Tech Law Journal

News, records, and analysis of legislation, litigation, and regulation affecting the computer, internet, communications and information technology sectors



House Committee Gives Failing Grades to Government Agencies on Computer Security

(September 12, 2000) The House Government Management Subcommittee held a hearing on the lack of security of government computer systems. Rep. Horn issued a "report card" on the performance of government agencies in which the average grade was a "D-."

The House Government Reform Committee's Subcommittee on Government Management, Information and Technology held a hearing titled "Computer Security: How Vulnerable Are Federal Computers?" on Monday morning, September 11.


Rep. Steve Horn (R-CA), the Chairman of the Subcommittee, presided. He used the event to release his Report Card assigning letter grades to 24 federal agencies. Last year he issued report cards on agency progress in remediating Year 2000 technology problems.

The average grade was a D-, and many major departments failed. The Department of Justice received an F, as did the Labor, Agriculture, and Interior Departments. The Defense Department received a D+. In contrast, the Social Security Administration received a B, the highest grade given.

Rep. Horn stated that "as the federal government becomes increasingly dependent on computers and the Internet, its computer systems and the sensitive information they contain have come under an increasing number of attacks."

"In order to guarantee the integrity of Federal programs and to protect the personal privacy of all Americans, government leaders must focus their attention on the security of their vital computer systems," said Rep. Horn.

The Subcommittee heard from a large panel of witnesses from the executive branch, as well as one witness each from the General Accounting Office (GAO) and the Cato Institute. The witnesses, in the order in which they spoke, were:

  • John Spotila, Office of Management and Budget.
  • Joel Willemssen, General Accounting Office.
  • John Gilligan, CIO of the Department of Energy, and representative of the Chief Information Officers Council.
  • John Dyer, CIO of the Social Security Administration.
  • Daryl White, CIO of the Department of the Interior.
  • Edward Hugler, Dep. Asst. Sec. for Admin. and Management, Department of Labor.
  • Ira Hobbs, Deputy CIO, Department of Agriculture.
  • Mark Tanner, Information Resources Manager of the FBI.
  • Solveig Singleton, Director of Information Studies of the CATO Institute.

While Rep. Horn issued failing grades to most of the agencies represented by these witnesses, the hearing proceeded in a courteous and non-confrontational manner.

Joel Willemssen presented the GAO's report "Computer Security: Critical Federal Operations and Assets Remain at Risk." The report concludes that "federal computer security is fraught with weaknesses and that, as a result, critical operations and assets continue to be at risk."

The government witnesses testified that they take security and privacy seriously, and are making efforts to improve computer security. Some said that they needed more money.

Excerpt from Solveig Singleton's Prepared Testimony
"As long as we have turned away from recognition of the fundamental need to restrain government power across the board, we will continue to lose our privacy to civil servants. Just in the past decade, massive government databases have grown up. ... Vast amounts of sensitive and detailed information about you are in the hands of federal agencies. The security of this data is an important issue. The underlying battle for our security against government intrusions, however, will never be truly won until we have returned to a vision of a much smaller government."

Solveig Singleton, from the Cato Institute, testified that a large part of the problem was that government agencies collect too much personal information. She then reviewed the scope of databases containing personal information, agency by agency.

The FBI representative, Mark Tanner, testified that most of its databases are offline, and hence do not pose a security threat. "most FBI systems are internal and not connected to non-secure/unclassified systems. This isolation permits some sense of comfort in that systems not connected to the outside are far less vulnerable to compromise and attack."

Singleton testified that one of the major threats to security is abuse of government records by the government employees entrusted with them.

Rep. Horn sympathized with the agency witnesses who said that they needed more money to improve computer security. However, he also provided two other recommendations.

First, he said agencies could do better at exercising security precautions that require no additional funds, such as changing passwords regularly and turning off computers when not in use.

Second, he said that this is the last month of the fiscal year, and many agency heads are now trying to figure out how to spend budget surpluses. Agency technology personnel should be contacting their superiors to request that some of these funds be allocated to computer security.

Rep. Jim Turner (D-TX), the ranking Democrat on the Subcommittee, advocated creating a federal office of Chief Information Officer. He introduced HR 4670, the Chief Information Officer of the United States Act of 2000, on June 15, 2000.

Excerpts from HR 4670
"There is established in the Executive Office of the President an Office of Information Technology ... The purpose of the Office shall be to serve as a source of technical, policy, and management analysis, leadership, and advice for the President and agencies with respect to the development, application, and management of information technology by the Federal Government.

"There shall be at the head of the Office a Chief Information Officer of the United States ... who shall serve as a special assistant to, and report directly to, the President. The Chief Information Officer shall be appointed by the President, by and with the advice and consent of the Senate ..."

Rep. Turner also encouraged government information officers to engage in "cross government initiatives."

Only two members of the Subcommittee participated in the hearing -- Rep. Horn and Rep. Turner.

 

Copyright 1998-2008 David Carney, dba Tech Law Journal. All rights reserved.
Phone: 202-364-8882. P.O. Box 4851, Washington DC, 20008.