Congress, GAO want to see better security planning

By Shruti Dat'GCN StaffCongress is laboring over legislation to set computer security standards and mandates, but exasperated lawmakers say they can only legislate, not micromanage, federal agencies.Deficient computer security management plagues most government agencies, the General Accounting Office and Congress report, but agencies' security efforts are not equal to the threat to federal systems.The recent rash of distributed denial-of-service attacks, the Melissa virus and hacking of federal Web sites have fostered a sense of urgency to solve security problems, but in practice it remains an afterthought, lawmakers say.'We continue to find that poor security planning and management is the rule more than the exception,' GAO director of government-wide and Defense information systems Jack L. Brock testified at a Senate Governmental Affairs Committee hearing this month.'Most agencies do not develop security plans for major systems based on risk, have not formally documented security policies and have not implemented programs for testing and evaluating the effectiveness of controls they rely on,' Brock said.Over the past year, GAO has identified weaknesses or gained unauthorized access to systems in the State, Defense and Veterans Affairs departments, officials said. In May, GAO reported that it had penetrated several of NASA's mission-critical systems, including one that calculates and distributes data received from spacecraft.The shutdown of the Environmental Protection Agency's Web site last month is the most recent example of weak computer security controls [].'What is most alarming to me is that after all this time and all these efforts, there is still no organization effort to prevent cyberattacks,' Sen. Fred Thompson, (R-Tenn.), chairman of the Governmental Affairs Committee, said at the hearing.'It is another example of how difficult it is to get the federal bureaucracy to move, even in an area as important as this,' he said.Rep. Connie Morella (R-Md.) agrees. 'People are asleep,' she said in an interview. 'The agencies are not implementing regulations. We will have to keep pushing the agencies.'Morella, chairwoman of the House Science Subcommittee on Technology, said agencies could ensure computer security through the current legislative framework. But the Computer Security Enhancement Act of 1999 would help push agencies to implement more effective computer security measures, she said.The bill, HR 2413, sponsored by House Science Committee chairman F. James Sensenbrenner Jr. (R-Wis.), would amend the Computer Security Act of 1987 to give the National Institute of Standards and Technology responsibility for developing security standards and guidelines.The Technology Subcommittee will mark up the bill in April.'Congress feels that it needs to do something because there is a hole right now,' a Senate Governmental Affairs Committee staff member said. 'But how do you force good management? In that sense there is a little anxiety because we don't want to micromanage.'Congress wants more information, said Rep. Steve Horn (R-Calif.), chairman of the House Government Reform Subcommittee on Government Management, Information and Technology.'We want to know the dimension and scope of these cyberattacks,' he said. 'We want to know what efforts are being undertaken toward solving the problem. We want to know what the federal government is doing to address this problem.'Lawmakers 'can set policies and appropriate funds,' Sensenbrenner said. 'We are not micromanagers.'The Senate Governmental Affairs Committee staff member said the panel has concluded that current legislation provides an insufficient computer security framework for federal agencies.Sen. Joseph Lieberman (D-Conn.), the Governmental Affairs Committee's ranking member, said, 'The government has a long way to go before its digital information is adequately protected, as we must fundamentally change the way we think about information security and the importance we place on it.'Thompson and Lieberman in November introduced the Government Information Security Act of 1999, which would mandate a risk-based computer security management structure with independent annual audits.Brock said the bill, S 1993, addresses key concerns but should incorporate better-defined security standards and strengthen leadership for information security control practices and oversight.'This area needs to be addressed quickly,' Lieberman said at the March 2 hearing. 'I would not be surprised if scores of other governmental sites have been invaded'but we will never know because we don't have a comprehensive system to monitor intrusions.'EPA's own records identified several serious computer incidents in the past two years, but the problems were not resolved, officials said.'It's not good enough to have a program; there must be accountability,' the committee staff member said.Brock said agencies must set management procedures and an organizational framework for identifying and assessing risks, deciding which policies and controls are needed, and periodically evaluating the effectiveness of these policies and controls rather than reacting with ad hoc measures.Lieberman said, 'Our primary concern is to ensure, to the greatest extent possible, the confidentiality and the integrity of government information that includes sensitive data such as the tax and wage records of every working American.'