2 March 2000
Source: http://www.gao.gov/new.items/ai00107t.pdf


[12 pages]

United States General Accounting Office

GAO

Testimony

Before the Committee on Governmental Affairs, U.S. Senate

For Release on Delivery
Expected at
10 a.m. Thursday, March 2, 2000

INFORMATION SECURITY

Comments on the
Proposed Government
Information Security Act of
1999

Statement of Jack L. Brock
Director, Governmentwide and Defense Information Systems
Accounting and Information Management Division


GAO/T-AIMD-00-107


Mr. Chairman and Members of the Committee:

I am pleased to be here to discuss S. 1993, the Government Information Security Act of 1999, which seeks to strengthen information security practices throughout the federal government. Such efforts are necessary and critical. Our work has shown that almost all government agencies are plagued by poor computer security. Recent events such as the denial of service attacks last month indicate the damage that can occur when an organization's computer security defenses are breached. However, Mr. Chairman, let me emphasize that the potential for more serious disruption is significant. As I stated in recent testimony, our nation's computer-based infrastructures are at increasing risk of severe disruption. The dramatic increase of computer interconnectivity, while beneficial in many ways, has provided pathways among systems that, if not properly secured, can be used to gain unauthorized access to data and operations from remote locations. Government officials are increasingly worried about attacks from individuals and groups with malicious intentions, such as terrorists and nations engaging in information warfare.1

____________________

1 Critical Infrastructure Protection: Comments on the National Plan for Information Systems Protection (GAO/T-AIMD-00-72, February 1, 2000).

S. 1993 provides opportunities to address this problem. It updates the legal framework that supports federal information security requirements and addresses widespread federal information security weaknesses. In particular, the bill provides for a risk-based approach to information security and independent annual audits of security controls. Moreover, it approaches security from a governmentwide perspective, taking steps to accommodate the significantly varying information security needs of both national security and civilian agency operations.

Mr. Chairman, I would like to discuss how these proposals can lead to substantial improvements in federal agency performance in addressing computer security issues. In addition, I would like to raise two additional concerns---the need for better-defined control standards and centralized leadership---that, if addressed, could further strengthen security practices and oversight. These two concerns merit further attention as the Committee moves ahead with its work in this area.

Information Security Improvements Are Urgently Needed

Improvements in agency information security practices are sorely needed. Our October 1999 analysis of our own and inspector general audits found that 22 of the largest federal agencies were not adequately protecting critical federal operations and assets from computer-based attacks.2 Highlighting attention to this problem over the past 12 months was the disruption of operations at some government agencies caused by the Melissa computer virus as well as a series of federal web site break-ins. As in past analyses, we concluded that addressing this widespread and persistent problem would require significant management attention and action within individual agencies as well as increased coordination and oversight at the governmentwide level.

____________________

2 Critical Infrastructure Protection: Comprehensive Strategy Can Draw on Year 2000 Experiences (GAO/AIMD-00-1, October 1, 1999).

Our most recent individual agency review of the Environmental Protection Agency (EPA) corroborated our governmentwide analysis.3 Overall, we found that EPA's computer systems and the operations that rely on these systems were highly vulnerable to tampering, disruption, and misuse. EPA's own records identified several serious computer incidents in the last 2 years that resulted in damage and disruption to agency operations. Moreover, our tests of computer-based controls concluded that computer operating systems and the agencywide computer network that support most of EPA's mission-related and financial operations were riddled with security weaknesses. EPA is currently taking significant steps to address these weaknesses. However, resolving EPA's information security problems will require substantial ongoing management attention since security program planning and management to date have largely been a paper exercise doing little to substantively identify, evaluate, and mitigate risks to the agency's data and systems. Any fixes made by EPA to address specific control weaknesses will be temporary until these underlying management issues are addressed.

____________________

3 Information Security: Fundamental Weaknesses Place EPA Data and Operations at Risk (GAO/T-AIMD-00-97, February 17, 2000).

EPA is not unique. Within the past 12 months we have identified significant management weaknesses and control deficiencies at a number of agencies that effectively undermine the integrity of their computer security operations.

____________________

4 DOD Information Security: Serious Weaknesses Continue to Place Defense Operations at Risk (GAO/AIMD-99-107, August 26, 1999).

5 Information Security: Many NASA Mission-Critical Systems Face Serious Risks (GAO/AIMD-99-47, May 20, 1999).

6 Audit of the Department of State's 1997 and 1998 Principal Financial Statements, Leonard G. Birnbaum and Company, LLP, August 9, 1999.

7 Computer Security: Pervasive Serious Weaknesses Jeopardize State Department Operations (GAO/AIMD-98-145, May 18, 1998).

8 Information Systems: The Status of Computer Security at the Department of Veterans Affairs (GAO/AIMD-00-05, October 4, 1999).

Although the nature of operations and related risks at these and other agencies vary, there are striking similarities in the specific types of weaknesses reported. The following six areas of management and general control weaknesses are repeatedly highlighted in our reviews.

Unfortunately, in addressing these problems, agencies often react to individual audit findings as they are reported, rather than addressing the systemic causes of control weaknesses---namely, poor agency security planning and management. S. 1993 recognizes that this approach is unworkable in today's environment.

S. 1993 Proposals Can Lead to Improved Information Security Management

S. 1993 starts with the basic premise that computer security can only work within agencies if a strong management framework is in place. The bill, in fact, incorporates the basic tenets of good security management found in our report on security practices of leading organizations prepared at your request in 1998.9 The bill proposes improvements in three significant areas:

____________________

9 Information Security Management: Learning From Leading Organizations (GAO/AIMD-98-68, May 1998).

If effectively implemented, these proposals should help federal agencies improve their information security practices and considerably strengthen executive branch and congressional oversight. The first improvement area would require a risk management approach to be implemented jointly by agency program managers and technical specialists. Instituting such an approach is important since agencies have generally done a very poor job of evaluating their information security risks and implementing appropriate controls. Moreover, our studies of public and private best practices have shown that effective security program management requires implementing a process that provides for

- assessing information security risks to program operations and assets and identifying related needs for protection,
- selecting and implementing controls that meet these needs,

The key to this process is recognizing that information security is not a technical matter of locking down systems, but rather a management problem that requires understanding information security risks to program operations and assets and ensuring that appropriate steps are taken to mitigate these risks. Thus, it is highly appropriate that S. 1993 requires a risk management approach that incorporates these elements.

The second proposed improvement area is the requirement for an annual independent audit of each agency information security program. Individually, as well as collectively, these audits can provide much needed information for improved oversight by the Office of Management and Budget (OMB) and the Congress. Our years of auditing agency security programs have shown that independent tests and evaluations are essential to verifying the effectiveness of computer-based controls. Audits can also evaluate agency implementation of management initiatives, thus promoting management accountability. Moreover, an annual independent evaluation of agency information security programs will help drive reform because it will spotlight both the obstacles and progress toward improving information security, much like the financial statement audits required by the Chief Financial Officers Act of 1990.

Agency financial systems are already subjected to such evaluations as part of their annual financial statement audits. However, I would like to note that for agencies with significant nonfinancial operations, such as the departments of Defense and Justice, the requirement for annual independent information security audits would place a significant new burden on existing audit capabilities. Accordingly, making these audits effective will require ensuring that agency inspectors general have sufficient resources to either perform or contract for the needed work.

Third, S. 1993 takes a governmentwide approach to information security by accommodating a wide range of information security needs and applying requirements to all agencies, including those engaged in national security. Under current law, distinctions between national security systems and all other government systems have tended to frustrate efforts to establish governmentwide standards and to share information security best practices. S. 1993 should help eliminate these distinctions and ensure the development of common approaches across government for the protection of similar risks, regardless of the agencies involved.

This is important because the information security needs of civilian agency operations and those of national security operations have converged in recent years. In the past, when sensitive information was more likely to be maintained on paper or in stand-alone computers, the main concern was data confidentiality, especially as it pertained to classified national security data. Now, virtually all agencies rely on interconnected computers to maintain information and carry out operations that are essential to their missions. While the confidentiality needs of these data vary, all agencies must be concerned about the integrity and the availability of their systems and data. It is important for all agencies to understand these various types of risks and take appropriate steps to manage them.

Strengthening Security Control Standards and Leadership Also Merits Attention

While S. 1993 would update the current legislative framework for computer security, two important considerations not addressed in the bill--the need for better-defined security control standards and the need to clarify and strengthen leadership for information security across government--are critical to strengthening security practices and oversight. I would like to discuss these in more detail as they complement the goals of S. 1993 and could significantly enhance its provisions.

First, there is a need for better-defined security control standards. Currently, agencies have wide discretion in deciding what computer security controls to implement and the level of rigor with which they enforce these controls. However, as mentioned earlier, our audit work has shown that agencies have generally done a poor job of evaluating risks and implementing effective controls. Moreover, these audits have shown that agencies need more specific guidance on the controls that are appropriate for the different types of information that must be protected. Current OMB and National Institute of Standards and Technology (NIST) guidance is not detailed enough to ensure that agencies are making appropriate judgments in this area and that they are protecting the same types of data consistently throughout the federal community.

More specific guidance could be developed in two parts:

We believe that requiring the development of these standards, particularly with minimum mandatory control requirements, is the most important addition that could be made to your legislation. More precisely defined standards will provide common measures that can guide agencies in developing needed controls and improve the consistency and value of audits and evaluations.

Second, there is a need for strong, centralized leadership for information security across government. Under current law, responsibility for guidance and oversight of agency information security is divided among a number of agencies, including OMB, NIST, the General Services Administration (GSA), and the National Security Agency. Other organizations are also becoming involved through the administration's critical infrastructure protection initiative, including the Department of Justice and the Critical Infrastructure Assurance Office. While some coordination is occurring, overall, this has resulted in a proliferation of organizations with overlapping oversight and assistance responsibilities. Lacking is a strong voice of leadership and a clear understanding of roles and responsibilities.

Having strong, centralized leadership has been critical to addressing other governmentwide management challenges. For example, vigorous support from officials at the highest levels of government was necessary to prompt attention and action to resolving the Year 2000 problem. Similarly, forceful, centralized leadership was essential to pressing agencies to invest in and accomplish basic management reforms mandated by the Chief Financial Officers Act. To achieve similar results in information security, the federal government must have the support of top leaders and more clearly defined roles for those organizations that support governmentwide initiatives. We believe serious consideration should be given in your legislation to clarify the roles of organizations responsible for governmentwide information security efforts, for example, the roles of OMB, NIST, and GSA and to create a national Chief Information Officer to provide higher visibility and more effective central leadership of information security.

In conclusion, we support S. 1993. It provides ingredients essential to reforming agency information security practices and governmentwide oversight. In particular, it recognizes the highly networked nature of the federal computing environment; it calls for a more comprehensive, risk-based framework toward information security management; and it provides for annual independent audits of security programs. Basically, the bill provides a better management framework for addressing information security issues and provides a mechanism for independently checking how those issues are being addressed. As we noted, this objective could be further strengthened by requiring better-defined security control standards and strengthening governmentwide leadership. Mr. Chairman and Members of the Committee, this concludes my testimony. We look forward to working with the Committee to advance the issues discussed today as well as to address our technical comments, which we have provided separately. I would be happy to answer any questions you may have.

(511184)


HTML by Cryptome.