Federal agencies are failing to secure their computer networks because senior managers and congressional appropriators do not incorporate technology security into their long-term planning, lawmakers and e-government experts said this week.

Two lawmakers warned of dire consequences if the federal government does not shore up its information technology defenses.

"The time for discussion and debate now yields to a more important requirement for action," Rep. Adam Putnam, R-Fla., said at a hearing Tuesday. "We know that various terrorist groups are very sophisticated and [are] becoming more so each day."


Putnam serves as the chairman of the House Government Reform Subcommittee with oversight responsibility for e-government security issues.

In December 2003, Putnam's subcommittee graded federal agencies on their IT security, under guidelines laid out by the 2002 Federal Information Security Management Act. Of the 24 agencies surveyed, 14 received grades of D or F. The federal government received an overall grade of D, and only five agencies completed required inventory evaluations. Putnam said that agencies cannot develop comprehensive security plans if they do not know their technology assets.

"The fact that only five agencies really know what they own is very troubling," he said.

House Government Reform Committee Chairman Rep. Tom Davis, R-Va., said Monday that the nation could be hit with a "cyber Pearl Harbor" if IT security measures are not improved.

"We didn't expect them to score well [in the December grading], and they didn't disappoint," Davis said. He called for increased investment in IT security infrastructure, but acknowledged that the appropriations process "is always about the here and now."

Information network defenses require long-term investment and top-level attention, two e-government analysts said Tuesday at an IT security breakfast in Arlington, Va.

"You are not going to snap your fingers and have security overnight," said Michael Rasmussen, an analyst for the technology consulting firm Forrester Research.

Les Cashwell, of e-government consulting firm Cashwell & Associates, said that federal IT security efforts are plagued by a lack of attention from senior management, poor long-range planning and nonexistent security benchmarks.

In a report last year, the Office of Management and Budget said many agency officials do not understand their IT security responsibilities. Karen Evans, OMB's e-government administrator, said at the hearing Tuesday that agency chiefs are ultimately responsible for IT defenses but that "everyone has to play a part in the cybersecurity piece."

It is important to identify where the buck stops for information network security, Putnam argued. "Everybody's responsibility," he said, "is nobody's responsibility."

COMMENTS

  • Looks like another job for Halliburton!
  • Congressmen and senior management also must remember you cannot just purchase security software to protect their Information Technology systems. They have to practice security day in and day out, and that includes not outsourcing the IT work. Outsourcing jobs can result in work being done by members of foreign countries. For example, the Army contracted out the development of a new system to CSC. The development is years behind the delivery schedule, and now it is coming out that CSC has further outsourced some of the work to workers in India and Pakistan. This is a mission-critical Army system that controls very valuable supply information, and there will be no control over who has access to this information or who the information is sold to. If this type of action is not a detrimental security risk to our national security, then I do not know what is. When are the senior management and Congressmen going to start realizing that security is every day and that all of the decisions they make are putting this country at risk?