The Senate Governmental Affairs Committee on Thursday approved legislation (S. 1993) to provide "a comprehensive framework" for protecting federal computer records against cyber-attacks by outside hackers.
The bill also seeks to guard against unauthorized disclosures caused by accidental or careless procedures in handling and protecting information.
Co-sponsored by Committee Chairman Fred Thompson, R-Tenn., and Ranking Democrat Joseph Lieberman of Connecticut, the bill passed by voice vote. The Clinton Administration had worked with the committee to iron out some issues in the original version of the bill, according to committee aides.
When the bill was first introduced last Nov. 19, Thompson complained that "federal agencies continue to use a band-aid approach to computer security rather than addressing the systemic problems which make government systems vulnerable to repeated computer attacks."
"Hopefully, the recent breaches of security at the various 'dot.com' companies is the wake-up call needed to focus attention on the security of government computer systems," Thompson said.
At that time, Lieberman also observed, "Government computers are rife with sensitive information ... on national security, the strength of our economy, transportation and communications systems and the personal lives of millions of citizens"-as well as the mechanisms for controlling weapons of mass destruction, tracking the offensive movements of enemy states and controlling the economy and threats to public health. All these appeared vulnerable to computer hijacking, he said.
Yet, Lieberman said, the General Accounting Office had found that a test unit it set up could crack computerized information systems controlling spacecraft and information gleaned by space exploration, obtain access to State Department networks, veterans' records, tax records and benefit and demographic information. In some cases, the test unit found it would have been able to alter the information in these systems if it wanted to do mischief, he said.
Thompson said the weaknesses of the computer information system were essentially a management issue.
To correct this, the bill approved Thursday would set up a tight chain of command and responsibility for strengthening and protecting computer records. It would stretch from the director of the Office and Management and Budget at the top to individual departments and agencies below. Each one's progress in developing plans to strengthen computer security and protecting information would be monitored peridiodically by an outside agency, such as the GAO.
Each government agency would have to develop a security plan, switch to procedures identified as "best practices,"and make sure the relevant employees are properly informed and trained, under the bill.
At the head of this chain of command would be the OMB director. Under him, Thompson explained at Thursday's committee meeting, the deputy OMB director for management "will be responsible for seeing that agencies do what they should in non-defense areas," and the Secretary of Defense and the Director of Central Intelligence would have similar responsibility with regard to national security, defense and other "classified information systems."
"They must adopt progams and plans that will make us secure," Thompson added.
Thompson said the GAO would monitor the various computer security programs at departments and agencies annually. "This will make it as secure as possible," said Lieberman: "an annual plan and independent audit" of each agency.
According to the committee, the bill, as approved, would:
- Establish clear federal agency accountability for information security.
- Require each agency to have an annual independent evaluation.
- Give the Defense Secretary and CIA director responsibility for national security and other classified information system security. (Addition of this provision was one of the major changes made in the original bill by the substitute text, staff aides said.)
- Give agency managers flexibility to attract the "best and brightest technology talent through the use of scholarships, fellowships and federal service agreements." (This was another major change made by the substitute text, the aides said.)
- Focus on the importance of training programs.
An amendment by Sen. Daniel Akaka, D-Hawaii, added by voice vote, would require agencies to report on the time periods and resources needed to implement agencywide security programs.