Senators propose bills to boost IT security

Many agencies have turned the original intent of the Federal Information Security Management Act into a paperwork exercise, according to one senator who has introduced legislation to deal with the problem. Sen. Tom Carper (D-Del.) said instead of measuring whether agencies were improving security, the Office of Management and Budget and inspectors general have been measuring whether agencies produced the right documents. “Measuring an agency’s compliance does not stop the countless examples of data loss due to negligence or willful intent,” Carper said Sept. 11. With the information the government holds, many people, companies and agencies could face serious problems if data is stolen or is missing, he said. That day, Carper introduced the Federal Information Security Management Act of 2008 (), which would require agencies to prove they can properly secure sensitive information and people’s personal data. The bill would allow the Homeland Security Department to test civilian agencies’ security systems and evaluate the agencies’ responses. It also would create a chief information security officer council to strengthen the CISOs’ role in agencies. Carper, chairman of the Homeland Security and Governmental Affairs Committee’s Federal Financial Management, Government Information, Federal Services and International Security Subcommittee, has held oversight hearings to examine how agencies have reduced information security risks. Carper said he found several examples of foreign and domestic cyberattacks on U.S. information networks. The Senate Armed Services Committee has also proposed a way for the government to improve security while keeping up with the nimble and fast-moving technology world. The Senate’s fiscal 2009 National Defense Authorization Act () would create a permanent 1 percent tax on the Defense Department’s information systems security program and other programs focused on protecting its information. According to a report accompanying the legislation, the committee wrote that information technology evolves rapidly, and DOD has no way to keep pace with the important advances. The armed services committee wrote that DOD has no way to set aside money in anticipation of the developments. Officials have asked the Office of Management and Budget for a specific budget line item, but have received none. The committee wrote that those officials have a good argument for adding the set-aside funding to the budget. Today, the Senate was debating the authorization bill. Meanwhile, as IT goes deeper into all sectors of government, states are facing the many of the same issues as the federal government. “While there has been a tremendous amount of focus on protecting the federal government’s cyber infrastructure, I am concerned that not enough attention is being paid to protect state governments,” Sen. Norm Coleman (R-Minn.) said Sept. 10. He introduced the State Cyber Security Protection Act () that day. The bill would establish a pilot program within the Homeland Security Department to provide money to strengthen cybersecurity within state governments. The measure would authorize spending $25 million a year for two years. A state would be able to receive as much as $3 million, and the program would require the money be spread around to states with varying population level s to ensure both large and small states receive these resources, according to the bill. Gopal Khanna, chief information officer for Minnesota and vice president of the National Association of State Chief Information Officers, said unless the IT and network infrastructures the government systems are secure, the nation is not secure. “State IT networks and systems form a critical part of that larger infrastructure,” he said.