Government Executive - Authors - Rebecca S. Weiner

Watchdog criticizes federal response to e-mail virus

Rebecca S. Weiner — Fri, 19 May 2000 00:00:00 -0400

Most federal agencies were squarely hit by the "ILOVEYOU" virus because of a lack of coordinated notice from federal officials and a lack of internal communication, Congress' watchdog told the Senate Banking Financial Institutions Subcommittee Thursday.

"The incident was a good lesson learned, but an expensive lesson learned," said Jack Brock, the General Accounting Office's director of government and information systems. "It pointed to a lack of coordinated oversight. Agencies need to do more."

While the private sector Financial Services Information Sharing and Analysis Center discovered the virus at 3 a.m. EDT and immediately sent an alert to its members on May 4, the FBI's National Infrastructure Protection Center did not issue a notice until 11 a.m. and didn't follow up with advice on how to handle the virus until 10 p.m., according to GAO.

Only seven of 20 agencies interviewed by GAO were spared widespread infection by the e-mail virus, Brock told the subcommittee. The Health and Human Services Department was hit with about 3 million ILOVEYOU messages, taking the agency six days to restore department-wide e-mail communications. The Veterans Health Administration received 7 million messages and spent 240 work hours to recover.

At the Defense Department, an official told GAO that if the attack had occurred over a substantial period of time, the department would have had to call on reservists to cover for military personnel correcting the virus problem.

"It was private industry that had the first alert going out, not the federal government," said Subcommittee Chairman Bob Bennett, R-Utah. "It's clear the government can learn something from the private sector."

Treasury Assistant Secretary Gregory Baer suggested more interagency information sharing as a preventative measure against future attacks as he praised the financial services industry for its quick response.

John Hamre, president of the Center for Strategic and International Studies and former deputy defense secretary, said the incident should serve as a warning to government leaders and CEOs that computer security needs to be taken seriously. He added that without last year's Y2K remediation efforts, the fallout could have been much worse.

"This is an electronic Paul Revere," he told National Journal's Technology Daily.

Bennett suggested that Thursday's hearing, which was cut short because of procedural wrangling on the Senate floor, would be the first of many on coordinated critical infrastructure protection. Bennett leads a working group on computer security issues for the Senate, but he said a similar leadership post is needed in the executive branch to coordinate security efforts.

]]>

FCC transforms mission from policy to enforcement

Rebecca S. Weiner — Mon, 01 May 2000 00:00:00 -0400

Federal Communications Commission officials said Friday the agency is still on track to meet its five-year deadline for transforming itself into an enforcement agency rather than one that doles out rules, 18 months into the effort.

"The chairman has asked us to move from rulemaking to enforcing the rules we make," said Kathy Brown, chief of staff for FCC Chairman William Kennard, at a forum held to highlight the status of the strategic plan. "We're holding ourselves to our goals."

Last year, Kennard issued a strategic five-year plan for reforming the agency, just as Capitol Hill lawmakers were exerting pressure on the FCC to change its ways. While lawmakers have backed off their plans to radically reorganize the agency, FCC officials say they're on track to meeting their goal.

Brown said the major hurdles to reform are funding and workload.

"You need money to do it," she said. "The workload also is a hurdle. We have such a load it's hard to plan for the future."

FCC senior managers have been assigned to a handful of steering committees to take a more systematic approach to reform. FCC Secretary Magalie Salas, who heads the Digital Age Steering Committee, said the panel has focused on two out of the four goals-revamping the agency's Web page and job training-in the initial stage of implementing the strategic plan. The committee has postponed the more difficult task of reorganizing the FCC's infrastructure to reflect convergence in the communications industries and creating a "faster, flatter more functional agency."

"We could not work on everything detailed in the strategic plan," she said. "We thought we'd choose two."

The Competition Steering Committee is studying broadband, biennial rules review and merger issues. Bob Pepper, chief of the office of plans and policy, said the committee is working to include the status of mergers on the agency's Web site so the public can more easily track the FCC's progress.

"We're trying to make this an open and as public a process as possible," Pepper said.

Other committees are studying public access to new technologies and spectrum management.

]]>

FDA seeks regulatory role on the Internet

Rebecca S. Weiner — Tue, 28 Mar 2000 00:00:00 -0500

House Commerce Committee Chairman Tom Bliley, R-Va., questioned the Food and Drug Administration's effectiveness at regulating online pharmacies by demanding that the agency prove it is using current enforcement tools before asking for expanded authority to monitor Internet drug sales.

"I have become increasingly troubled that the FDA is failing to fulfill its current regulatory obligations," he said in a March 23 letter sent to the agency. "But more troubling, I understand that FDA is drafting a legislative proposal to give itself even more responsibilities under the Federal Food and Drug and Cosmetic Act-in particular, the responsibility to certify all Internet pharmacies."

Bliley specifically wants to know how many enforcement actions the FDA has taken, the details of the agency's newly created Internet Action Plan, and the amount of funding the agency has shifted to Internet enforcement efforts.

The FDA has limited oversight over Internet drug sales since state boards regulate U.S. and foreign pharmacies are out of the agency's regulatory reach. The Clinton administration is asking for $10 million in fiscal 2001 to allow the FDA to monitor online pharmacies.

A House Commerce Committee spokesman said Monday that Bliley's request could generate another hearing on the issue. The committee's Subcommittee on Oversight and Investigations held a hearing last summer.

"We have concerns," the spokesman said. "They're working on legislation to give them more authority and they're not exercising their current obligations. It's ridiculous to through new regulations on top of old."

]]>

Critics question EPA decision to shut down Web sites

Rebecca S. Weiner — Tue, 22 Feb 2000 00:00:00 -0500

Environmentalists and public interest groups were outraged Friday over the Environmental Protection Agency's decision to take down its Web site and e-mail service earlier in the week after being pressured to do so by House Commerce Committee Chairman Tom Bliley, R-Va.

"It's curious that last week hackers temporarily shut down Yahoo and eBay, and Mr. Bliley effectively did that to the EPA," said Paul Orum, coordinator of the Working Group on Community Right-To-Know, which advocates for public disclosure from the EPA. "Maybe the hackers should quit giving ideas to Mr. Bliley."

EPA says it was forced to shutter both its public and private Web sites and external e-mail because the committee had publicized an oversight hearing on the agency's computer security weaknesses. The committee cancelled its Thursday hearing, and instead held a news conference to release General Accounting Office findings outlining the agency's security problems. The agency said it is working to restore access to the public sight as soon as possible.

"It's outrageous the public can't get information they need," said Rick Blum, policy analyst for OMB Watch.

Blum said his group has received complaints from people who have tried to access the EPA site, but couldn't get in, including a man in Alaska trying to get information on landfills for a public hearing. He added that both the agency and the House Commerce Committee are to blame.

"I find it troubling that the government would essentially hold a gun to another agency's head and threaten to out it," he said. "Clearly the EPA should have been addressing its computer security problems a long time ago, but it's important to not make this into a political tool."

While committee Democrats could not defend lax EPA computer security, they were not pleased with how the situation was handled.

"Did this solve the problem or create publicity?" asked Deputy Minority Staff Director Dennis Fitzgibbons. "This smacks of a publicity stunt."

]]>

EPA shuts Web sites amid charges of lax security

Rebecca S. Weiner — Fri, 18 Feb 2000 00:00:00 -0500

Weaknesses in the Environmental Protection Agency's computer security system point to a general lack of Clinton administration oversight to protect sensitive information, a House Commerce Committee spokesman charged Thursday.

"It was good political theater for the President to hold a summit on computer security, but his own house is not in order," said spokesman Steve Schmidt. Committee Chairman Tom Bliley, R-Va., "feels it important that the American people should know the administration has failed on security issues."

EPA pulled down its public and private Web sites Wednesday night, shuttering all but the agency's internal e-mail system, out of fear of a possible hacking attack against the agency since the committee had scheduled a Thursday hearing on its security weaknesses.

"The hearing was cancelled because it would have attracted a lot of media attention," Schmidt said at a media briefing Thursday afternoon to release a General Accounting Office study examining the EPA's security weaknesses. "We knew they would be hacked into immediately."

An EPA statement confirmed the agency's fears of a hacking attack.

"The decision to temporarily close access to the Web site was made after a meeting Wednesday in which computer security experts warned that the public attention brought to the agency's potential computer vulnerabilities made the EPA a likely target for hackers," an EPA statement said. "We are taking all necessary steps to prevent unauthorized access to our systems."

GAO essentially hacked into EPA's sites to point out weaknesses in its system. The congressional watchdog agency has been working with EPA for years to correct the weaknesses.

"EPA cannot ensure the protection of sensitive business and financial data maintained on its larger computer systems or supported by its agency wide network," according to David McClure, GAO's associate director of Governmentwide and Defense Information Systems, in testimony for the committee's cancelled hearing.

Schmidt said the committee gave no assurances to the EPA that the GAO's findings would not be released if it took down its Web site. GAO's final report on the matter is expected by the summer.

Schmidt added that the committee is considering asking GAO to conduct similar hacking tests on other agencies under the committee's jurisdiction.

Bliley and the agency have had a tenuous relationship. Last year, the committee chairman introduced legislation that would have prevented the EPA from publicly disseminating so-called "risk management assessment" plans for the 66,000 chemical plants electronically. Congress reached a compromise to delay the information's release for one year.

]]>

House bids adieu to the Y2K problem

Rebecca S. Weiner — Fri, 28 Jan 2000 00:00:00 -0500

The billions of dollars and work hours spent preventing major Y2K computer breakdowns was well-spent, Capitol Hill lawmakers and government officials said Thursday in what they billed as the House's last Y2K hearing.

"Some critics now question whether the high cost of this massive effort was necessary," said Rep. Steve Horn, R-Calif., chairman of the House Government Reform Committee's technology subcommittee. "Was that money well spent? Of course it was."

Horn said he plans to use the information gathered from four years worth of Y2K hearings and apply it to his panel's investigation of computer security issues. He announced at the hearing that he plans to start holding hearings on computer security issues next month.

"Security is an issue beyond Y2K," said White House Y2K czar John Koskinen. "It's important to know who is working on your system."

Fernando Burbano, State Department chief information officer and head of the CIO Council's Critical Infrastructure Protection Subcommittee, said federal Y2K preparations were a "prerequisite" for federal infrastructure protection.

"Y2K preparation efforts increased the level of interagency cooperation and coordination between the public and private sectors," Burbano said. "This same working-level teamwork will be required to effectively implement critical infrastructure protection plans."

Koskinen, who was called out of retirement from the Office of Management and Budget by President Clinton, said he doesn't know what his plans for the future are, but he is sure the President's Council on Year 2000 Conversion will "go out of business" in March.

"I'm not retiring, but I have no plans yet," Koskinen told National Journal's Technology Daily. "I refer to it as trying to figure out what I'll be when I grow up."

He added that the government's Critical Infrastructure Assurance Office (CIAO) would continue independent of the Y2K council, but will build upon the public-private partnerships established to monitor for Y2K breakdowns.

Joel Willemssen, General Accounting Office director of Civil Agencies Information Systems, said that while there were some Y2K problems reported by the Defense and Health and Human Services departments, government systems generally performed well.

"Y2K served as a notice to many for how much we rely on information technology to deliver key services," he said.

]]>

Y2K czar calls for computer security funding

Rebecca S. Weiner — Mon, 06 Dec 1999 00:00:00 -0500

Y2K repair efforts have magnified the need for further government computer security efforts that should be federally funded, Y2K czar John Koskinen said Friday.

"We have to continue to reinforce the importance of the issue," he said at a Federal Reserve Board workshop on computer security.

Koskinen said that the emergency fund Congress approved for federal Y2K repairs was essential, and that lawmakers should continue to focus on technology needs after the 2000 date change happens.

"The emergency fund was clearly a major part of our ability to get things done," he said. "My hope is it would be included in the budget process."

Koskinen said that about $250 million would be left over from the $3.35 billion Congress approved last year for emergency Y2K fixes. He said he would work with the Office of Management and Budget to ensure federal agencies can tap into the remaining funds to fix unforeseen Y2K problems after the date change.

"If there are unexpected problems, we will be able to use the funds," he said.

]]>

ATF puts database software on the beat

Rebecca S. Weiner — Wed, 01 Dec 1999 00:00:00 -0500

Putting database software on the beat, the Bureau of Alcohol, Tobacco and Firearms (ATF) on Tuesday unveiled a national online system that will track crime weapons in an effort to crack down on illegal gun trafficking.

Treasury Secretary Lawrence Summers said ATF's Online LEAD program puts technology to work for law enforcement by quickly compiling gun data so agents can identify trends more quickly.

"This is in many way the most important and effective law enforcement," Summers said. "It's preventative."

The online database is only available via a closed ATF intranet that federal agents can access through its 331 field offices. Local and state law enforcement agencies that want access to the gun information would have to contact a field office and have an ATF agent call up the data. Prior to the new system, the ATF would ship diskettes with database information to its field offices.

ATF has tested the system since February in about 10 field offices. Agents can trace serial numbers on guns to the manufacturer, wholesaler, retailer and the first person that legally bought the weapon. It also can sort data by ZIP code so the agency can target hot spots for gun trafficking.

ATF officials emphasized that the information is stored on a stand-alone system and that data is encrypted before being sent over the agency's closed system.

"We have to be careful in sharing data so we don't jeopardize an investigation," said Wally Nelson, ATF's deputy assistant director for firearms, explosives and arson.

ATF Director John Magaw emphasized that the database is not a national gun registry, and that only guns recovered from crime scenes or those involved in crimes are included.

"There is no national registry," he said. "This has to be a crime gun and there has to be a serial number. It's only crime guns we're interested in."

]]>

Y2K costs government, businesses $100 billion

Rebecca S. Weiner — Thu, 18 Nov 1999 00:00:00 -0500

American businesses and the government will spend more than $100 billion preparing for the 2000 date change, money that should protect the U.S. economy from any Y2K-related economic hits, Commerce Secretary William Daley said Wednesday.

"Obviously, this is a lot of money," Daley said. "But the potential cost of not doing anything was far greater."

The $100 billion figure-or $365 per citizen-covers Y2K repairs started in 1995 through 2001. The Commerce Department's Economics and Statistics Administration, which prepared the cost report, estimates spending beyond the 2000 date change to cover unexpected breakdowns and glitches.

The government has spent about $8 billion, out of the $100 billion total, in its Y2K repair efforts.

Robert Shapiro, Commerce's undersecretary for economic affairs, said the study found that major U.S. trading partners are also well prepared for the date change, therefore Y2K should not negatively impact the U.S. economy.

"We do not expect Y2K problems at home or abroad to throw U.S. economic growth off course," he said. "Firms in competitive markets have spent a great deal of resources fixing the problem."

Still at risk are "hundreds of thousands" of small businesses that have not aggressively made Y2K fixes to their computer systems, White House Y2K chief John Koskinen said. He added that their lack of preparation isn't expected to dent the economy, but it could hurt their livelihood.

"While it won't effect the economy, they could lose customers and go out of business," Koskinen said. "There's still time, but we're getting to the point where it could be too late to start."

Daley added that Commerce has sent out 500,000 Y2K preparation kits to small businesses and associations internationally. Additionally, Congress passed legislation that would give small businesses access to loans though the Small Business Administration to fund Y2K fixes.

]]>

Federal Y2K center almost ready for prime time

Rebecca S. Weiner — Tue, 16 Nov 1999 00:00:00 -0500

The nearly $50 million federal Y2K Information Coordination Center (ICC) is not ready for prime time yet, but federal Y2K czar John Koskinen said he expects everything to be running in time to test the center and be on alert for the 2000 date change by early next month.

Koskinen led a Monday tour of the center, showing off the main information coordination room replete with 98 workstations, nine wall-mounted flat television screens and a glassed in "war room" in which Koskinen and other top federal agency officials will collect, organize and distribute information on how the world's computer systems are faring during the date change.

"The challenge to the federal government is to deal with a volume of information we've never dealt with before," Koskinen said.

The ICC formally will open for business, from 8:00 a.m. to 8:00 p.m., on Dec. 28, and switch to a 24-hour operation, staffed with workers from federal agencies, on Dec. 30. That shift will run through the New Year's weekend and until the business day begins on Jan. 3. Koskinen said the center would then go back to a reduced schedule, until Feb. 29, in which it will be on alert for the leap year.

A core staff of 30 will work at the ICC, with 200 workers expected to work during its peak hours. The center will then go back to its core staff and phase out by June. It's unclear what will happen to the $49 million center after that.

"It's a question we're taking a look at with a number of agencies," Koskinen said.

Concerns were raised earlier this year that the system could be used to carry out, in part, a Clinton Administration cyberterrorism proposal that would call for the creation of a Federal Intrusion Detection Network to track government computer networks.

Koskinen said the Critical Infrastructure Assurance Office (CIAO), one of the federal agencies working on the cyberterrorism project, has moved into the same building as the ICC to see how the Y2K operation works. Private industries in core operations, such as telecommunications and energy, have agreed to report to their respective regulating agencies the Y2K status of their companies' operations, thus allowing the ICC to track public and private systems for Y2K glitches or breakdowns.

"They're looking at the physical capacity of this center," he said. "The templating of information and the partnerships we've formed will put us in good stead in the future."

A spokesman for the Senate's special Y2K committee said Co-Chairman Sen. Robert Bennett, R-Utah, would have an interest in seeing the ICC continue in its emergency monitoring capacity if it works this December.

"He would be among those in favor of keeping the operation alive for other emergencies if it proves effective for Y2K," said spokesman Don Meyer. "We're generally in favor of seeing it have a life after Y2K."

]]>

Y2K chief: Internet to function just fine

Rebecca S. Weiner — Wed, 18 Aug 1999 00:00:00 -0400

The disparate nature of the Internet makes it difficult to tell for sure whether networks are Y2K ready, but that structure also is its greatest protection from glitches caused by the 2000 date change, said the White House's Y2K chief John Koskinen Tuesday.

"The basic core of the Internet appears likely, extremely likely, to function without problems," said Koskinen, who chairs the President's Council on Year 2000 Conversion.

Koskinen added that since there are thousands of Internet service providers (ISPs) in the United States, it's difficult to determine whether they are all prepared. But redundancy in the system will allow data to bypass areas that face temporary breakdowns. Koskinen recently convened a meeting with ISP representatives to determine the Internet's Y2K readiness.

Because of the newness of the Internet, its systems aren't plagued by older programming methods that created the potential for Y2K breakdowns, said Barbara Dooley, president of the Commercial Internet eXchange.

"Because it was developed in the '80s and '90s, it is not saddled with legacy mainframe problems," she said.

Donald Heath, president and CEO of the Internet Society, said standardized procedures, developed relatively recently, should insulate the system from any major Y2K breakdowns. "The Internet should bend, not break," he said.

Jason Zigmont, board member of the Internet Service Providers Consortium, said ISPs are flexible and face downed phone lines and power outages regardless of the 2000 date change.

"These interruptions can happen any day on the Internet, even on Jan. 1, 2000," he said.

ISPs are voluntarily posting the state of their Y2K readiness on a NetY2K.org, Zigmont said.

Koskinen warned that individuals could find the Internet slower if everyone logs on to see if the system is working. He has issued similar warnings about the telephone and 911 emergency systems.

"If everybody decides for fun to log on, you're likely to find some problems," he said. "That's not a Y2K problem, that's a millennium celebration problem."

Heath said that standard Internet protocols should ensure that international Internet servers shouldn't face any major breakdowns. But the systems are susceptible to other non-network problems, such as telephone and power outages.

]]>

FCC chief unveils reorganization plan

Rebecca S. Weiner — Fri, 13 Aug 1999 00:00:00 -0400

The Federal Communications Commission would transform itself into an enforcement body rather than a rulemaking one under a plan Chairman William Kennard forwarded to Congress Thursday.

Kennard's main five-year goals for the FCC include: streamlining the agency to be more responsive to converging technologies, promoting competition in communications markets, increasing access to advanced technologies, fostering a consumer-friendly marketplace, and managing the broadcast spectrum.

Other proposals include asking Congress to exempt the FCC from open meeting requirements so it could "make its decisions faster and with greater efficiency." "A lot of people at the industry forum said that while the Sunshine Act is well intentioned, it makes it harder for the commissioners to enter the debate early in the process," an FCC official said Thursday.

Officials emphasized that the plan is a "work in progress" crafted after getting input from forums held with industry and consumer advocates earlier this year. The next step is to get congressional feedback.

While a number of reforms can be done internally at the FCC, Congress would need to consent to adding two new proposed bureaus for enforcement and public information. The agency has been under fire from Congress for being too bloated and too-heavy handed in regulating communications services.

Rep. Billy Tauzin, R-LA, who heads the House Commerce Committee's telecommunications subcommittee, said Kennard's plan is a start, but doesn't go far enough. Tauzin created a FCC reauthorization taskforce earlier this year to study how the agency's authority could be pared back.

The proposal is "a growing recognition that the FCC, as presently structured, simply isn't working anymore," Tauzin said in a statement.

Tauzin spokesman Ken Johnson said FCC reauthorization legislation should be ready sometime in the fall.

Despite plans to streamline operations and ultimately reorganize bureaus to manage functions rather than industry sectors, officials see no reduction in funding requests for the near future. Converging technologies, such as cable, phone, and wireless offering Internet services, make the agency's traditional structure less flexible to respond to the new market.

"We need the tools to implement this plan. There are clearly budget needs," the FCC official said. "Twenty-five years ago there were three [TV] networks and AT&T. Now there are thousands of companies."

Yet the agency wants more freedom to buy out employees so it can change its current staffing structure and use more outside consultants. The FCC official said restructuring the agency wouldn't necessarily shrink the agency's staff, but rather change "the mix."

"It's not that there will be fewer people, they will be doing different things," the official said.

]]>

Gore appoints new federal e-commerce director

Rebecca S. Weiner — Thu, 12 Aug 1999 00:00:00 -0400

Vice President Al Gore has tapped Commerce Department senior advisor Elizabeth Echols to manage the administration-level Electronic Commerce Working Group.

Echols, in the newly created executive director position, will coordinate the administration's electronic commerce policy among federal agencies, including the deployment of high-speed Internet services, crafting online consumer protections and creating a global e-commerce framework.

"The hot issues right now are broadband deployment, Internet taxes, WTO and a whole host of content issues," said Echols, who will handle a number of the day-to-day duties for the group.

The working group is headed by David Beier, Gore's chief domestic policy advisor, and Sally Katzen, counselor to the director of the Office of Management and Budget.

Echols most recently advised Commerce Secretary William Daley on Internet and e-commerce issues.

The working group is different from another panel created by President Clinton over the weekend. That new group, to be headed by the attorney general, is charged with determining whether new laws or regulations are needed to punish the illegal sale of guns, drugs, explosives and pornography on the Internet.

Echols said that although the two groups play different roles, they would likely coordinate some of their efforts.

]]>

Y2K czar says feds can't fix state, local problems

Rebecca S. Weiner — Fri, 06 Aug 1999 00:00:00 -0400

The federal government can prod and educate local governments and small businesses to ready themselves for the 2000 date change, but it can't do the work for them, said White House Y2K czar John Koskinen Thursday as he released his penultimate assessment on the country's Y2K readiness.

"It's hard for us to reach out and touch everyone," Koskinen said. "We're worried about those local governments, particularly those who want to wait and see what happens."

The most recent data the White House Council on Year 2000 Conversion has for the nation's counties are from April. Koskinen's group relies on information collected and reported by national associations and industry groups to keep track of non-federal Y2K remediation efforts.

The National Association of Counties is considering doing another survey in the fall, but hasn't made a decision yet. The most recent data from April shows that 74 percent of 500 counties surveyed have Y2K plans, but only 51 percent had completed an assessment of their potential Y2K problems, and only 27 percent had completed testing. Fifty-eight percent of counties still did not have contingency plans when surveyed this spring.

Koskinen said the reason for the council's push for local Y2K meetings has been to get local officials to take a more active role in preparing for the 2000 date change.

"We're beyond awareness, we're beyond remediation, we're beyond surveys," he said.

Koskinen added that the federal government has no authority to force small businesses and governments to fix their systems, and therefore they can't depend entirely on Washington to fix problems that could arise on Jan. 1.

"In this case, emergency preparedness starts at the local level," he said. "We are not going to be able to fly blankets to everyone in the United States."

Overall, financial institutions, electric power, telecommunications, and air travel should weather the date change without major problems, Koskinen said. In addition to small governments and businesses, though, elementary, secondary and higher education systems and local health care facilities still lag in preparedness.

Education Secretary Richard Riley sent a letter to all colleges and universities on Thursday urging them to speed up Y2K preparations, and said he is considering requiring them to participate in data exchange testing with the department. So far only 22 of 5,800 postsecondary institutions in the federal student aid programs have tested their systems with the departments.

]]>

Computer security threats go beyond Y2K

Rebecca S. Weiner — Thu, 05 Aug 1999 00:00:00 -0400

While year 2000 remediation efforts could make the government and corporations more vulnerable to attacks on their technology infrastructures, computer security risks will stretch beyond the 2000 date change, a panel of IT experts told House lawmakers Wednesday.

The House Y2K Working Group, headed by Reps. Steve Horn, R-CA, and Connie Morella, R-MD, based their fears of Y2K-related computer security threats on a Gartner Group study that predicts that by 2004 there will be at least one reported loss of $1 billion or more related to Y2K repair efforts.

"While the vast majority of these contractors are honest and trustworthy people, even a few unscrupulous operators could create significant problems," Horn said.

Wayne Bennett, a Boston attorney who focuses on technology issues, said that companies have faced computer security risks ever since they installed the machines, and that the Y2K issue has actually illustrated the vulnerability of the technology infrastructure.

"In fact, such a fraud at some point is inevitable," he said. "But is it more likely now? I doubt it."

Harris Miller, president of the Information Technology Association of America (ITAA), urged lawmakers to continue funding the Critical Information Infrastructure Assurance Program (CIIAP) office at the Commerce Department's National Telecommunications Information Administration, to help government and private industry address computer security concerns.

The House Appropriations Committee, citing a lack of funds for new programs, zeroed out proposed spending for next year for the Federal Intrusion Detection Network (FIDNET), a computer security program drafted by the National Security Council that has raised privacy concerns by civil liberties groups. The CIIAP office is part of a network of government agencies developing a security strategy.

ITAA heads an industry panel-which also includes the U.S. Telephone Association and the Telecommunications Industry Association-that is working with Commerce to develop methods to protect the country's technology infrastructure.

Miller said industry groups are more comfortable working with Commerce than other law enforcement agencies like the FBI.

"A well prepared and informed private sector can work with government to find the proper balance which optimizes the government's need to protect the critical infrastructure with business' need to manage risks appropriately," Miller said.

]]>

Feds draw lessons for computer security from Y2K

Rebecca S. Weiner — Fri, 30 Jul 1999 00:00:00 -0400

Federal officials assured Senate lawmakers Thursday that the estimated $40 million being spent on a Y2K Information Coordination Center (ICC) is an investment in the government's future efforts to monitor the nation's computer infrastructure against cyberterrorism threats.

"We must consider whether spending $40 to $50 million dollars for such a brief period is wise," said Sen. Robert Bennett, R-Utah, at a hearing of the Senate's special Y2K committee. "Congress has a responsibility to make sure that the purpose and scope of the ICC is viable."

White House Y2K czar John Koskinen said efforts to coordinate federal, state, local and private sector emergency communications would help educate officials on how to handle potential future cyber attacks.

"The Y2K problem provides us with an illustration of our reliance on technology," he said. "This is not a one-time only issue. The infrastructure will continually be vulnerable to attack."

Koskinen said he has been working directly with Richard Clarke, the national coordinator for infrastructure protection for the National Security Council (NSC), to develop the ICC. He said the NSC will take lessons learned from the ICC and incorporate them into a broader federal plan to protect the country's technology infrastructure.

Administration security officials have been working since 1998, when President Clinton issued a directive ordering agencies to cooperate with one another and to work with private industry on a plan to ensure the security of critical networks and essential government services.

John Tritak, director of the Critical Infrastructure Assurance Office, said there is a "natural relationship" between the ICC and the counter-cyberterrorism efforts his office is working on.

"Maximum value should be extracted from the ICC experience," he said. "Certain Y2K efforts have taught us a lot about our risks."

Koskinen said the ICC will gather information from global posts, as well as from major industry sectors within the United States, and post big-picture analysis of the Y2K situation on a regular basis starting Dec. 30. He emphasized that the ICC is not a decision-making body, and will not be providing technical assistance to "reconstitute" computer systems that crash. Federal agencies in charge of individual economic sectors will provide hands-on support, as well as industry associations. In areas of overlap, the NSC and State Department will have teams to help fix the problem.

"The ICC will be focused on how to best share information on the status of system operations to increase the likelihood that expert assistance is available to those who are in need and requesting help," Koskinen said.

Full-scale tests of the ICC will begin in November, Koskinen said, with the center starting 24-hour operations on Dec. 30. It will be active through the first two weeks of January and scale back to with a small core staff working through June.

]]>

FCC says 'unregulation' boosted Internet growth

Rebecca S. Weiner — Tue, 20 Jul 1999 00:00:00 -0400

Thirty years of "unregulation" of data services by the Federal Communications Commission has fostered the hyper growth of the Internet, concludes a report by FCC staff released Monday.

While the current path has served the telecommunications industry, the working paper by the FCC's Office of Plans and Policy warns that the convergence of data, video and phone services pose a challenge for the agency.

"The FCC has met the introduction of new communications technologies with the right attitude: let the marketplace, not the government, pick the winners and losers among new services," the study says.

The paper's conclusions mirror statements made by FCC Commissioner William Kennard, that the agency has no interest in regulating the Internet. The report, however, reflects the views of individual staff members and is not a formal statement by the commission.

The study recommends that the FCC not impose "legacy" regulations on new technologies. Some groups have argued that high-speed cable networks should be open to competing Internet service providers, similar to telephone networks.

"New technologies, while perhaps similar in appearance or in functionality, should not be stuffed into what may be ill-fitting regulatory categories in the name of regulation," the study says.

The study attributes the success of the Internet to an open system, while at the same time recommending that high-speed cable networks be left to develop without interference.

"The difference between the open system in the 1960s and now was there was only one pipe into the home," said Jason Oxman, the study's author. "Today, we are in a different environment. There are four to five different pipes into the home under development."

The paper also recommends continued deregulation of current legacy systems, such as the telephone network, and that the agency keep an eye out for anticompetitive practices.

There are currently five bills in Congress that would affect the deployment of high-speed Internet services, as well as an effort to reauthorize the agency this year. While the FCC maintains its hands-off approach, different industry interests have called for a variety of regulatory changes, ranging from giving the Baby Bells relief from parts of the 1996 Telecommunications Act to forcing cable networks to open to competitors.

]]>

Half of big cities lagging in Y2K efforts

Rebecca S. Weiner — Thu, 15 Jul 1999 00:00:00 -0400

The nation's largest cities are lagging in preparing themselves for the 2000 date change, according to a new study by Congress's watchdog group.

Only one city, Boston, is Y2K ready, while half of the remaining cities plan to be ready by Sept. 30, and the remainder between Oct. 1 and Dec. 31, according to a General Accounting Office report scheduled to be released Thursday. While most cities have completed work on transportation and telecommunications systems, few have finished upgrading water treatment systems, public buildings and emergency services.

In a number of cities, services such as electric power and healthcare facilities are operated by counties or states.

The 10 cities that expect to be ready by Dec. 31 include: Los Angeles, Chicago, Phoenix, San Antonio, Detroit, San Francisco, Baltimore, Columbus, Ohio, El Paso, Texas, and Washington, D.C.

The GAO report was prepared for the Senate's special Year 2000 committee. The panel, headed by Sens. Robert Bennett, R-UT, and Christopher Dodd, D-CT, has held a number of hearings over the past two years studying various aspects of Y2K readiness.

While federal programs are expected to be ready for the date change, officials are concerned that state and local organizations haven't prepared enough to handle Y2K-related glitches early next year.

A recent National League of Cities survey of 400 cities found that 92 percent of their critical systems will be Y2K-compliant by Jan. 1, 2000. Two-thirds of the cities have contingency plans, and of those that don't, 48 percent say they are planning to develop one.

]]>

People, not computers, may be worst Y2K problem

Rebecca S. Weiner — Fri, 09 Jul 1999 00:00:00 -0400

Former military and intelligence officials warned Thursday that people, not computers, might be the source of the worst year 2000 problems.

"We expect that a certain number of people are going to short circuit," said Neil Livingstone, CEO of Global Options, a crisis management company. "The millennium has a powerful pull on a lot of people."

Livingstone warned that while companies have focused on repairing their computers to fix the Y2K glitch, they haven't paid enough attention to the ripple effect of Y2K crises outside of the United States.

"Prudent companies need to look beyond fixing their own computers," he said.

Global Options, a crisis management company organized to "resolve difficult business problems" such as kidnapping, terrorism, and cyberwar, is recommending that companies focus on damage control, prepare for problems outside the company's control, identify potential threats, establish a command center, and stock up on supplies and equipment.

Livingstone warned that terrorists, apocalyptic cults and hackers could use the 2000 date change to attack when companies, governments and the public are most vulnerable.

"Because there's so much significance attached to the year 2000, this is an invitation to terrorists and crazies to come out with the biggest bomb," he said.

Jack Gribben, spokesman for the President's Council on Year 2000, said that the council has warned that hackers couldn't pick a worse time to try to break into computer systems, and doesn't expect a rampant problem.

"So many people are going to be on call looking for anything to come up," he said. Other senior advisers to Global Options include Admiral William Crowe, former chairman of the Joint Chiefs of Staff, and John Dalton, former Secretary of the Navy.

]]>

Bill would create DOJ cyber-crimefighting fund

Rebecca S. Weiner — Wed, 07 Jul 1999 00:00:00 -0400

Sen. Patrick Leahy, D-Vt., wants to arm state and local law enforcement officials with tools to fight cybercrime through a new $25 million federal grant program.

S. 1314 would establish a Justice Department-administered grant program that would let states tap into federal funds to provide training to help enforce state cybercrime laws. States would be allowed to choose from private training programs or administer their own.

The Computer Crime Enforcement Act, introduced July 1, also would fund education and enforcement of computer crimes. Issues range from training law enforcement how to collect online evidence to educating the public about secure networks.

The Federal Bureau of Investigation and the San Francisco-based Computer Security Institute found that 62 percent of information security officials reported computer security breaches during the past year. These break-ins, from inside and outside of the companies surveyed, resulted in $123 million in losses from fraud, information theft, sabotage, computer viruses and stolen laptops.

The survey also found that companies are reporting cybercrimes to the police more often, creating the need for new police training. Of those surveyed, 32 percent said they reported serious incidents, up from 17 percent in prior studies.

Sens. Mike DeWine, R-Ohio, and Chuck Robb, D-Va., also have signed on to the bill, which has been sent to the Senate Judiciary Committee for review.

]]>

Senate Y2K report a big seller

Rebecca S. Weiner — Tue, 06 Jul 1999 00:00:00 -0400

The special report of the Senate committee on the year 2000 problem hasn't broken Amazon.com's "Hot Books" list - but it is selling better than Independent Counsel Ken Starr's report to Congress.

A Tennessee publisher of religious books and Bibles has repackaged the report issued by Sens. Robert Bennett, R-Utah, and Christopher Dodd, D-Conn., and is selling at half of the government's price at Amazon.com.

Thomas Nelson publishers have added a forward by Y2K doomsayer Gary North, a move that bothers the Senate committee. North has his own Y2K Web site, which says he is regarded as an "apocalyptic fanatic."

"The whole thing is a little strange," said committee spokesman Don Meyer. "Obviously, it's in the public domain, but we feel strangely violated."

Meyer added that the committee "won't get a cent from it," either.

The Government Printing Office sells a printed version of the report for $16. Or it can be downloaded for free from their Web site. Government documents are not copyrighted, so other publishers are free to repackage and sell them.

Andrew Sherman, GPO's director of Congressional and Public Affairs, said the report has been selling "briskly," and added that in the first three days of its release this spring, 700 copies were ordered by the public.

"Pat Robertson's 700 Club talked about it a lot on its network," Sherman said. "I'm not sure the committee foresaw that particular interest in the issue."

]]>

Y2K czar calls for local discussions

Rebecca S. Weiner — Tue, 25 May 1999 00:00:00 -0400

Asserting that some of the most serious risks of year 2000 computer problems are at the local level, White House Y2K czar John Koskinen is distributing free tool kits to help local leaders build a platform for conversations about year 2000 preparations.

"The goal of the campaign is not to be cheerleaders or to present a false sense of security," Koskinen said Monday. "This is a national campaign for local conversations. This is not the government coming in and telling communities what to do."

The President's Council on Year 2000 Conversion is distributing the kits, which include a guidebook on how to kick off local Y2K discussions and a list of frequently asked questions and answers about the issue.

At least 12 "community conversations" have been scheduled for this summer, with state governments taking the lead. Other industry sectors, including banking and healthcare, are also sponsoring events.

Koskinen said if a sizable number of communities hold Y2K discussions, it could "encourage laggards" to start addressing the issue.

"Our concern is the people who say it's not a big deal," he said. "Ultimately the problem gets solved at the local level."

Koskinen also praised new legislation introduced by Rep. Harold Ford, D-TN, that would designate July as "National Y2K Disclosure Month." H.R. 1884 would require federal agencies to disclose their Y2K readiness and contingency plans, and would encourage local communities to disclose their readiness as well. Ford had originally proposed a bill calling for a national Y2K testing day that was criticized by Koskinen for being impractical.

The kits can be ordered online at www.y2k.gov or by calling the federal Y2K hotline at (888) USA-4-Y2K (888-872-4925).

]]>

Senators want NATO to target Y2K

Rebecca S. Weiner — Wed, 21 Apr 1999 00:00:00 -0400

Sens. Robert Bennett, R-Utah, and Christopher Dodd, D-Conn., warned top North Atlantic Treaty Organization officials Tuesday that Y2K computer glitches could hurt ongoing and future peacekeeping missions.

"Y2K failures both in NATO systems and those of member nations could impact logistic support and force management," wrote Bennett and Dodd, who lead the Senate's special Y2K committee. "Y2K failures could substantially impede NATO, potentially compromising missions."

NATO leaders will be in Washington later this week to commemorate the 50th anniversary of the organization. Bennett and Dodd sent their letter to NATO Secretary-General Javier Solana, European Allied Commander Gen. Wesley Clark and U.S. NATO representative Alexander Vershbow.

Bennett and Dodd worry that NATO command and communications systems may not be ready for the 2000 date change. They urged NATO leaders to address the issue at this week's summit. "While information technology managers may be able to assure that components of critical systems are operations, orchestrating the broad contingency plans that would be required in the event of a failure is something only a commander can accomplish."

The Defense Department still has 156 mission-critical computers it needs to address and was only 72 percent Y2K compliant by the federal government's March 31 deadline.

]]>

Y2K czar warns of funding cuts

Rebecca S. Weiner — Thu, 15 Apr 1999 00:00:00 -0400

Federal agencies could have to stop paying for Y2K contracts they "could legally stop," and give the money back to Congress under a controversial emergency appropriations bill, the Clinton administration's Y2K czar said Wednesday.

The Senate bill, S. 544, would divert emergency Y2K funding to a bill that would appropriate $2.4 billion for Central American hurricane victims, among other things. The proposal asks for $973 million back from the Y2K fund, although there is only $500 million left unspent.

White House Y2K czar John Koskinen told National Journal's Technology Daily that if the funds were taken back, it would be "inconsistent with how Congress has acted so far."

The House version, H.R. 1141, would provide $1.3 billion in emergency funding, but would not dip into the emergency Y2K funds that were appropriated last year.

Sen. Robert Bennett, R-Utah, who chairs the Senate Y2K committee, called the Senate plan "shortsighted," and said he's talking with Senate Appropriations Committee Chairman Ted Stevens, R-Alaska, to fix the situation.

"I cannot think of anything more distressing than to have the federal government not be compliant and the reason be that we ran out of money," Bennett said Wednesday at a hearing on federal Y2K readiness.

Congress last year approved a total of $3.25 billion for federal Y2K repair efforts, with $1.1 billion dedicated to Y2K repairs for the Defense Department. Sen. Phil Gramm, R-Texas, successfully added the provision to S. 544 as an amendment that called for using unspent emergency funds from last year to offset costs for this year's emergency spending bill.

At hearings earlier this year, Stevens assured Koskinen that money should not be an obstacle to the federal government as it prepares for the 2000 date change. This pledge could come into play when House and Senate lawmakers meet to hammer out a compromise emergency spending plan.

]]>

OMB official: Senate set to grab Y2K money

Rebecca S. Weiner — Wed, 14 Apr 1999 00:00:00 -0400

The Senate is making a grab for $973 million in emergency Y2K funding that Congress appropriated last year, an Office of Management and Budget official told House lawmakers Tuesday.

OMB Acting Deputy Director for Management Deidre Lee urged House lawmakers to block the Senate move in conference negotiations over the fiscal 1999 emergency supplemental appropriations bill, S. 544.

"Not only would it eliminate the remaining balance in the emergency fund, but it would also force agencies to stop planned and ongoing procurements for Y2K-related activities," she said at a joint hearing held by the House Government Reform and Science committees on federal Y2K readiness.

Rep. Stephen Horn, R-Calif., chairman of the House Government, Management, Information and Technology Subcommittee, told National Journal's Technology Daily that Lee's claims are "demagoguery" by the Clinton administration, and declined further comment.

Rep. Connie Morella, R-Md., who heads the House Science Committee's technology subcommittee, said this was the first she had heard of Y2K funding being eliminated through the emergency appropriations bill.

"I think we need to contact [Sen.] Bob Bennett and find out what's happening over there," she told National Journal's Technology Daily, referring to the head of the Senate special Y2K committee.

"Everything is on the table," said Don Meyer, spokesman for the Senate Y2K committee. "There's only about $500 million left, and we'd like to see that preserved."

S. 544 would appropriate $2.4 billion to provide, in part, disaster assistance to hurricane victims in Central America. The House version, H.R. 1141, would provide $1.3 billion in emergency funding.

Congress last year approved a total of $3.25 billion for federal Y2K repair efforts, with $1.1 billion dedicated to Defense Department Y2K fixes.

Senate Appropriations Committee Chairman Ted Stevens, R-Alaska, has said he's willing to forward funding to help federal Y2K efforts, although his panel voted to take back what's left of last year's emergency funding. Calls to the Appropriations Committee were not returned.

OMB had not distributed all of the funds, and White House Y2K czar has repeatedly said that no further federal funding would be needed beyond the 1998 emergency funds.

]]>