House panel approves bill to boost computer security

Pointing to the dreaded Melissa computer virus and several recent hacker attacks on federal Web sites, a House Science subcommittee on Wednesday approved bipartisan legislation to help federal agencies better protect their electronic information systems.

The bipartisan Computer Security Enhancement Act of 1999 (H.R. 2413), which quickly cleared the Technology Subcommittee by voice vote, would modify the Computer Security Act of 1987. The 12-year-old law requires the National Institute of Standards and Technology to provide federal civilian agencies with standards and guidelines for guarding sensitive but unclassified electronic data.

The bill would require NIST to promote the use of commercially available encryption products, in order to reduce the costs and increase the availability of data protection technologies for federal agencies.

Subcommittee Chairwoman Constance A. Morella, R-Md., noted that during several recent hearings on computer security issues, "we repeatedly heard that federal agencies are not doing enough to protect their critical information systems from attacks and corruption."

Bill sponsors also have pointed out that the General Accounting Office has identified information security as a high-risk issue throughout the federal government, issuing more than 30 reports over the past six years that detail serious shortfalls in computer security within major federal agencies.

The legislation would give the independent Computer System Security and Privacy Advisory Board a larger role in helping NIST to develop standards and guidelines for acquiring security products for federal computer systems.

But the bill would clarify that those standards and guidelines would not place any restrictions on the manufacture or use of encryption products within the private sector.

Another provision calls for a new NIST computer security fellowship program, to be funded at $250,000 in fiscal 2000 and $500,000 in fiscal 2001, for graduate and undergraduate students.

The legislation also would create a National Panel for Digital Signatures, to look into the development of a national digital signature infrastructure based on uniform standards.

During Wednesday's meeting, the subcommittee adopted, by voice vote, a manager's amendment by Morella and Rep. James Barcia, D-Mich., the panel's ranking Democrat. The amendment would instruct NIST to evaluate the electronic data protection programs that federal civilian agencies currently use, and make recommendations to those agencies on how to improve their computer security systems.

The Morella-Barcia amendment also would require NIST to submit annual reports to Congress on federal agencies' progress in improving their electronic data security.

Morella said the amendment would further enhance NIST's role in protecting federal agencies' computer systems, without shifting any responsibility from the agencies.

"Ultimately, agencies bear the primary responsibility for maintaining the security of their information systems," Morella said.

The underlying bill would authorize $3 million in new funds in fiscal 2000 and $4 million in fiscal 2001 to help NIST carry out its new duties. But the amendment would not earmark any additional funds on top of that, even though it would place even more responsibilities on NIST.

That worried Barcia, even though he co-sponsored the amendment and voiced his "full support" for the bill.

"The issue of inadequate resources has been a major concern of [NIST] from the beginning," Barcia said.

Morella promised to work with Barcia and Rep. James Sensenbrenner, R-Wis., who chairs the full committee and is the bill's chief sponsor, to find ways to increase NIST's resources before the full committee takes up the legislation.