[Dataloss] Data breaches raise more questions about computer security law

security curmudgeon jericho at attrition.org
Tue Jun 13 15:27:23 EDT 2006


Courtesy WK/ISN:

---------- Forwarded message ----------

http://www.govexec.com/dailyfed/0606/06126p1.htm

By Daniel Pulliam
dpulliam at govexec.com
June 12, 2006

Recently reported breaches compromising sensitive data held by four 
agencies have officials looking at ways to improve federal information 
security laws.

Security experts and former government officials started pointing fingers 
at alleged weaknesses in the 2002 Federal Information Security Act earlier 
this year. In recent interviews, some said they believe that the incidents 
could lead to changes in the law.

Alan Paller, director of research at the SANS Institute in Bethesda, Md., 
a nonprofit cybersecurity research organization, called the compromise of 
personnel records of 1,500 Energy Department employees revealed last week, 
combined with last month's theft of personal data on 26.5 million people 
from a Veterans Affairs Department employee's home, "an indictment of 
FISMA."

In two unrelated incidents, laptop computers containing the personal 
information -- including Social Security numbers, birthdates and names -- 
of about 200 employees at the Social Security Administration and the 
Internal Revenue Service were lost recently.

FISMA requires agencies to identify and categorize risks to their
information technology systems and then implement security controls based 
on those risks.

Paller said agencies are using their technology security funds to pay 
independent contractors to write FISMA-required reports as part of the 
certification and accreditation process, leaving little money for 
implementing actual security measures. A certification and accreditation 
process is necessary, but it should be continuous and automated, Paller 
said.

"There was a thought that to check security, you had to check with people 
and talk to people, but because most attacks are done by systems, you need 
systems to check the security," Paller said. "The VA spent tens of 
millions of dollars certifying and accrediting these systems, and they are 
not secure."

A VA spokesman said that the agency received $77 million for information 
security in fiscal 2006 and $78 million has been proposed for fiscal 2007.

Paller and Bruce Brody, vice president for information security at the 
Reston, Va.-based market research firm INPUT and associate deputy assistant
secretary for cyber and information security at the VA from 2001 to 2004, 
have been critical of FISMA in the past, and both met with staffers from 
the House Government Reform Committee recently to discuss possible changes 
to the law.

Brody, who also served as chief information security officer at the Energy 
Department until December 2005, said that the Energy security breach 
occurred during his tenure at the agency, but within the National Nuclear 
Security Administration, which is autonomous from the department under the 
National Nuclear Security Act.

Paller said he believes that effective reform is possible, but Brody said 
the policy and legislative communities are unlikely to get the changes 
right unless information security practitioners are involved.

Clay Johnson, the Office of Management and Budget's deputy director for 
management, said last week OMB has 95 percent of the laws and policies it 
needs to hold agencies accountable for locking down their information 
systems, but "extra teeth" may be needed. He did not specifically refer to 
FISMA.

Johnson said in testimony before the House Government Reform Committee 
that the administration believes it generally has good policies and laws 
for protecting data, but is "prepared to take more action as necessary."

In a request for comment on the matter, OMB gave no indication that 
changes to FISMA are being considered.

OMB spokeswoman Andrea Wuebker said that FISMA was established to ensure 
that agencies meet consistent standards for security requirements for 
information systems. Agencies are responsible for ensuring that they are 
FISMA compliant and that their employees are trained to work with tough 
security measures, Wuebker said.

"Sound standards and policies are in place, and OMB works with agencies to 
make sure practices match these policies," Wuebker said.

