Fed cybersecurity doesn't hack it
- By Diane Frank
- Sep 18, 2000
Report card on computer security
A congressional report card released last week on information security gave
federal agencies generally lousy grades, but the only agreement among government
officials is that the marks were deserved, not how to improve them.
Rep. Stephen Horn (R-Calif.) issued the security grades to focus attention
on the lack of security practices in most areas of the federal government.
The governmentwide grade, according to Horn's evaluation, is a D-minus.
And while the highest grade was a B for the Social Security Administration,
seven agencies flunked, including the departments of Health and Human Services,
Agriculture, Justice, Labor and Interior.
"This report card sets a baseline for future oversight and also serves
as a wake-up call for agencies," Horn said.
But even after directives from President Clinton and new policies from
the Office of Management and Budget, everybody agreed that a wake-up call
is in order.
"This may bring the one thing that is missing most often, even today,
which is senior management interest and support," said Glenn Schlarman,
a security policy analyst with OMB's Office of Information and Regulatory
But officials added that recent history shows the necessary attention
is fleeting and that the grades do not help agencies address the basic problems
of ongoing information security management.
Horn's staff worked with the General Accounting Office to get a fair
picture by combining GAO and agency inspectors general audits with agencies'
own responses to a six-page questionnaire on their security systems, practices
and policies. But many agencies said the report card does not reflect their
"I am disappointed with the grade we received today, and in some way
dismayed by it," said Edward Hugler, deputy assistant secretary for administration
and management at Labor.
Since a Labor inspector general security audit last year, the department
has taken a number of steps to correct the problems identified, including
developing a computer security handbook for employees.
Every agency official at Horn's hearing said one key to their improvement
is Congress' willingness to fund the security requests in the fiscal 2001
budget. "The teacher can't issue report cards criticizing the student but
then not offer them the learning and resources to succeed," said Franklin
Reeder, chairman of the Computer System Security and Privacy Advisory Board,
a government/industry group that advises agencies and Congress.
In the past two years, Congress has failed to fund nearly all of the
White House's civilian cybersecurity initiatives, even a well-supported
program to educate and hire information security professionals. So although
agencies deserve their failing grades, so does Congress for its inaction,
said Richard Clarke, national coordinator for security, infrastructure protection
and counterterrorism at the National Security Council.
"So far, I think we're going to have to give them an incomplete because
their semester ends in about 20 days, but then, if it's not funded, I think
we're going to have to give them an F," Clarke said.
Some lawmakers said they recognize their responsibility.
"[I] realize that this Congress has an obligation to supply adequate
funding to agencies so they might meet the requirements that we have imposed
on them," said subcommittee ranking member Rep. Jim Turner (D-Texas).
For his part, Horn said, "We need to be talking to the authorizers and
the appropriators so we make sure that what is needed [in resources and
funding] will be there."