Cybersecurity legislation gets mixed reviews
Government and industry officials on Thursday hailed a bill aimed at ensuring that federal agencies maintain strong information security but questioned certain aspects of the measure.
Two House Government Reform subcommittees--Government Efficiency, Financial Management and Intergovernmental Relations, and Technology and Procurement Policy--held a joint hearing on the bill, H.R. 3844, which would permanently reauthorize the Government Information Security Reform Act (GISRA) and implement additional computer-security measures for federal agencies.
Mark Forman, e-government chief for the Office of Management and Budget, said the administration is still developing its position on the legislation. He said the continued strong role of the National Institute of Standards and Technology in information security is "critical." NIST will help agencies conduct security reviews for submission to OMB.
Robert Dacey, director of information security at the General Accounting Office, agreed that continuation of GISRA is "essential" but said the administration should do more to obtain technical expertise to protect computer systems and to make sure sufficient resources are available.
But certain changes should be made to the legislation, some panelists said.
The bill, for instance, calls for an information-emergency response center. But Daniel Wolf, information assurance director for the National Security Agency, said yet another incident-response center like those housed at NSA, the Defense Department and the FBI's National Infrastructure Protection Center would add "unnecessary redundancy."
The Commerce Department, meanwhile, does not want the measure to transfer authority on security standards from NIST to OMB. Ron Miller, chief information officer of the Federal Emergency Management Agency, suggested that the bill should include a stronger link between security requirements for information technology and the capital planning process, and that there should be more focus on retaining IT professionals and individual accountability for security.
"It would be very useful if the federal government provided IT security training in perhaps the same way that it offers standardized training in technology subjects, management skills, leadership development and other professional disciplines," Miller said.
Miller also said effective cybersecurity will require a coordinated effort with the White House Office of Homeland Security to link the federal government with other governmental and industry representatives.
Jim Dempsey, deputy director for the Center for Democracy and Technology, also said the measure should not eliminate the Computer System Security and Privacy Advisory Board, which has served as an advisory group for the federal government on privacy issues.
"At the current time, when there are so many important privacy issues facing the government and the private sector, it is inadvisable to reduce the federal government's ability to address privacy issues," Dempsey said.
Dempsey said the legislation also would not address enough privacy concerns and should include provisions to bring privacy and other aspects of information policy into the development of security standards. He said government should look to privacy practices currently employed by the private sector as a model.
A Davis spokesman said the goal is to get the bill marked up in the full House Government Reform Committee within two weeks.
GAO and the subcommittees released a report (GAO-02-407) detailing what other actions are necessary to fully implement GISRA and other information security reforms.