggling with an increasing number of priorities.'The monies I need are well beyond the normal CIO budget,'' Gilligan said. DOE plans to ask for an additional $40 million to $50 million for each of the next two years, almost doubling its computer security budget, he said.