Information Security

The Proposed Computer Security Enhancement Act of 1999, GAO ID: T-AIMD-99-302, September 30, 1999

Security threats to the government's computer systems are significant and growing. The dramatic rise in computer interconnectivity, coupled with the popularity of the Internet, has made it easier for people to intrude into poorly protected systems and to obtain sensitive information, commit fraud, or disrupt operations. At the same time, the number of people with the skill to "hack" into computer systems is on the rise. Federal web sites have already had to deal with a spate of break-ins. Recently, the government had to cope with the threat of the "Melissa" computer virus. Although that incident caused relatively little damage, it is likely that the next virus will propagate faster, do more damage, and be harder to detect. Yet GAO and others have found that federal agencies are ill prepared to deal with these evolving threats. GAO urges the federal government to swiftly implement long-term solutions, both at individual agencies and governmentwide, to protect systems and sensitive data. In GAO's view, the Computer Security Enhancement Act of 1999 takes several positive steps toward addressing the proliferation of networked systems and the need for better protection of sensitive data belonging to both the government and the private sector. First, the bill requires the National Institute of Standards and Technology to provide guidance and assistance to federal agencies. Second, the bill requires the Commerce Department to establish a clearinghouse of information available to the public on information security threats. Third, the bill requires the National Research Council to assess the desirability of public key infrastructures and the technologies needed to establish such infrastructures. Fourth, the bill establishes a panel to explore developing a national digital signature infrastructure. GAO also discusses what can be done to further strengthen security program management at individual agencies as well as governmentwide leadership, coordination, and oversight.

GAO noted that: (1) the dramatic increase in computer interconnectivity and the popularity of the Internet, while facilitating access to information, are factors that also make it easier for individuals and groups with malicious intentions to intrude into inadequately protected systems and use such access to obtain sensitive information, commit fraud, or disrupt operations; (2) attacks on and misuse of federal computer and telecommunications resources are of increasing concern because these resources are virtually indispensable for carrying out critical operations and protecting sensitive data and assets; (3) the need to protect sensitive data and systems must be weighed not only against cost and feasibility concerns but also against the privacy and security interests of individual citizens and private businesses, as well as those of national security and law enforcement agencies; (4) while information vulnerabilities cannot be eliminated through the use of any single tool, cryptography can help businesses ensure the confidentiality and integrity of information in transit and in storage and verify the asserted identity of individuals and computer systems; (5) the proposed act particularly focuses on the role the National Institute of Standards and Technology (NIST) plays in assisting federal agencies to protect their systems and in promoting technology solutions to security protection based on private sector offerings; (6) it is important to recognize that there is no legislative substitute for the increased management attention and due diligence necessary to implement and ensure the effectiveness of information security controls; (7) it is also important to ensure that NIST retain the ability to develop security standards for unclassified data and to decide which industry standards are appropriate for federal agencies, and that agencies themselves consistently implement such standards; and (8) Congress needs to consider stronger measures that would ensure that executive agencies are: (a) carrying out their responsibilities outlined in laws and regulations requiring them to protect their information resources; (b) identifying and ranking the most significant information security issues facing federal agencies; (c) promoting information security risk awareness among senior agency officials whose critical operations rely on automated systems; (d) strengthening information technology workforce skills; (e) evaluating the security of systems on a regular basis; and (f) providing for periodic evaluation of agency performance from a governmentwide perspective and acting to address shortfalls.
