Hill staff give federal technology legislative update

Cybersecurity dominated a panel discussion by Congressional staffers on information technology-related issues Tuesday.

"Cybersecurity is a hot topic," said panel moderator David McClure, associate director for information technology management issues at the General Accounting Office. "There are pockets of excellence in the federal government. But some offices and agencies are very weak."

Rep. Tom Davis, R-Va., is actively creating legislation on computer security and capitalizing on the lesson learned from dealing with the Y2K problem, said Melissa Wojciak, staff director for the House Government Reform Committee District of Columbia Subcommittee. Davis last month introduced H.R. 4246, the Cyber Security Information Act of 2000, which includes language ensuring private sector information sharing on security.

The panel also focused on the computer security woes of the Environmental Protection Agency, which recently shut off its connection to the Internet because of security holes in its infrastructure. "EPA had known for year that it had a security problem and had incidents reported to it by the Federal Bureau of Investigation and the Secret Service," said Amit Sachdev, counsel for the House Committee on Commerce. "The agency had tremendous weaknesses."

But now, after a thorough GAO audit of its systems and procedures, EPA is doing much better and the Commerce Committee is very pleased with EPA's progress, Sachdev said. GAO's final report is expected out within the next 45 days. "EPA had a good security staff and was buying good technology," Sachdev said. But there was often a disconnect between the security staff and those who wrote policy, Sachdev said.

Greenwalt echoed this and applied it to the rest of the government. "There is a heck of a lot of policy and technology out there," said William Greenwalt, a professional staff member with the Senate Armed Services Committee. "The challenge is managerial and involves bringing disparate entities in line and enforcing standards."

"A lot of policies are not being coordinated and implemented throughout the government," Wojciak said.

Government agencies are required to follow a number of security policy directives. These include the 1987 Computer Security Act, 1998's Presidential Decision Directive 63 and Appendix III to the Office of Management and Budget's Circular A-130.

The staffers repeatedly mentioned the importance of training computer security workers. GAO's McClure agreed. "Security requires people power. Even good intrusion detection systems are not enough," McClure said. People must be skilled at reading server logs-an unglamorous task that requires good training, McClure said.

Finally, the panelists agreed that momentum is building in support of a governmentwide federal chief information officer. No less than three bills under consideration by Congress now call for the position to be created.

The panelists all expressed concern about the level of power and support such an official would receive from departmental and agency CIOs. The Y2K czar position was effective because it oversaw a central issue, Greenwalt explained. The panelists did not know if that meant a security czar was forthcoming, but they all agreed the lessons learned from Y2K could be applied to cybersecurity.

"Information security is a concern," Greenwalt said. "Agencies did this great work identifying and inventorying systems for Y2K." But whether those inventories and contingency plans gather dust remains to be seen, Greenwalt said.

The staffers gave their presentations as part of the Armed Forces Communications and Electronics Association, Bethesda Chapter's monthly breakfast.