Congress Scrutinizes Information Security Efforts

August 2004
By Maryann Lawlor

Rep. Adam Putnam (R-FL) (c), chairman of the U.S. House of Representatives Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, convenes the first meeting of the Corporate Information Security Working Group. The group met for nearly four months and has made several recommendations on how to secure critical infrastructure in the private sector.

Majority of federal agencies flunk cybersecurity 101.

U.S. legislators are fighting to secure information systems on two fronts: the federal government and the private sector. And, they are worried that the government is underachieving badly at a most crucial time for information security.

Concerns about the enormous impact of a system compromise that results in altered, corrupted or stolen data have prompted the U.S. House of Representatives Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census to continue monitoring agencies’ efforts to secure their systems. On the commercial side, the subcommittee chairman enlisted industry’s help and is evaluating recommendations about how to improve the security of the roughly 85 percent of U.S. critical infrastructure owned by the private sector.

The idea of issuing federal computer security report cards was initiated four years ago by former Rep. Stephen Horn (R-CA) when he chaired the House Subcommittee on Government Management, Information and Technology. In 2003, the grades were based on the Federal Information Security Management Act (FISMA) for the first time. Despite these regular evaluations, most government agencies received either below average or failing grades.

The two organizations that received a grade of A were the Nuclear Regulatory Commission and the National Science Foundation. The Social Security Administration and the Department of Labor received a B+ and B, respectively. Six organizations received grades in the C- to C+ range. These include the Department of Education, the Department of Commerce and the Small Business Administration. Another six organizations were graded in the D- to D+ range, including the Defense Department, the Office of Personnel Management and NASA. The departments of Energy, Justice and State were among the eight organizations that received a grade of F.

According to Rep. Adam Putnam (R-FL), chairman of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, a majority of federal agencies are receiving poor grades on their annual FISMA scorecard for several reasons. For example, only five of the 24 organizations evaluated have completed reliable inventories of their critical information technology assets.

“This is very troubling considering we are at least four years into this process and still we have far too many agencies with incomplete inventories. How can you secure what you don’t know you have? How can you complete a certification and accreditation process absent a completed inventory?” he offers.

A number of the evaluations also revealed that agencies are not properly documenting their efforts to achieve compliance with FISMA requirements. The overall grades of agencies would improve if strategic components, such as staff training programs and the associated documentation, were implemented, Putnam says.

Agencies’ inspectors general (IGs) also play a critical role in receiving a passing grade. Putnam shares that in three agencies—the Defense Department, the Department of Veterans Affairs and the Treasury Department—the IGs did not submit independent reports in a timely manner. The congressman believes this is a serious problem. “Their independent verification is vital, particularly in light of the fact that there were significant differences between many of the agencies and their IGs,” he states. Seven agencies received grades based on their IG’s report that differed from the internal staff evaluation by two or more letter grades.

Putnam reveals that several overriding themes emerged as subcommittee members compared the information security efforts of agencies receiving good grades to those that did not. Organizations that earned good grades had developed a full inventory of their critical information technology assets and identified critical infrastructure and mission-critical systems. They also had maintained strong incident identification and reporting procedures and implemented tight controls over contractors. In addition, they developed and executed robust plans of actions and milestones to help eliminate security weaknesses and documented the implementation of actions to achieve FISMA objectives.

Although the grading system may seem a bit trite, Putnam asserts that the shrinking time cycle between vulnerability identification and the capability to exploit it heightens the need to protect information systems.

Information security also is a matter of maintaining the public’s trust. “The public has an expectation that information provided to the government will be protected and that privacy will be maintained. It is incumbent upon the federal government to meet those legal and moral expectations through a vigilant stewardship that demands that all reasonable measures be implemented and maintained in a timely and productive manner,” he states.

The congressman acknowledges that the evaluations show the 24 federal agencies reporting that more of their systems meet key Office of Management and Budget performance measures. For example, of the total number of systems reported, those assessed for risk increased from 65 percent to 78 percent. The number of systems with a contingency plan in place grew from 55 percent to 68 percent.

“However,” Putnam warns, “reported results varied widely among individual agencies, with some agencies reporting that less than half of their systems met these requirements. Even with these improvements, until agencies have reliable inventories of their systems, we will not truly know the security status of the agencies.”

Many government agencies outsource their computer system security work. Verizon Federal Network Systems’ security operations centers are located throughout the United States and provide defense, intelligence and government agencies with network security support.

The subcommittee staff has met with all of the agencies to review their 2003 results and their plans for addressing deficiencies. “There is evidence that agencies are taking this issue much more seriously and are taking aggressive steps to change the culture to one that includes security as a primary focus alongside the functionality requirements of federal information systems. I am optimistic that the 2004 scorecard will show significant improvement,” Putnam says.

In addition to concerns about federal agencies’ information systems, Putnam also has initiated an effort to improve security in the private sector. After meeting with industry leaders in both the technical and nontechnical sectors, he determined that information security was not a high priority in many companies. “The issue of information security is still viewed by many as primarily a technology issue as opposed to a management and governance issue. Therefore, the matter is not being reviewed sufficiently or considered at the ‘C’ level of management,” he relates.

As a result, the congressman is working to increase the importance of information protection and to identify how to hold companies accountable for protecting their systems. Last fall, he drafted the Corporate Information Security Accountability Act of 2003, which would require publicly traded companies to include a status report on their corporate information security plans as part of their annual filing with the Securities and Exchange Commission.

“Prior to filing the legislation, I solicited feedback from a number of private sector individuals, companies and trade associations. Following a review of that constructive feedback, and confirming that a private sector-driven market-based initiative was always the desired preference, I decided to postpone the introduction of my proposed legislation while challenging the private sector to identify an alternative approach to improve information security dramatically throughout corporate America,” Putnam explains.

To solicit additional input about a corporate strategy, the congressman convened a group of 25 senior business leaders and formed the Corporate Information Security Working Group (CISWG). The group’s members also include representatives from government agencies and academia.

After working with the group, Putnam was even more convinced that every business must practice at least basic information security. “Additionally, manufacturers of software and hardware products have a responsibility to continue to consider the quality and security of products that they offer to the marketplace in response to consumer expectations on behalf of users—from the most sophisticated enterprise to the most unsophisticated home user,” he says.

The CISWG recommends action in procurement practices, awareness and education, incentives and best practices. Under the procurement topic, the group recommends enforcement of FISMA’s provisions that require federal agencies to establish and enforce minimum security configuration standards. It also suggests an exemption from U.S. antitrust laws for critical infrastructure industry groups that agree on obligatory security specifications for the software and hardware they purchase.

As part of its awareness and education recommendations, the group advocates that a small business guide book for cybersecurity be created that explains risks in terms that persuade small business owners to take action. For large corporations, the group encourages an increased distribution of existing documents that explain the importance of information security. The group also suggests the creation of an information security guide aimed at corporate executives to increase understanding at the higher echelons of companies. To heighten security awareness in the home-user sector, the CISWG recommends that the government build relationships with organizations and corporations that specialize in reaching the mass market.

The CISWG’s private sector recommendations in the area of incentives include refining the efforts to establish generally accepted measurement tools to assess corporate and individual cybersecurity based on widely accepted best practices or standards. Coherent programs should be developed that use these tools to set up programs of qualification, compliance and/or certification. Additionally, the group suggests that third-party designations be established that identify qualified, certified and/or compliant organizations. Another suggestion proposes that the insurance industry modify the degree of availability and cost of cyber-risk insurance based on how well a company exercises information security best practices.

Putnam is impressed by the CISWG’s effort. “This body of work, which is represented in the reports and recommendations, contains innovative and creative approaches utilizing a variety of tools to achieve a private-sector driven market-based approach. … I am presently evaluating the CISWG work product along with the work of various working groups attached to the National Cyber Security Summit to identify similar or complementary recommendations. I am also considering other elements that may be contained in a corporate information security action plan in lieu of legislation.

“The CISWG recommendations include several potential legislative initiatives, such as an amendment to the Clinger-Cohen Act, that would explicitly identify information security as a component that must be evaluated in the information technology investment decision making and strategic planning for federal agencies. I have already begun the process of drafting such an amendment, and I am working on an initiative that could be pursued in the very near future,” Putnam reveals.

The congressman notes that a number of the recommendations will require additional work, and virtually all CISWG members are willing to continue with the effort. However, he points out that the group strived to reach a consensus on a set of recommendations, but it did not achieve unanimity on all of them. Some members were concerned that a number of recommendations were not fully mature and require additional discussion and debate. The group will be reconvened to continue the work, he says.

Putnam believes more research is needed in the area of tools to build trustworthy networked computer systems. “Researchers have argued that there is a need to design secure systems from the bottom up because it is much harder to lay security on top of an already unsecured product. We need to focus on longer term efforts such as research into cybersecurity vulnerabilities and dynamic solutions for these problems. We need to find better ways to transfer research results into commercially available products as well,” he says.

One area of particular importance is in developing more secure supervisory control and data acquisition systems, Putnam contends. These industrial control systems support most of the infrastructure in the United States today, including the processes that manage the water supply and treatment plants, control the pipeline distribution system and electric power grid, and operate nuclear and chemical power plants.

“The nation’s health, wealth and security rely on these systems, but until recently, computer security for these systems has not been a major focus. As a result, these systems, on which we rely so heavily, are undeniably vulnerable to cyberattack or terrorism. We have to do a better job of finding ways to protect them,” Putnam states.

The congressman also is concerned about the security aspect of computer systems development. He points out that the most significant sources of vulnerabilities are flaws in software and hardware products. “Accordingly, it will require a concentrated research and development effort to identify more productive tools for evaluating and testing code and for improving quality assurance processes and procedures,” he concludes.
