Agencies, Congress urged to upgrade computer security planning
Federal agencies are failing to secure their computer networks because senior managers and congressional appropriators do not incorporate technology security into their long-term planning, lawmakers and e-government experts said this week.
Two lawmakers warned of dire consequences if the federal government does not shore up its information technology defenses.
"The time for discussion and debate now yields to a more important requirement for action," Rep. Adam Putnam, R-Fla., said at a hearing Tuesday. "We know that various terrorist groups are very sophisticated and [are] becoming more so each day."
Putnam serves as the chairman of the House Government Reform Subcommittee with oversight responsibility for e-government security issues.
In December 2003, Putnam's subcommittee graded federal agencies on their IT security, under guidelines laid out by the 2002 Federal Information Security Management Act. Of the 24 agencies surveyed, 14 received grades of D or F. The federal government received an overall grade of D, and only five agencies completed required inventory evaluations. Putnam said that agencies cannot develop comprehensive security plans if they do not know their technology assets.
"The fact that only five agencies really know what they own is very troubling," he said.
House Government Reform Committee Chairman Rep. Tom Davis, R-Va., said Monday that the nation could be hit with a "cyber Pearl Harbor" if IT security measures are not improved.
"We didn't expect them to score well [in the December grading], and they didn't disappoint," Davis said. He called for increased investment in IT security infrastructure, but acknowledged that the appropriations process "is always about the here and now."
Information network defenses require long-term investment and top-level attention, two e-government analysts said Tuesday at an IT security breakfast in Arlington, Va.
"You are not going to snap your fingers and have security overnight," said Michael Rasmussen, an analyst for the technology consulting firm Forrester Research.
Les Cashwell, of e-government consulting firm Cashwell & Associates, said that federal IT security efforts are plagued by a lack of attention from senior management, poor long-range planning and nonexistent security benchmarks.
In a report last year, the Office of Management and Budget said many agency officials do not understand their IT security responsibilities. Karen Evans, OMB's e-government administrator, said at the hearing Tuesday that agency chiefs are ultimately responsible for IT defenses but that "everyone has to play a part in the cybersecurity piece."
It is important to identify where the buck stops for information network security, Putnam argued. "Everybody's responsibility," he said, "is nobody's responsibility."