Government, industry debate cybersecurity remedies

During an oversight hearing on federal agencies' progress in securing their systems, members of the House Committee on Government Reform's Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census noted a measured improvement in the computer security of 24 agencies but chastised the groups for moving too slow. Although network security increased on average for the federal agencies in 2003, only half of the federal groups had completed basic security assessments of every system on their networks.

"Our government has taken very dramatic steps to increase our physical security, but protecting our information networks has not progressed commensurately, either in the public or private sector," subcommittee chair Adam Putnam, D-Fla., said in a statement. "We are collectively not moving fast enough to protect the American people and the U.S. economy from the very real threats that exist today."

The government debate took place as five industry working groups are preparing to release their interim reports on how to improve private sector Internet security. Two working groups--one focusing on security awareness for home users and small businesses and the other focusing on a workable cybersecurity warning system--will release their initial recommendations Thursday. A third report, on technical standards, will be released March 31, and two final reports, on improving software development practices and on ways of making boardrooms more responsible for information security, will arrive April 6.

The reports are the latest efforts by private industry, which owns and operates nearly 85 percent of the critical infrastructure in the United States, to convince Congress to refrain from introducing legislation that would mandate a solution to companies' security woes. The working groups, founded in December during the first National Cyber Security Summit, were formed largely to forestall a bill that would have required companies to release the results of a security audit in their quarterly filings to the Securities and Exchange Commission.

Putnam took the federal agencies to task for their security shortcomings, which resulted in the groups getting a collective D for 2003 based on assessments done by the Office of Management and Budget and the General Accounting Office. The grades were based on information security reports required under the Federal Information Security Management Act, which establishes detailed security regulations for agencies to follow. Private companies have no such obligations.

Only two agencies, the Nuclear Regulatory Commission and the National Science Foundation, received a grade of A. Fourteen other agencies improved their grades, while two, the Department of Health and Human Services and the National Aeronautics and Space Administration, lost ground. Overall, the government earned a D on this year's report card. In 2002, it was given an F.

The Department of Homeland Security itself, which is now a year old, failed the audit. However, Putnam largely gave the group a bye.

"While the DHS had a failing grade, we recognize the difficult organization that took place and we expect significant improvement next year," Putnam said in a statement.

The industry working group drafting guidelines for an effective early warning system will be able to point on Thursday to some solid progress. In late January, the Department of Homeland Security inaugurated a cyberalert system that warns the average citizen and technical computer users alike of security threats. The system relies on the expertise of many security companies.

It's not clear yet, however, whether the system has helped raise security awareness.