Rep. mulls grading agencies on security

The head of a technology lobbying group last week suggested that Rep. Stephen Horn (R-Calif.) should apply the same grading system used to evaluate agencies on fixing computers for the Year 2000 problem to agencies' efforts to protect their computer systems from hackers.

Harris Miller, president of the Information Technology Association of America, told Horn that the grading system he developed for rating agencies' progress in fixing Year 2000 bugs "has been a tremendous tool for focusing attention on the [Year 2000] problem."

Harris, testifying at a joint House hearing of the subcommittee on Government Management, Information and Technology, and the Science Committee's Technology subcommittee, suggested that Horn could use several criteria for the grading process, including reports of intrusion and how much an agency spends on computer security. "The report card can help turn the attention toward the problem,'' Harris said. "Make no mistake about it: Information security is the next Year 2000 issue for the IT community and its users."

Horn, chairman of the Government Management Subcommittee, has not decided whether to grade agencies on how well their systems are secured. But computer security is clearly on the subcommittee's agenda.

"The rush to solve the Year 2000 problem may have created another more insidious and potentially troubling problem," Horn said in his opening remarks. "We will discuss the danger that government agencies, corporations and individuals are now more vulnerable to computer fraud, whether it is in the form of electronic robberies or information warfare."

Attention has been focused on computer security since the Gartner Group Inc. released a report in April concluding that more than $1 billion may be stolen by hackers through lapses in computer security directly resulting from Year 2000 remediation efforts. According to Gartner Group, in the case of the potential $1 billion electronic theft or fraud, the motive will likely be one of greed combined with a highly skilled software engineer who feels unappreciated or under-recognized.

"The concern involves something called 'trap doors' - computer coding that can give unscrupulous contractors access to the sensitive information in a computer long after their Year 2000 work is completed," Horn said. "From bank accounts and intellectual property to medical records and defense secrets, companies and government agencies have given contractors the keys that unlock an enormous storehouse of information.''

Miller said government and industry must work to find common ground on information security to address the concerns of law enforcement while respecting constitutional rights to privacy.

"Threats come in many forms: mischief-minded hackers, disgruntled employees, cyberterrorists and rogue nations," Miller said. "This issue is bigger than Y2K and has the potential for greater long-term vulnerabilities if industry and government do not find ways to work together now."

Horn and Rep. Constance Morella, (R-Md.), chairwoman of the technology subcommittee, held the joint hearing to focus on how the federal government and corporations protect their computer systems.

"The most effective theft and fraud deterrent is the perception that there are very high levels of security," said Joe Pucciarelli, vice president and research director at Gartner Group. "Procedure reviews must limit the ability of a single individual to make changes or initiate activities without a second person participating in the process.''

For the federal government, witnesses suggested creating a computer security czar whose role would be to help agencies protect their systems. The security czar's responsibilities should be similar to those of John Koskinen, chairman of the President's Council on Year 2000 Conversion. "The [computer security] czar must have direct access to the executives," Miller said. "That person must have access to the cabinet, vice president and president, like Koskinen."

Pucciarelli suggested that agencies' inspectors general could help agencies protect systems by keeping top management updated on security issues. But the inspectors general should be accountable to someone such as a computer security czar, he said.