Panel plans to beef up Computer Security Act

Calling the lack of computer security in the federal government "a national crisis," Rep. Constance Morella (R-Md.) announced last week that the House Science Committee plans to introduce a bill this month to strengthen the 10-year-old Computer Security Act. Designed to establish minimum security standards for guarding federal systems, the act required the National Institute of Standards and Technology to develop security and privacy standards and to ensure the standards' cost-effectiveness. It also required agencies to form security plans and provide mandatory security training for personnel.

Although work on the new legislation is not yet complete, Morella said the proposed bill would strengthen NIST's traditional role in computer security and address the lack of information technology security in educational programs nationwide. It has "total bipartisan support," she said, including that of Rep. George Brown of California, the ranking Democrat on the Science Committee.

"It really is a national crisis," Morella said. "It threatens our national security.... Federal systems and data are not being adequately protected. The enormity of this issue is self-evident."

Underscoring the need to beef up federal systems security, Morella cited a September 1996 General Accounting Office study that concluded that 10 of the 15 largest federal agencies have serious information security weaknesses, some of which have existed for years. Morella was speaking at a meeting of the NIST Computer Systems Security and Privacy Advisory Board, which approved a resolution late last week that advises NIST to elevate its commitment to the Computer Security Act. According to the resolution, NIST should:

* Act as a central service within the federal government to advise on the selection, integration and use of products for securing nonclassified systems.

* Provide a computer systems security assessment capability for civilian agencies.

* Maintain a registry of security and privacy incidents and solutions, and suggest corrective actions to remedy computer security vulnerabilities.

Lynn McNulty, former associate director for computer security at NIST and now the director of government affairs for RSA Data Security Inc., characterized the existing legislation as a "toothless tiger" because it does not require agencies to comply with the security plans submitted shortly after its passage in 1987. The act required agencies to identify all systems containing sensitive information and to establish a security plan to protect those systems. The legislation, however, does not define any agency requirements for specific system security.

"[NIST is] not perceived as being very active or very visible, particularly to the federal user community," he said.

Board member Joseph Leo, deputy administrator for management for the Agriculture Department's Food and Consumer Service, said, "I've yet to have the implementation vision with regard to [the Office of Management and Budget] or the Hill." "Until NIST gets a vision of really wanting to come in and help me, I'm probably not going to warm up to it."