House panel OKs updated security bill

The House Science Committee last week unanimously passed the Computer Security Enhancement Act, which updates a decade-old federal computer security law and strengthens the role of the National Institute of Standards and Technology to promote the security and privacy of federal systems.

The bill, which the full House could consider this year, was passed with one amendment. Rep. Bart Gordon (D-Tenn.) added language that would establish a national policy panel for digital signatures, in hopes of bringing together government and private-sector representatives to discuss the use of digital signatures. Digital signature technology - commonly believed to be one of the core components of widespread electronic commerce - enables individuals to attach a verifiable electronic "signature" to a digital document that remains with the document throughout its transmission. It is designed to verify the identity of the sender of the data and to ensure that the data is not tampered with by unauthorized users.

The panel would work to develop the digital signature infrastructure and alert government and private-sector individuals about information security threats, Gordon said.

The Computer Security Enhancement Act, which would revamp the Computer Security Act, taps NIST as the lead agency for information security. It also requires NIST to promote federal use of commercial off-the-shelf products for civilian security needs [FCW June 23]. There is currently no companion bill in the Senate.

Rep. Constance Morella (R-Md.), chairwoman of the House Technology Subcommittee, said the bill is designed to promote the maximum protection of federal civilian agency computer systems while also supporting the information technology industry.

"By encouraging the use of commercially available computer security products, [the bill] takes advantage of the wealth of commercial expertise on securing information networks," Morella said at a subcommittee meeting last week. "It also provides for a wealth of new information sharing between NIST and the private sector [that] should aid businesses and federal agencies in safeguarding their sensitive electronic information."

The bill also requires NIST to develop standardized tests and procedures to evaluate the strength of foreign encryption products, in an attempt to defuse the raging debate surrounding the export of domestic encryption products. It would also increase the power of the Computer System Security and Privacy Advisory Board. The board, which is made up of representatives from industry, government and other entities, would assist NIST in the development of agency standards and guidelines.

Is NIST Dropping the Ball?

Since Morella began discussing the bill, industry observers have pointed to NIST's lack of funding and lack of enforcement mechanisms for the security standards it issues to agencies as contributing to lagging federal security measures.

Frederick Weingarten, a member of the Security and Privacy Advisory Board, said at a recent meeting of federal information security managers that the board believes NIST has not given agencies the systemwide assistance that agencies think they need.

"That may not be a problem with the Computer Security Act itself but in the way it's implemented," he said. "NIST does short-term research on information technology and offers technical assistance. What is missing is senior management priority for that function of NIST in the Department of Commerce - and funding. We thought Commerce needed to put this higher on its agenda."

Joan Winston, principal policy analyst at Glenwood, Md.-based Trusted Information Systems, said at the managers' meeting that an effective revision of the aging Computer Security Act will require not only increased funding for NIST and other agencies but also strong policy guidance. "Only then will there be sufficient resources and management attention given to getting the job done," Winston said.