Government Begins Computer Security Program
WASHINGTON (AP) - The federal government’s computers should be "a model for security and reliability," officials participating in a program aimed at safeguarding sensitive information were told today.
About 700 officials from agencies throughout the government gathered at National Bureau of Standards headquarters in suburban Gaithersburg, Md., to receive formal guidelines for implementing the program, which is being undertaken despite budgetary uncertainties.
James Burrows, director of the NBS Institute for Computer Sciences and Technology, told the meeting that "we must make the federal government’s computers a model for security and reliability."
Charged with overseeing the computer security program are the National Bureau of Standards, a unit of the Commerce Department, and the Pentagon’s National Security Agency, which for years has issued regulations for protecting classified information.
Other lead agencies for the program are the White House Office of Management and Budget and the Office of Personnel Management.
About 700 officials from agencies throughout the government were slated to gather today at NBS headquarters in suburban Gaithersburg, Md., to receive formal guidelines for implementing the new program, which is being undertaken despite budgetary uncertainties.
The effort is mandated by legislation signed into law early this year by President Reagan requiring that agencies establish computer security training and awareness programs, identify sensitive computer systems, prepare security plans for each system and submit those plans to NBS and NSA for advice and comment. The plans are due by Jan. 1, 1989.
Stuart Katzke, chief of NBS’ computer security division, said the security plans should help deal with unauthorized computer system break-ins by "hackers" as well as the threat posed by so-called computer viruses - small strings of computer code that can cause computer programs to go haywire.
"I think that if the planning activity is done properly and the agencies look at the threats, the risks and so forth, they should look at things like viruses and hackers," he said.
The computer security program faces a possible budget squeeze because Congress so far has been unwilling to vote the additional $3 million for NBS requested by the Reagan administration to pay for implementing the program.
A fiscal 1989 bill passed by the House includes no extra money for the program, while companion legislation approved by a Senate appropriations panel would provide only $1 million. Capitol Hill proponents of the computer security program are expected to press for full funding on the Senate floor and in a Senate-House conference.
Dennis Steinauer, another NBS official, said the computer security program would eventually involve tens of thousands of computer users throughout the federal government, reached by establishing new training programs or upgrading existing ones.
The objective, he said, is "to make sure that users of computer systems, in particular those that handle sensitive information, understand what the threats and vulnerabilities are, and what the things are that they need to do and can do in order to provide protection."
"It’s long been contended by most people in the computer and information security business that the No. 1 problem is that people simply aren’t aware that there is a problem - and those that are aren’t sure what to do about it," Steinauer said.
The computer security program was the focus of a Washington symposium convened last month by the Institute of Electrical and Electronics Engineers, attended by more than 30 leading security experts in industry and government from the United States, Canada and Britain.
John M. Richardson, chairman of the IEEE’s Committee on Communications and Information Policy, said that at the June 21 meeting there was "general agreement that NBS is better matched to deal with the civilian agencies and the private sector than the NSA is."
He noted that "the business of dealing with a different plan for each computer system in the civilian side of government is a massive job. ... It will be hard to do by next January."
Richardson said that in identifying sensitive information in their computer systems, "agency heads should exercise extreme restraint and should make the designation according to publicly disclosed criteria."
Such restraint, he said, would help avoid problems comparable to the "overclassification" of national security information.
"Whenever you protect something, you abridge access to it," Richardson said. "It’s inevitable. A fundamental principle in our society is that you want to abridge access as little as possible."