9 Hot Trends for '99

nferris@govexec.com

A

fter years of neglect, information security suddenly is a hot topic. In fact, hardly a day goes by without a news report of some breach. The Chernobyl and Melissa viruses, Serbian hackers waging infowar against NATO's networks, and careless handling of sensitive data at national laboratories made headlines this spring, for instance.

The problem is much bigger than the headlines would suggest. The annual Computer Security Institute survey of corporations and government agencies this year found 78 percent of the 521 respondents reporting computer security problems in the last 12 months. "Insider abuse of network access" and virus contamination were the most common problems, the survey indicated, but one in four of the respondents said their systems had been penetrated by an outsider.

The federal government is no less vulnerable than the private sector. The General Accounting Office, in a September 1998 report (GAO/AIMD-98-92), said virtually every federal agency is at risk. GAO identified three kinds of vulnerabilities:

  • Fraud and misuse of federal assets;

  • Inappropriate disclosure of sensitive information;
  • Disruption of critical operations.

Like most other analyses, the GAO report bemoaned the lack of solid data on the problem. Although the watchdog agency has found significant security weaknesses in every agency it audits closely, its report said "it is likely that the full extent of control problems at individual agencies has not yet surfaced."

As agencies connect their systems and give employees and the public access to more information, the risks are growing. What's more, the widespread federal adoption of commercial standards such as Microsoft Windows and the World Wide Web makes it easier for intruders, as well as authorized individuals, to penetrate systems.

GAO called for more central oversight of information security by the Office of Management and Budget, but OMB responded that agencies must take responsibility for their own programs and data. "The greatest challenge to enhancing information security programs and developing a workable infrastructure protection program is to ensure that protection efforts are 'owned' by the program and business managers at the agencies who are accountable for the success of their entire program, including security," wrote G. Edward DeSeve, then acting deputy director of OMB for management.

Meanwhile, the Clinton administration's fiscal 2000 budget calls for $1.46 billion in spending, a 40 percent increase, to defend the nation's critical infrastructure against cyberattack. "This investment will help secure computer systems and networks that are potentially vulnerable to computer attack," according to a news release from the Critical Infrastructure Assurance Office (CIAO).

CIAO was established under the aegis of the National Security Council to coordinate the implementation of Presidential Decision Directive 63, which requires federal agencies to protect themselves against cyberattack and calls for creation of a national protection plan.

The directive also led to establishment of a new FBI office, the National Infrastructure Protection Center (NIPC), to foster information-sharing among agencies and with the private sector. The NIPC also coordinates the federal response to incidents.

Other federal efforts to bolster communications security are under way as well. For example, the National Institute of Standards and Technology and other agencies are continuing to work on a widely acceptable format for universal digital signatures. These are software-based mechanisms for assuring the recipient of an e-mail message or other electronic file that the apparent sender was, indeed, the source and that the file was not modified in transit. Digital signature issues have both policy and technology elements.

However many new programs and policies are in place, cyberspace is unlikely to be a safe environment soon. It's more likely that reports of security problems will continue to multiply until, like shoplifting at shopping malls, they hardly count as news.