Congress takes up cybersecurity
Critics say White House needs to spend more to carry out programs
- By Patience Wait
- Jan 14, 2002
Lawmakers are moving to beef up the nation's information security with legislation that would provide more than $870 million over five years for a wide range of research and education grants.
The Cybersecurity Research and Development Act, introduced Dec. 4 by Rep. Sherwood Boehlert, R-N.Y., and five co-sponsors, would allocate more than $560 million to the National Science Foundation. With the funds, the foundation would administer grants for educational programs and basic research on computer security techniques and technologies, including authentication, encryption, intrusion detection, reliability, privacy and confidentiality.
The legislation also would provide nearly $310 million to the National Institute of Standards and Technology for research on cybersecurity.
Boehlert, who chairs the House Science Committee, said the government spends only $60 million a year on cybersecurity research and development, a "woefully inadequate investment."
The bill comes amid criticism by some industry officials that the Bush administration is not devoting sufficient resources to cybersecurity.
"What we're hearing out of the administration is there needs to be better management of resources, not more dollars," said Harris Miller, president of the Information Technology Association of America, Arlington, Va. "I just don't agree with them."
Miller said many agency chief information officers privately say they need more funding to carry out needed cybersecurity programs.
However, he expressed confidence that Richard Clarke, the president's special adviser on cybersecurity, will persuade the administration to allocate the necessary funding.
"I'm almost certain there's going to be a supplemental appropriations bill next year," he said.
As the House takes up the Boehlert bill, Rep. Tom Davis, R-Va., chairman of the House Government Reform subcommittee on technology and procurement policy, is preparing legislation to reauthorize the Government Information Security Reform Act, a law requiring federal agencies to report on their security measures.
This time, however, Davis plans to give the law some teeth by requiring NIST to establish minimum IT standards that all agencies must follow. The legislation also would require the Office of Management and Budget director to make the standards compulsory and binding: No more could there be a waiver of standards set by the Computer Security Act.
On the Senate side, Sens. Bob Bennett, R-Utah, and John Kyl, R-Ariz., have co-sponsored legislation, the Bennett-Kyl bill, that would create limited exemptions to antitrust and Freedom of Information Act laws to encourage companies to share information regarding cyberattacks and security measures with each other and with the government.
Many companies have been reluctant to cooperate and share with the government for fear that attorneys interested in litigation could get access to the information through the Freedom of Information Act. Companies also were reluctant to share information with each other, fearing prosecution under anti-trust laws.
Bill Poulos, a vice president of the U.S. government group for Electronic Data Systems Corp., Plano, Texas, said the goals of the Bennett-Kyl bill are at the top of his priority list. Companies should be shielded from frivolous lawsuits, he said, "when companies are coming together to enhance the security of the entire community, private and public." Poulos also said the government needs to provide more funding for cybersecurity.
"Up until Sept. 11, there just wasn't much going on," he said. "There was legislation and some requests in the budget, but it was peanuts."
Industry experts said training, internal processes and technology are major areas to be addressed in tightening cybersecurity.
As much as 75 percent to 80 percent of cybersecurity threats come from inside a network, said Mike McConnell, vice president of Booz-Allen & Hamilton and former director of the National Security Agency.
Much of that risk would be minimized if companies and agencies trained employees in the need for security and protocols. Other aspects of the human element include forming a vulnerability assessment team, an investigation component and an emergency response plan.
Organizations also must put into place policies that ensure all processes, such as acquisition and integration of new hardware and software, are done with an eye on maintaining information security, risk assessment and performance measurements.
Then comes the investment in the right technology. "Most security technology purchases have been reactive," said Arthur Coviello, president and chief executive officer of RSA Security Inc., Bedford, Mass. A particular kind of security measure is put in place only after there has been some kind of damage or attack of that type.
The need for improved security among the agencies was highlighted by recent report cards issued by Rep. Stephen Horn, R-Calif., chairman of the House Government Reform subcommittee on government efficiency, financial management and intergovernmental relations. Information compiled for Horn and released Nov. 9 indicates that 16 out of 24 major federal agencies ? including the departments of Defense, Commerce, Justice, Treasury and Transportation ? received an F.
"We are facing an awareness that the Internet is at risk," said Sen. George Allen, R-Va., at a press conference Dec. 11. Allen said the Energy Department headquarters detected 2,800 viruses in inbound e-mail during the week of Sept. 10-14; the next week, more than 29,000 viruses were found.
"It could be a coincidence," Allen said. "I think there could be more to it."
However the government and private sector attack the problem of information security, many in Congress and industry contend the administration must step up its spending on research, education and training.
"There has been a disconnect between government rhetoric on security and the allocation of resources," ITAA's Miller
Staff Writer Patience Wait can be reached at email@example.com.