nformation technology has enabled government agencies and departments to work more efficiently. But with the productivity improvements have come new risks to the confidentiality, integrity, reliability and availability of government information, which increasingly resides on computer systems. Threats range from human error to theft, vandalism, organized crime, terrorist operations, power outages, natural disasters and international cyber warfare (Attempts by hostile nations to disrupt critical computer networks).
New computing technologies and methods have introduced new vulnerabilities. The move toward decentralized, networked computing systems has multiplied points of access, as has the trend of making more government information and services available to the public through the Internet. Portable computing, telecommuting and remote access services have also spread the problem beyond the office doors. And in a fast-changing marketplace, immature technologies such as Java are being implemented before their effects on security are well understood.
The culprits also have more technology at their disposal. Automated hacker tools allow relative novices to attack thousands of computer systems at a time. "The sophistication and severity of attacks has gotten worse," says Kathy Fithen, a manager at the federally funded Computer Emergency Response Team Coordination Center (CERT/CC) in Pittsburgh, Pa.
Although these trends also affect the private sector's computer systems, some consider government to be more at risk because it's in the public eye and because of the sheer number of computers it uses. Because classified information is protected much more rigorously, the primary risks are to unclassified information the government uses in its day-to-day operations. But much unclassified information is nevertheless sensitive or private.
Last year the General Accounting Office, relying on data supplied by the Defense Information Systems Agency, reported that the Defense Department suffered about 160,000 successful Internet-based attacks on its unclassified computer systems in 1995. And within the last year, there have been numerous high-profile desecrations of government Web sites, including incidents at NASA, the CIA, the Justice Department and the Air Force. A recent Computer Security Institute survey showed that many more breaches go unreported.
The most highly publicized computer security breaches are hacker attacks, but security experts say the biggest dangers, both accidental and deliberate, to information technology resources are within the organization. Threats range from employees choosing easily guessable passwords, not backing up data, or leaving connected computers unattended, to "disgruntled LAN [local area network] managers with a nefarious bent," says Don Heffernan, assistant chief information officer for the General Services Administration.
Unfortunately, such threats can never be entirely eliminated. "You can't obtain complete security for any cost," says Robert H. Anderson, head of the information sciences group at Rand Corp., a Santa Monica, Calif., think tank. But the risks can be reduced by changing information-handling procedures, raising user awareness and applying the right combination of security-related products and services.
The government has recently taken steps to counter computer security threats. Last year, the Office of Management and Budget modified Circular 130-A, which defines minimum security controls for federal computer systems. The circular now requires agencies to have both security plans and computer incident response teams. The Federal Computer Incident Response Capability (FedCIRC) was established to help civilian agencies start incident response programs, conduct security evaluations, and educate them on trends, tools and relevant technologies. Also, the National Institute of Standards and Technology will soon issue a policy and planning guidance document.
An executive order last July created the President's Commission on Critical Infrastructure Protection, a government-industry group charged with recommending a national strategy for protecting "critical infrastructures," including essential government operations.
The General Services Administration's Security Infrastructure Program Management Office helps agencies implement data-security solutions. Meanwhile, many security experts stress the need for additional training for those charged with maintaining system security. As computer systems grow more complex, maintaining their security "is becoming a full-time job," Anderson says.
Fortunately security-related products are becoming more interoperable, more user-friendly and easier to administer. Their prices have also dropped somewhat. But security products should be considered only as a component of an overall security solution. The following pages describe some of the latest products and services available to security professionals.