Critical Infrastructure Protection
Fundamental Improvements Needed to Assure Security of Federal Operations Gao ID: T-AIMD-00-7 October 6, 1999Since the early 1990s, an explosion in computer interconnectivity, particularly the growth in Internet use, has revolutionized the way that the government and the world communicate and do business. The benefits have been enormous. Without proper safeguards, however, this widespread interconnectivity poses enormous risks to critical operations and infrastructures in such areas as telecommunications, power distribution, law enforcement, national defense, and other government services. This testimony discusses efforts by federal agencies to deal with computer security issues. Recent audits by GAO and agency inspectors general show that the government is not adequately protecting critical federal operations and assets from computer attacks. This testimony provides greater detail on these problems and discusses broader issues that need to be considered as a national strategy for critical infrastructure protection is being considered.
GAO noted that: (1) reports issued by GAO and various Inspectors General over the last 5 years describe persistent computer security weaknesses that place federal operations at risk of disruption, fraud, and inappropriate disclosures; (2) GAO's most recent analysis, of reports issued during fiscal year 1999, identified significant computer security weaknesses in 22 of the largest federal agencies; (3) these included weaknesses in: (a) controls over access to sensitive systems and data; (b) controls over software development and changes; and (c) continuity of service plans; (4) this body of audit evidence led GAO, in February 1997 and again in January 1999, to designate information security as a governmentwide high-risk area in reports to Congress; (5) while a number of factors have contributed to weak federal information security, the fundamental underlying problem is poor security program management; (6) weaknesses continue to surface because agencies have not implemented a management framework for overseeing information security on an agencywide and ongoing basis; (7) to provide greater assurance that critical infrastructure objectives can be met, GAO believes that actions are needed in seven key areas; (8) it is important that the federal strategy delineate the roles and responsibilities of the numerous entities involved in federal information security and related aspects of critical infrastructure protection; (9) agencies need more specific guidance on the controls that they need to implement; (10) implementing such standards for federal agencies would require developing: (a) a single set of information classification categories for use by all agencies to define the criticality and sensitivity of the various types of information they maintain; and (b) minimum mandatory requirements for protecting information in each classification category; (11) routine periodic audits must be implemented to allow for meaningful performance measurement; (12) it is important for agencies to have the technical expertise they need to select, implement, and maintain controls that protect their computer systems; (13) agencies must have resources sufficient to support their computer security and infrastructure protection activities; and (14) there is a need to more comprehensively monitor and develop responses to intrusions, viruses, and other incidents that threaten federal systems.