GAO: IT security law needed

Agencies have improved the security of many information systems, but the lack of clearly defined roles among agencies coordinating security has hindered federal security experts' ability to protect systems from intrusion, according to the General Accounting Office.

Agencies have spent the past two years plugging security holes in computer systems, but it has been such an ad hoc effort that federal security managers have been left without any coordinated guidance on developing a fully secure government, GAO officials told the Senate Judiciary Technology, Terrorism and Government Information Subcommittee this month.

To help pull together agencies' efforts, GAO recommended that Congress should consider passing legislation that would better define how lead organizations should work together and how agencies should follow their direction.

"It's not so much that there needs to be one central organization in charge as the need for defining where each organization fits," said Jean Boltz, assistant director of governmentwide and defense information systems within GAO's Accounting and Information Management Division (AIMD). "I think this is an area where legislation should definitely be considered."

Until recently, the authority to oversee computer security resided in two organizations. The Paperwork Reduction Act of 1995 gave security oversight authority to the Office of Management and Budget, while the Computer Security Act of 1987 gave authority to the National Institute of Standards and Technology.

But last year, President Clinton issued Presidential Decision Directive 63, requiring agencies to protect their critical information systems from cyberattacks. While PDD 63 helped focus federal attention on growing information security threats, it also created several new groups, including the National Infrastructure Protection Center at the FBI and the Critical Infrastructure Assurance Office (CIAO) at the National Security Council.

The organizations' overlapping—and in some cases conflicting—responsibilities has led to duplicate efforts, such as developing governmentwide instead of agency-specific best-practices guidelines, which has confused agencies, according to GAO executives.

"While these organizations have developed fundamentally sound policies and guidance and have undertaken potentially useful initiatives, effective improvements are not taking place," said Jack Brock, director of the AIMD office, testified before the subcommittee this month.

Some of the problems stem from the fact that the NIPC and the CIAO, formed in 1998, and the CIO Council, formed in 1997, are relatively new, and any new process or organization will need to iron out kinks, Brock said.

Still, some basic security issues must be solved soon, he said.

"It is unclear how the activities of these many organizations interrelate, who should be held accountable for their success or failure and whether they will effectively and efficiently support national goals," Brock said.

For agencies that are developing their own security plans under PDD 63 while complying with OMB regulations, it can be especially confusing getting guidance from so many places, Boltz said. And the fact that some organizations' power is prescribed by law while others are given by PDD 63 or other executive orders leaves agencies wondering which orders are going.

Some legislative changes are under way in Congress. The House Science Technology Subcommittee is working on the Computer Security Enhancement Act, a bill that would update NIST's role in the governmentwide security landscape. Others, including the Senate Government Affairs Committee, also have expressed interest in the issue of legislation.

"There's a lot of interest and a lot of people looking at it right now," Boltz said. "It's really coming to fruition."