Feds make security recommendations to Hill

Ray Kammer

One suggestion calls for naming a cyberczar to lead the security charge

By Frank Tiboni

GCN Staff

Naming a government systems security czar, changing agencies' attitudes toward security and making the most of technical safeguards were among the recommendations federal systems executives offered recently as ways to combat cyberattacks.

A security champion could call attention to the importance of government cybersecurity and help agencies find and use resources to counter threats, said Rep. Constance A. Morella (R-Md.), chairwoman of the House Science Subcommittee on Technology, which held a hearing last month on the state of government computer security.

Morella questioned officials from the National Institute of Standards and Technology, National Security Agency and General Accounting Office.

'The date for cybersecurity has long passed,' said Keith A. Rhodes, director of the Office of Computer and Information Technology Assessment in GAO's Accounting and Information Management Division. 'Computer security has been a problem since the first computer was turned on.'

Koskinen II?

Rhodes agreed that a security czar with overarching authority, similar to the position held by John A. Koskinen, chairman of the President's Council on the Year 2000 Conversion, would help. But he cautioned that the computer security problem does not have a fixed ending, as does the date code crisis.

The security czar 'would be an extraordinarily large czar because computer security is changing every day,' Rhodes said.

Agencies should be required to call in NIST and NSA, which are responsible for protecting sensitive unclassified systems under the Computer Security Act of 1987, when they experience a cyberattack, he said.

Rhodes submitted a report, Information Security: Recent Attacks on Federal Web Sites Underscore Need for Stronger Information Security Management, that documented how agencies tend to take three narrow approaches that hamper their security efforts:

  • They look at security from a system perspective instead of organizationwide.
  • They categorize information, for example as classified or unclassified, an approach that fails to encompass security across varying levels of risk.
  • They treat information security as a technical function instead of a management one.


The recent rash of viruses and Web site hacks has put a spotlight on computer security issues.

'Federal Web sites are high-profile Web sites,' said NIST director Raymond G. Kammer, in reference to hackers' fondness for defacing them.

A word of warning

The Office of Management and Budget last month sent a letter to agency heads cautioning them to continually assess their computer systems and to maintain adequate security. OMB Director Jacob J. Lew reminded agencies of the security resources available, such as NIST.

When agencies have requested support, NSA has quickly brought systems back online, helped evaluate attacks, offered countermeasures and provided in-depth analyses, testified Michael J. Jacobs, NSA's deputy director for information systems security.

NIST's Kammer recommended six ways agencies can augment computer security:

  • Develop and implement security policies and architectures.
  • Embrace obvious solutions including patches, virus detection tools and intrusion detection software, and firewalls.
  • Test systems continuously.
  • Configure systems with security in mind.
  • Buy independently evaluated and tested security tools.
  • Support security despite limited information technology budgets.

GCN staff writer Shruti Daté contributed to this story.
