Security takes the stage
Thomas R. Temin
From lawyers' alley along Washington's K Street to Capitol Hill, and from chief information officers' suites to agencies' most distant bureaus, a consensus is emerging that security is the Next Big Thing in the federal systems arena.
The presumption is that all year 2000 date code work will end within a few months, leaving everyone with lots of time and money to devote to making systems more secure.
Just to make sure, Rep. Steve Horn is thinking about creating a report card program to grade agencies on their computer security initiatives, as he did for their date code efforts [GCN, Aug. 23, Page 1].
The California Republican's report cards, although hokey, deserve some credit for keeping attention on the issue. Most agencies' systems managers were on top of the 2000 problem, but perhaps the cranky Horn's report cards prodded the few who weren't.
Repairing faulty date code has its subtleties, but basically a system will either process date-dependent code properly or it won't. So although the job was voluminous, it had well-defined parameters.
The same cannot be said of computer security. Whether an agency has adequate systems security is a far harder thing to measure, as Horn himself acknowledges. It may, in fact, be impossible to measure.
Web site hacking, password file cracking, data theft, viruses and denial-of-service attacks differ technically and require different defenses. What's more, remedies vary among operating systems, network protocols and applications. When you fix one security hole, new ones open up.
Of course agencies need to get real about security. It isn't an application you can buy and paste in, nor does it have a deadline after which you can say, 'This system is secure.'
To foster security, Horn and his colleagues could do more than issue report cards. How about passing legislation making digital signatures legal? Or why not overrule the administration's cryptography policy so agencies can put in place security mechanisms that the public can trust?
The report cards are a nice idea, but there's plenty more that Congress can do to ensure the protection of federal systems and data.