Industry gives government low cyber security grades
The Cyber Security Industry Alliance (CSIA) has given the government low grades on its cyber security. The Alliance has called on the federal government to significantly bolster its efforts to ensure the security of sensitive information, to improve the security and resiliency of the critical information infrastructure and to increase federal information assurance in 2007 — all areas CSIA graded in 2006 with a “D.”
CSIA’s latest annual report, the “2007 Agenda for U.S. Government Action,” identifies specific actions for Congress and the Administration to focus on to improve information security for citizens, industry and governments globally.
“While the government has taken some positive steps forward to improve the state of information security, action has been decidedly mixed,” says Liz Gasster, acting executive director and general counsel of CSIA. “CSIA commends the government for moving forward on several key initiatives including the Senate’s ratification of the Council of Europe’s Convention on Cyber Crime and the appointment of an Assistant Secretary for Cyber Security and Telecommunications. However, we are discouraged by Congress’ inability to pass a comprehensive federal law to protect sensitive personal information, even in the face of more than 100 million Americans having their data records exposed.”
One year ago, CSIA called on the Administration and Congress to enhance the nation’s information security by acting on 13 critical recommendations to protect against cyber threats. CSIA’s Federal Progress Report graded the government on its follow-through on the 2006 recommendations. Rather than grade each specific initiative, CSIA offers a composite grade for each area to provide a more holistic view of how the government is performing:
* Security of Sensitive Information: Congress ratified the Council of Europe Convention on Cyber Crime but failed to pass a comprehensive law to protect sensitive personal information. Grade: D
* Security and Resiliency of Critical Information Infrastructure: The Department of Homeland Security (DHS) appointed an Assistant Secretary for Cyber Security and Telecommunications and implemented programs such as LOGIIC and Cyber Storm, but has not offered a clear agenda on the Department’s top cyber security R&D priorities or established a survivable emergency coordination network to handle a large-scale cyber security disaster. Grade: D
* Federal Information Assurance: Government continues to offer a mixed bag of successes and failures, with progress within OMB and implementation of HSPD-12, but much improvement is needed in the areas of using the power of procurement, resolving systemic telework issues, and releasing information on the cost of cyber attacks. Grade: D
In its 2007 Agenda for U.S. Government Action, CSIA calls on the Administration and Congress to implement the following recommendations to help improve the privacy, reliability and integrity of information:
* Security of Sensitive Information: Pass a comprehensive federal law to secure sensitive personal information and notify consumers in case of a breach. This data security legislation should apply equally to all government and private sector entities that collect, maintain or sell significant numbers of records containing sensitive personal information, and require organizations to establish reasonable security measures to ensure the confidentiality and integrity of sensitive personal information, in order to minimize the likelihood of a breach.
* Security and Resiliency of Critical Information Infrastructure: DHS should quickly establish cyber security and telecommunications priorities that address situational awareness, emergency communications, and recovery and reconstitution, and that ensure appropriate funding is in place to support these programs. In the event of a major information infrastructure attack or disruption, an integrated, dedicated system should be implemented to monitor the information infrastructure.
* Federal Information Assurance: Congress and the Administration should work together to strengthen the Federal Information Security Management Act (FISMA). To effectively establish and maintain a comprehensive information security program, the power of federal CIOs should be strengthened so that they can better enforce authority concerning budgets and personnel resources. Federal agencies should increase their assessments and testing of information security controls, and acquisition regulations should be revised to ensure that all federal contractors comply with FISMA requirements. In addition, all agencies should establish a common requirement to notify citizens in case of a breach of sensitive personal information.
To obtain a full copy of CSIA’s Federal Progress Report for 2006 and 2007 Agenda for U.S. Government Action, please visit: www.csialliance.org/resources/pdfs/CSIA_06Report_07Agenda_US_Govt.pdf