Fed cybersecurity doesn't hack it

Report card on computer security

A congressional report card released last week on information security gave

federal agencies generally lousy grades, but the only agreement among government

officials is that the marks were deserved, not how to improve them.

Rep. Stephen Horn (R-Calif.) issued the security grades to focus attention

on the lack of security practices in most areas of the federal government.

The governmentwide grade, according to Horn's evaluation, is a D-minus.

And while the highest grade was a B for the Social Security Administration,

seven agencies flunked, including the departments of Health and Human Services,

Agriculture, Justice, Labor and Interior.

"This report card sets a baseline for future oversight and also serves

as a wake-up call for agencies," Horn said.

But even after directives from President Clinton and new policies from

the Office of Management and Budget, everybody agreed that a wake-up call

is in order.

"This may bring the one thing that is missing most often, even today,

which is senior management interest and support," said Glenn Schlarman,

a security policy analyst with OMB's Office of Information and Regulatory

Affairs.

But officials added that recent history shows the necessary attention

is fleeting and that the grades do not help agencies address the basic problems

of ongoing information security management.

Horn's staff worked with the General Accounting Office to get a fair

picture by combining GAO and agency inspectors general audits with agencies'

own responses to a six-page questionnaire on their security systems, practices

and policies. But many agencies said the report card does not reflect their

current status.

"I am disappointed with the grade we received today, and in some way

dismayed by it," said Edward Hugler, deputy assistant secretary for administration

and management at Labor.

Since a Labor inspector general security audit last year, the department

has taken a number of steps to correct the problems identified, including

developing a computer security handbook for employees.

Every agency official at Horn's hearing said one key to their improvement

is Congress' willingness to fund the security requests in the fiscal 2001

budget. "The teacher can't issue report cards criticizing the student but

then not offer them the learning and resources to succeed," said Franklin

Reeder, chairman of the Computer System Security and Privacy Advisory Board,

a government/industry group that advises agencies and Congress.

In the past two years, Congress has failed to fund nearly all of the

White House's civilian cybersecurity initiatives, even a well-supported

program to educate and hire information security professionals. So although

agencies deserve their failing grades, so does Congress for its inaction,

said Richard Clarke, national coordinator for security, infrastructure protection

and counterterrorism at the National Security Council.

"So far, I think we're going to have to give them an incomplete because

their semester ends in about 20 days, but then, if it's not funded, I think

we're going to have to give them an F," Clarke said.

Some lawmakers said they recognize their responsibility.

"[I] realize that this Congress has an obligation to supply adequate

funding to agencies so they might meet the requirements that we have imposed

on them," said subcommittee ranking member Rep. Jim Turner (D-Texas).

For his part, Horn said, "We need to be talking to the authorizers and

the appropriators so we make sure that what is needed [in resources and

funding] will be there."