Senators call for computer security crackdown

The federal government needs to set a better example in guarding against hackers, and Congress should crack down on agencies that don't employ sound security practices, the chairman and ranking member of the Senate Government Affairs Committee said Wednesday.

"Federal agencies continue to use a band-aid approach to computer security rather than addressing the systemic problems which make government systems vulnerable to repeated computer attacks," said committee chairman Fred Thompson, R-Tenn. "We have to do a better job of cracking the whip at the top."

At a press conference announcing that the committee will hold hearings on government computer security next week, Thompson and ranking member Sen. Joe Lieberman, D-Conn., touted their Government Information Security Act, S. 1993, a measure that would centralize government oversight of information security in the Office of Management and Budget.

Thompson also asserted that his committee had jurisdiction over the role of government computers in the President's recently announced national infrastructure protection plan. The Government Affairs Committee's entry into the information security melange pushes the number of committees dealing with the subject to a half-dozen in the Senate alone.

Other committees that have held hearings on the subject include Judiciary, Armed Services, the Special Committee on the Year 2000 Technology Program, the Joint Economic Committee and the Appropriations Committee.

Calling attention to the series of denial-of-service attacks experienced by some of the leading commercial Web sites in recent weeks, Thompson said he hoped the attacks were the "wake-up call needed to focus attention on the security of government computer systems."

He cited a 1998 General Accounting Office study that found significant security weaknesses at the 24 largest federal agencies. Of the agencies, 23 had significant weaknesses in access controls, 20 had significant weaknesses in service continuity controls, and 17 had weaknesses in developing security-wide planning and management systems.

"We don't want government to force companies to take better security precautions," said Lieberman. "But we can set an example. Regretfully, thus far, we have been a woefully poor example," he said.

Besides centralizing information security duties at the OMB, S. 1993 would require federal agencies to conduct annual audits of their information security plans and would require national security systems, long segregated from other government computer networks, to submit to the same requirements.

"From a management standpoint, there is no reason to keep government-wide controls and national security systems separate," said Thompson, who explained that although opposition from the Department of Defense is expected, he anticipated a possible compromise with the agency.