Washington, DC — Senate Governmental Affairs Chairman Fred Thompson (R-TN) and Ranking Member Joseph I. Lieberman (D-CT) announced today that the Committee will hold a March 2 hearing to discuss the security of the federal government’s information systems.
“We know that federal agencies continue to use a band-aid approach to computer security rather than addressing the systemic problems which make government systems vulnerable to repeated computer attacks,” said Thompson. “Hopefully, the recent breaches of security at the various ‘dot.com’ companies is the wake-up call needed to focus attention on the security of government computer systems. This Committee has been looking at the federal government’s use of computers since the passage of the Brooks Act in 1965. Since I became chairman of the Committee in 1997, we have heard from security experts, senior government officials and the General Accounting Office about the persistent security risks associated with the government’s information holdings.”
Senator Lieberman added, “The simple and frightening fact is, government computer systems are vulnerable to the kinds of attacks e-businesses have been suffering lately – and worse. Lax government computer security threatens our national security, our transportation and emergency services, our banking and finance. And if this weren’t cataclysmic enough, it also leaves the most personal information of all our taxpayers – our veterans, our elderly, our sick – vulnerable to exposure and exploitation. Scores of government systems have already been hacked although fortunately, none of the intrusions to date has been damaging. But let’s face it: it’s only a matter of time.”
The March 2 hearing will explore the human side of computer security as it relates to successfully implementing a sound government computer security program.
On November 19, 1999, Thompson and Lieberman introduced S. 1993, the Government Information Security Act, which provides a framework for how the government could make its systems more secure while simultaneously providing continuous, uninterrupted services to the public. The legislation is based on Governmental Affairs Committee hearings and a GAO best practices study.
Activities of the Governmental Affairs Committee on Government Information Security
1. GAO Report to the Ranking Minority Member, June 1995, Committee on Governmental Affairs: Department of Energy: Procedures Lacking to Protect Computerized Data
2. GAO Report to Congressional Requesters, May 1996, Information Security: Computer Attacks at Department of Defense Pose Increasing Risks
3. Hearings Before the Permanent Subcommittee on Investigations of the Committee on Governmental Affairs, 104th Congress, Second Session, May 22, June 5 and July 16, 1996: Security in Cyberspace
4. GAO Report to Congressional Requesters, September 1996, Information Security: Opportunities for Improved OMB Oversight Of Agency Practices
5. GAO Report to the Ranking Minority Member, Committee on Governmental Affairs, April 1997, IRS Systems: Tax Processing Operations and Data Still at Risk Due to Serious Weaknesses
6. GAO Executive Guide, May 1998, Information Security Management: Learning from Leading Organizations
7. GAO Report to the Committee on Governmental Affairs, May 1998, Computer Security: Pervasive, Serious Weaknesses Jeopardize State Department Operations
8. GAO Report to the Committee on Governmental Affairs, May 1998, Weak Computer Security Practices Jeopardize Flight Safety
9. Hearing Before the Committee on Governmental Affairs, May 19, 1998, Weak Computer Security in Government: Is the Public at Risk?
10. Hearing Before the Committee on Governmental Affairs, June 24, 1998, Cyber Attack: Is the Nation at Risk?
11. Report to the Committee on Governmental Affairs, September 1998, Information Security: Serious Weaknesses Place Critical Federal Operations and Assets at Risk
12. Hearing Before the Committee on Governmental Affairs, September 23, 1998, Information Security
13. Report to the Committee on Governmental Affairs, May 1999, Information Security: Many NASA Mission-Critical Systems Face Serious Risks
14. GAO High Risk Series, January 1999, Resolving Serious Information Security Weaknesses
15. GAO Supplement to GAO’s May 1998 Executive Guide on Information Security Management, November 1999, Information Security Risk Assessment: Practices of Leading Organizations
THE GOVERNMENT INFORMATION SECURITY ACT
SENATOR FRED THOMPSON
SENATOR JOSEPH I. LIEBERMAN
The Government Information Security Act, a bill to protect Federal government information systems from cyberattack:
Gives the Office of Management and Budget additional information security duties to enhance governmentwide oversight of Federal agencies;
Improves Federal agency performance in protecting information by making agencies accountable for their information security programs;
Requires agencies to have an annual independent audit of their information security programs and practices;
Creates governmentwide controls over Federal information systems, including national security systems;
Highlights the importance of information technology training of government workers.