CDT Testimony

H.R. 3482, "The Cyber Security Enhancement Act of 2001"

Testimony of James X. Dempsey
Deputy Director
Center for Democracy and Technology

before the
Subcommittee on Government Efficiency,
Financial Management and Intergovernmental Relations
and the
Subcommittee for Technology and Procurement Policy
of the House Committee on Government Reform

on H.R. 3844, the "Federal Information Security Reform Act of 2002"

May 2, 2002

Chairman Horn, Chairman Davis, and Subcommittee Members, thank you for the opportunity to testify on the vitally important issue of the security of government information systems. The Center for Democracy and Technology is a non-profit, public interest organization. Our core goals include enhancing privacy protections for individuals and preserving the democratic potential of the Internet. Among its various activities, CDT coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer, communications, and public interest organizations, companies and associations working on information privacy and security issues.

CDT focuses much of its work on the Internet because we believe that, more than any other medium, it has characteristics that are uniquely supportive of democratic values. The Internet has the power to enhance the delivery of government services, provide cost-efficiencies for the government, businesses and individuals, and facilitate interaction between government and its citizens. All one has to do is look at Thomas, the Web site of the Library of Congress, or consider how the Internet is being used in election campaigns to bring into the political process people never before involved in politics to see how the Internet has the potential to revitalize democracy and enhance trust in government. E-government is no longer a theory but a priority of the Administration and this Congress.

Looming over this democratic potential -- and over the centrality of networked computer systems to almost all government functions, including national defense and public safety -- is the vulnerability of computer networks. The insecurity of government computer systems and the lack of effective leadership and accountability within the Executive Branch on computer security is a longstanding problem. The deficiencies in government computer systems -- and the failure of agencies to rectify identified problems -- have been documented in numerous GAO studies and addressed by a series of legislative initiatives, dating back at least to the Computer Security Act of 1987.

Clearly, government computer security remains woefully deficient, and it is incumbent on the Congress to ask what can be done to build greater accountability into government computer security efforts. We commend you, Chairman Horn and Chairman Davis, for addressing in a serious and comprehensive fashion through this hearing and through H.R. 3844 what sometimes seems to be an intractable problem.

CDT's basic message today is that in developing and implementing policy solutions for the security deficiencies that exist in government computer systems today, it is imperative to recognize and preserve the open, decentralized, interactive, innovative, and user-controlled nature of this medium. We fully support the goal of improving the security of government computer systems. We urge you to create a standards and guidelines process for government computer systems that draws upon the expertise of the private sector and involves consultation with computer security and privacy experts from both for-profit and non-profit bodies. We offer some suggested changes to the specific language in the current draft of H.R. 3844 -- changes that we think will better serve, in a balanced way, the bill's goal of improving government computer security, while also addressing the abiding values of efficiency, privacy and openness.

1. Focus on government computer systems, not information

A basic term in the bill is "information security," defined as "protecting information and information systems." Also, throughout the bill, there are references to "information collected or maintained by or on behalf of an agency," in addition to references to "information systems" (e.g., new 3533(a)(2)(A); new 3534(a)(1)(A)(i)). In addressing "information and information systems," the bill sweeps too broadly, seeming to cover all government information as well as government computer systems. By possibly encompassing all paper-based systems and information in general, the bill takes on issues not unique to the digital age, and the possibility of unintended consequences goes up dramatically. Furthermore, by sweeping in all government "information," the task becomes much more complicated and diffuse. There are a number of laws on information security, ranging from the Privacy Act to the rule on grand jury secrecy to the Internal Revenue Code's provision on tax returns, not to mention Executive Orders. We assume that it is not the purpose, and it should not be the effect, of this legislation to require development of government-wide standards that reconcile all those requirements or that undermine the values and interests served by other information management laws.

The urgent problem is not paper-based systems and not information per se. It is the networked nature of computer systems, where damage can be done remotely and entire operations can be brought to a halt by denial of service. September 11 and the ongoing threat of international terrorism only heighten the urgency of addressing these problems.

It is our recommendation, therefore, that the bill be amended to delete general references to "information" and instead focus on computer systems or computerized information systems, which is where the documented problems exist that require focused attention and better accountability. We believe that the term "computer security" is clearer and more focused than the term "information security," which suggests a host of other concerns.

2. Recognize and promote a balanced approach

The bill seems to elevate a single concern - security - in isolation from other values and objectives that government information systems must serve. The bill should explicitly recognize the need in policies, standards and guidelines to maximize four objectives: security; government efficiency (which depends on easy to use, interoperable, networked computer systems); the public's right to know, which includes e-government, a major separate initiative of the Administration and the Congress; and privacy.

The bill, probably unintentionally, seems to equate security with secrecy. It defines security as protecting information and information systems "from unauthorized use, disclosure, disruption, modification or destruction." It is not clear whether "unauthorized" modifies the whole series of words, or only "use." This formulation might be read to imply that "disclosure," like "disruption," is always to be avoided. (Is there "authorized disruption"?) The Computer Security Act's language is clearer: "loss or unauthorized modification or disclosure." The problem here is related to the first one we mentioned: the coverage of information as well as information systems. It would be highly undesirable to define security as preventing disclosure of information. The language in the rest of the definition -- framing security as the assurance of the integrity and availability of information as well as protecting confidentiality where that is appropriate (e.g., personally identifiable information) -- is appropriate. Sometimes, the disclosure of information can improve security. For example, H.R. 4598, the Homeland Security Information Sharing Act, a bill introduced in the House last week, would promote the sharing of homeland security information -- including classified information -- between federal intelligence and law enforcement agencies and state and local entities. The bill notes that classified information can be shared either by granting security clearances to appropriate state and local personnel, or else by declassifying the information, redacting it, or otherwise adapting it for dissemination.

Finally, in this regard, it should be made clear that the bill has no implications for the Freedom of Information Act. Any questions or concerns about FOIA should be addressed separately, and not conflated with the issues of computer security.

3. Preserve -- and enhance -- the privacy advisory function

Another concern with the bill is the elimination of privacy from the responsibilities of the Computer System Security and Privacy Advisory Board (CSSPAB). CSSPAB has been useful for a number of years by virtue of being, as far as I know, the only ongoing advisory organization in the Federal government that has responsibility for studying privacy issues. At the current time, when there are so many important privacy issues facing the government and the private sector, it is inadvisable to reduce the Federal government's ability to address privacy issues. Privacy is an essential element of trust in computer systems, and it is important to have available to the government a body of diverse experts who consider privacy and security issues together.

This is all the more important because the current Administration has not yet created a systematic means of addressing privacy concerns raised by the government's information activities. The prior Administration created the position of Chief Counselor for Privacy within OMB, created a Privacy Subcommittee of the Chief Information Officers' Council, and took other actions to improve the protection of personal information held by federal agencies. Meanwhile, there were numerous and bipartisan efforts in Congress to protect privacy, including in government information systems. The bipartisan Congressional Privacy Caucus, for instance, is headed by Senators Shelby and Leahy and Congressmen Barton and Markey. In recent years, Congress has enacted the Children's Online Privacy Protection Act, the privacy provisions in the Gramm-Leach-Bliley Act, new privacy protections under the Drivers' Privacy Protection Act, and an appropriations provision limiting the use of cookies on Federal web sites. Pending legislation includes measures specifically directed at Federal government computer systems, including two bills that would require Federal agencies to conduct privacy impact assessments: the Federal Agency Privacy Protection Act, introduced by Rep. Barr (for government regulations), and the E-Government Act (S.803), introduced by Senators Lieberman and Burns, which was passed unanimously by the full Senate Governmental Affairs Committee on March 21 and would require privacy impact assessments for system procurements.

Computer security and privacy issues are inextricably intertwined -- good data handling practices should both keep intruders out and set forth policies for which people should be authorized to access personal information. Security has been a recognized element of fair information practices since the 1970s. The current bill would not ensure that vital concerns about privacy are included within the government's handling of information technology issues.

The privacy function of CSSPAB, at a minimum, should be retained. The Board should include balanced representation from the information/software industry, library community, and privacy advocates, not just security experts. In addition, the bill should include provisions that bring privacy and other important aspects of information policy into the development of security standards. One model might be the standards of the Gramm-Leach-Bliley banking reform act, which specifically linked privacy and security.

4. The role of the private sector

The bill sets up a process for setting government wide minimum standards but does not sufficiently recognize that there is an increasingly widely accepted set of practices developed by the private sector that agencies ought to be adopting in the interim.

Government promulgation of standards for computer and communications equipment is fraught with risks. The government must adopt a balanced approach, for, while the government has the authority - and a pressing need - to get its own computer security house in order, the design of computer and communications equipment and standards rests mainly with the private sector. The private sector must be in charge of protection of computer systems in the private sector. This involves two complementary principles: First, it should be clear that the standards that will be developed under this bill are not intended to directly or indirectly influence private sector standards or product design. Second, working in consultation with the private sector will help ensure that the government is not developing standards that are out of step with the rapid evolution of technology. The private sector has a great deal to contribute to the government process. At CDT, we see every day how companies are trying to balance security, privacy, openness and efficiency. The development of standards and guidelines by NIST and the Director of OMB should involve at a minimum consultation with private sector experts, including those that advocate the privacy rights of citizens. It should draw fully on the standards and best practices that are being developed by the private sector.

Conclusion

Again, Chairman Horn and Chairman Davis, we congratulate you for your leadership on this crucial issue of government computer security. We would be pleased to work with you to improve this bill so that it focuses in a balanced way on the specific challenges of building accountability into the procedures for improving the security of Federal government computer systems.