OMB orders agencies to boost spending on computer security

The Office of Management and Budget will require federal agencies to submit budget plans that include funds for boosting computer security because the government has continued to get failing grades in that area, a key administration official said Tuesday.

White House cybersecurity adviser Richard Clarke told attendees of the Business Software Alliance global technology summit in Washington that if agencies do not submit fiscal 2003 budgets with cybersecurity plans, OMB will set security budgets for them. The requirements will be outlined in letters OMB director Mitch Daniels is sending to all Cabinet heads this week, he said.

Clarke said he met with California Republican Steve Horn, chairman of the House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, on Monday.

"Horn recently scored the agencies for computer security and gave them F, F, F. And he asked me what I thought of those grades and I said, 'I thought you were too kind," Clarke said. "The government has to set a better example."

Horn's second annual report card on computer security at 24 federal departments and agencies gave the Commerce, Defense, Energy, Justice, Labor and Treasury departments F's.

During his speech, Clarke outlined the lessons he learned from the Sept. 11 terrorist attacks. He said that the United States has smart enemies who understand the nation's reliance on technology and that they know how to use this fact against America. He said the nation's enemies are looking for the "fissures" and openings in the "seams" of U.S. computer networks to exploit.

Clarke urged the information technology and critical infrastructure sectors to work closely with the government to pinpoint computer vulnerabilities and close them before they are attacked. He recommended a dozen changes that could eliminate weaknesses in computer security.

First, he said, IT designers must begin incorporating security as key parts of their products. Rather than seeing security as an add-on product, he suggested that network builders include it in the network from beginning to end.

The tech industry should develop a checklist of computer-security practices, like the checklist developed by the Business Software Alliance, Clarke said. There also should be a better system of distributing and implementing security patches.

Clarke said his biggest worry is a distributed denial-of-service attack, and he suggested that Internet router manufacturers work to develop a product that is more resistant to such attacks. He said providers of high-speed digital subscriber lines should package the service with firewalls to prevent hackers from accessing home computers and using them for attacks.