Where's the money?
It's a story federal information technology managers are all too familiar with: Congress mandates that they must secure their networks from cyberattacks, but fails to appropriate the money needed to properly safeguard systems.
The latest story of shortfalls in IT security spending — and this one is especially troubling — comes from the National Nuclear Security Administration (NNSA). This Energy Department agency was formed in 2000 to manage programs in nuclear weapons, nuclear nonproliferation and naval reactors. Its mission represents "the most significant information and physical security challenge in the nation, if not the world," according to a former information assurance expert at the National Security Agency.
With that kind of security risk, the nation should expect the agency to have the necessary funding to properly secure its IT systems. It doesn't. Of the $72 million NNSA has requested from Congress for cybersecurity for fiscal 2003, the agency expects to get only $66 million, according to a DOE official. The official, however, says the agency needs an additional $30 million — almost 50 percent more — to do the job right.
Security experts say NNSA's situation is not unique; it occurs at agencies across the government and private sector. Information systems that support the foundations of the economy are at high risk, and despite the events of Sept. 11, 2001, they remain so.
However, not all the news is bad. Last month, the Defense Department issued its first-ever wireless security policy, which officials hope will prevent unauthorized users from gaining access to classified information. DOD officials view the increasing use of wireless devices and networks as a potential security threat and are taking progressive steps to secure them.
Congress should do the same before a cyber disaster occurs. Cybersecurity may not have the same sizzle as physical security in that you can't see a firewall or a public-key infrastructure, but Americans can get burned just the same.