Data breaches raise more questions about computer security law

Recently reported breaches compromising sensitive data held by four agencies have officials looking at ways to improve federal information security laws.

Security experts and former government officials started pointing fingers at alleged weaknesses in the 2002 Federal Information Security Act earlier this year. In recent interviews, some said they believe that the incidents could lead to changes in the law.

Alan Paller, director of research at the SANS Institute in Bethesda, Md., a nonprofit cybersecurity research organization, called the compromise of personnel records of 1,500 Energy Department employees revealed last week, combined with last month's theft of personal data on 26.5 million people from a Veterans Affairs Department employee's home, "an indictment of FISMA."

In two unrelated incidents, laptop computers containing the personal information -- including Social Security numbers, birthdates and names -- of about 200 employees at the Social Security Administration and the Internal Revenue Service were lost recently.

FISMA requires agencies to identity and categorize risks to their information technology systems and then implement security controls based on those risks.

Paller said agencies are using their technology security funds to pay independent contractors to write FISMA-required reports as part of the certification and accreditation process, leaving little money for implementing actual security measures. A certification and accreditation process is necessary, but it should be continuous and automated, Paller said.

"There was a thought that to check security, you had to check with people and talk to people, but because most attacks are done by systems, you need systems to check the security," Paller said. "The VA spent tens of millions of dollars certifying and accrediting these systems, and they are not secure."

A VA spokesman said that the agency received $77 million for information security in fiscal 2006 and $78 million has been proposed for fiscal 2007.

Paller and Bruce Brody, vice president for information security at the Reston, Va-based market research firm INPUT and associate deputy assistant secretary for cyber and information security at the VA from 2001 to 2004, have been critical of FISMA in the past, and both met with staffers from the House Government Reform Committee recently to discuss possible changes to the law.

Brody, who also served as chief information security officer at the Energy Department until December 2005, said that the Energy security breach occurred during his tenure at the agency, but within the National Nuclear Security Administration, which is autonomous from the department under the National Nuclear Security Act.

Paller said he believes that effective reform is possible, but Brody said the policy and legislative communities are unlikely to get the changes right unless information security practitioners are involved.

Clay Johnson, the Office of Management and Budget's deputy director for management, said last week OMB has 95 percent of the laws and policies it needs to hold agencies accountable for locking down their information systems, but "extra teeth" may be needed. He did not specifically refer to FISMA.

Johnson said in testimony before the House Government Reform Committee that the administration believes it generally has good policies and laws for protecting data, but is "prepared to take more action as necessary."

In a request for comment on the matter, OMB gave no indication that changes to FISMA are being considered.

OMB spokeswoman Andrea Wuebker said that FISMA was established to ensure that agencies meet consistent standards for security requirements for information systems. Agencies are responsible for ensuring that they are FISMA compliant and that their employees are trained to work with tough security measures, Wuebker said.

"Sound standards and policies are in place, and OMB works with agencies to make sure practices match these policies," Wuebker said.