Security gets thorough Hill vetting

'There is very little indication that anyone takes the security threat seriously.'

Rep. Adam Putnam

Members of Congress feel 'bipartisan frustration' at the slow pace of improvement in federal IT security, Rep. Adam Putnam (R-Fla.) said last month. 'There is very little indication that anyone takes the security threat seriously.'

At a hearing of the Select Homeland Security Subcommittee on Cybersecurity, Science and R&D, witnesses challenged Congress to do more to improve software and hardware quality.

And at a hearing of Putnam's House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, members interrogated inspectors general and CIOs about the results they're seeing from the Federal Information Security Management Act.

Homeland Security subcommittee witnesses were in what Bruce Schneier called 'violent agreement' about threats to the U.S. information infrastructure. Schneier is chief technology officer of Counterpane Internet Security Inc. of Cupertino, Calif., and the author of books on cybersecurity.

Richard Pethia, director of the CERT Coordination Center at Carnegie Mellon University, and Alan Paller, director of research at the SANS Institute of Bethesda, Md., endorsed Schneier's plea to leverage government buying power. They said setting requirements could go a long way to improving commercial software.

Paller predicted the Energy Department soon will announce a contract with Oracle Corp. that requires security certification for software configurations.

Agency liability

Imposing liability on agencies that run unsecured systems 'will instantly improve security, because it will be in people's own best interest to secure their systems,' Schneier said. 'Software security costs money, and if we don't make it in their best interest to spend it, they won't.'

When questioned by the Government Reform subcommittee about compliance with the Federal Information Security Management Act, executive branch witnesses said some progress has been made in the past year, but significant weaknesses remain.

'The challenge is that there is a lot of work and it takes time,' said Mark A. Forman, administrator for electronic government and IT at the Office of Management and Budget.

Commerce Department IG Johnnie E. Frazier said his department had to overcome a history of neglect. Before FISMA's predecessor, the Government Information Security Reform Act, 'IT security was simply not on the radar screen,' he said.

Subcommittee members pressed witnesses about whether they had adequate resources to comply with FISMA.

'I think we're fine with resources,' Forman said.

But other witnesses complained of being stretched thin to meet information security mandates. Frazier said four full-time employees were doing independent evaluations of systems security assessments at Commerce. 'Our resources are very limited,' he said.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.
