House panel bolsters NIST security role

Members of the House Science Committee last week introduced legislation to provide strong federal guidance and commercial tools that will push civilian agencies to protect their computer systems.

The Computer Security Enhancement Act of 1997, which would revamp the 10-year-old Computer Security Act, taps the National Institute of Standards and Technology as the lead agency for information security. It also requires NIST to promote federal use of commercial off-the-shelf products for civilian security needs. While the original security legislation established minimum security standards for guarding federal systems, it did not require agencies to enforce their own internal policies.

Rep. Constance Morella (R-Md.), chairwoman of the House Technology Subcommittee, said at a hearing last week that the new bill is intended to assist NIST in meeting the increasing security needs of civilian agencies and to give those agencies better access to advanced private-sector technology.

"Since the passage of the Computer Security Act, the networking revolution has improved the ability of federal agencies to process and transfer data," Morella said. "It has also made that same data more vulnerable to corruption and theft."

The bill also enhances the role of the independent Computer System Security and Privacy Advisory Board in NIST's decision-making process. The board, which is made up of representatives from industry and federal agencies, will help NIST develop standards and guidelines for federal systems.

The board recently recommended that NIST increase its assistance to federal agencies. Its members noted that officials should focus more time and resources on current computer security issues rather than long-term needs. It also recommended that NIST establish a clearinghouse to detail the vulnerabilities of federal government agency information systems.

Gary Bachula, acting undersecretary of Commerce for technology, said the Commerce Department backs the legislators' effort to reinforce NIST's role in promoting computer security. A number of the provisions, he said, are consistent with the board's recommendations and with NIST's established role in working with the private sector to develop standards and guidelines.

During discussions of NIST's role in computer security, many have pointed to the agency's lack of funding as a probable cause for its leadership shortcomings. Morella said recent budget authorization legislation provides an additional $10 million a year for NIST to increase its efforts to improve federal government security.

Kelly Kavanagh, research director with the market research firm IDC Government, said that no agency has stepped forward to take a leadership role in the information security realm.

"NIST has considerable expertise in this kind of work," Kavanagh said. "They haven't been forced to do this, and they haven't had the resources to do it. Somebody has to really run out and beat the drum."

Industry representatives expressed support for the legislation, saying it would foster a beneficial relationship between the government and industry in the process of equipping agencies with the weapons to fend off hackers and other unauthorized users. The legislation directs NIST to rely primarily on market-driven technology rather than government-imposed standards in developing agency security guidelines.

In the past, NIST's close relationship with the National Security Agency has fostered an adversarial relationship with industry, said Jim Bidzos, president of RSA Data Security Inc. The Digital Signature and Escrowed Encryption standards, both designed by NSA, are two examples of security initiatives that have hampered the ability of agencies to deliver secure electronic services by cutting those agencies off from commercial advances in the cryptography arena, he said.

"When it comes to encryption, I'm afraid they've turned the relationship with industry into an adversarial one. The unfortunate victims of this policy are the civilian agencies of the federal government that are simply trying to provide security," Bidzos said.

As one example of the vulnerability of government systems, Bidzos pointed to last week's first-ever successful attack on the government's Data Encryption Standard, which is used to scramble almost all of the government's sensitive but unclassified data. The standard was cracked by thousands of PC users who had been working cooperatively over the Internet since February. Bidzos' Redwood City, Calif.-based company sponsored a $10,000 contest to crack the code.