Information Security: Comments on Proposed Government Information Act of 1999 (Testimony, 03/02/2000, GAO/T-AIMD-00-107). Pursuant to a congressional request, GAO discussed S. 1993, the Government Information Security Act of 1999, and its impact on strengthening information security practices throughout the federal government, focusing on: (1) potential improvements in federal agency performance in addressing computer security issues; (2) the need for better-defined control standards; and (3) centralized leadership. GAO noted that: (1) the nation's computer-based infrastructures are at increasing risk of severe disruption; (2) the dramatic increase of computer interconnectivity has provided pathways among systems that can be used to gain unauthorized access to data and operations from remote locations; (3) government officials are increasingly worried about attacks from individuals and groups with malicious intentions, such as terrorists and nations engaging in information warfare; (4) S. 1993 provides opportunities to address this problem; (5) it updates the legal framework that supports federal information security requirements and addresses widespread federal information security weaknesses; (6) the bill provides for a risk-based approach to information security and independent annual audits of security controls; and (7) it approaches security from a governmentwide perspective, taking steps to accommodate the significantly varying information security needs of both national security and civilian agency operations.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: T-AIMD-00-107
TITLE: Information Security: Comments on Proposed Government Information Act of 1999
DATE: 03/02/2000
SUBJECT: Computer security; Information systems; Data integrity; Internal controls; Confidential communication; Information resources management; Computer viruses; Information leaking; Computer crimes; Computer software verification and validation
IDENTIFIER: Melissa Computer Virus

For Release on Delivery
Expected at 10 a.m. Thursday, March 2, 2000

GAO/T-AIMD-00-107
Information Security: Comments on the Proposed Government Information Security Act of 1999

Statement of Jack L. Brock, Director, Governmentwide and Defense Information Systems, Accounting and Information Management Division

Testimony Before the Committee on Governmental Affairs, U.S. Senate
United States General Accounting Office (GAO)

Mr. Chairman and Members of the Committee:

I am pleased to be here to discuss S. 1993, the Government Information Security Act of 1999, which seeks to strengthen information security practices throughout the federal government. Such efforts are necessary and critical. Our work has shown that almost all government agencies are plagued by poor computer security. Recent events such as the denial of service attacks last month indicate the damage that can occur when an organization's computer security defenses are breached.
However, Mr. Chairman, let me emphasize that the potential for more serious disruption is significant. As I stated in recent testimony, our nation's computer-based infrastructures are at increasing risk of severe disruption. The dramatic increase of computer interconnectivity, while beneficial in many ways, has provided pathways among systems that, if not properly secured, can be used to gain unauthorized access to data and operations from remote locations. Government officials are increasingly worried about attacks from individuals and groups with malicious intentions, such as terrorists and nations engaging in information warfare. S. 1993 provides opportunities to address this problem. It updates the legal framework that supports federal information security requirements and addresses widespread federal information security weaknesses. In particular, the bill provides for a risk-based approach to information security and independent annual audits of security controls. Moreover, it approaches security from a governmentwide perspective, taking steps to accommodate the significantly varying information security needs of both national security and civilian agency operations.

Mr. Chairman, I would like to discuss how these proposals can lead to substantial improvements in federal agency performance in addressing computer security issues. In addition, I would like to raise two additional concerns, the need for better-defined control standards and for centralized leadership, which, if addressed, could further strengthen security practices and oversight. These two concerns merit further attention as the Committee moves ahead with its work in this area.

Information Security Improvements Are Urgently Needed

Our most recent individual agency review, of the Environmental Protection Agency (EPA), corroborated our governmentwide analysis.
Overall, we found that EPA's computer systems and the operations that rely on these systems were highly vulnerable to tampering, disruption, and misuse. EPA's own records identified several serious computer incidents in the last 2 years that resulted in damage and disruption to agency operations. Moreover, our tests of computer-based controls concluded that computer operating systems and the agencywide computer network that support most of EPA's mission-related and financial operations were riddled with security weaknesses. EPA is currently taking significant steps to address these weaknesses. However, resolving EPA's information security problems will require substantial ongoing management attention since security program planning and management to date have largely been a paper exercise doing little to substantively identify, evaluate, and mitigate risks to the agency's data and systems. Any fixes made by EPA to address specific control weaknesses will be temporary until these underlying management issues are addressed.

EPA is not unique. Within the past 12 months we have identified significant management weaknesses and control deficiencies at a number of agencies that effectively undermine the integrity of their computer security operations.

* In August 1999, we reported that pervasive weaknesses in Department of Defense information security continue to provide both hackers and hundreds of thousands of authorized users the opportunity to modify, steal, inappropriately disclose, and destroy sensitive DOD data. Among other things, these weaknesses impaired DOD's ability to control physical and electronic access to its systems and data; ensure that software running on its systems is properly authorized, tested, and functioning as intended; and resume operations in the event of a disaster.
* In May 1999, we reported that, as part of our tests of the National Aeronautics and Space Administration's (NASA) computer-based controls, we successfully penetrated several mission-critical systems, including one responsible for calculating detailed positioning data for each orbiting spacecraft and another that processes and distributes the scientific data received from these spacecraft. Having obtained access, we could have disrupted ongoing command and control operations and modified or destroyed system software and data.

* In August 1999, an independent accounting firm reported that the Department of State's mainframe computers for domestic operations were vulnerable to unauthorized access. Consequently, other systems, which process data using these computers, could also be vulnerable. A year earlier, in May 1998, we reported that our tests at State demonstrated that its computer systems and the information they maintained were very susceptible to hackers, terrorists, or other unauthorized individuals seeking to damage State operations or reap financial gain by exploiting the department's information security weaknesses.

* In October 1999, we reported that serious weaknesses placed sensitive information belonging to the Department of Veterans Affairs (VA) at risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction, possibly occurring without detection. Such findings were particularly troublesome since VA collects and maintains sensitive medical record and benefit payment information for veterans and family members and is responsible for tens of billions of dollars of benefit payments annually.

Although the nature of operations and related risks at these and other agencies vary, there are striking similarities in the specific types of weaknesses reported. The following six areas of management and general control weaknesses are repeatedly highlighted in our reviews.

* Entitywide Security Program Planning and Management.
Each organization needs a set of management procedures and an organizational framework for identifying and assessing risks, deciding what policies and controls are needed, periodically evaluating the effectiveness of these policies and controls, and acting to address any identified weaknesses. These are the fundamental activities that allow an organization to manage its information security risks cost effectively, rather than reacting to individual problems ad hoc only after a violation has been detected or an audit finding has been reported. Despite the importance of this aspect of an information security program, we continue to find that poor security planning and management is the rule rather than the exception. Most agencies do not develop security plans for major systems based on risk, have not formally documented security policies, and have not implemented programs for testing and evaluating the effectiveness of the controls they rely on.

* Access Controls.

Access controls limit or detect inappropriate access to computer resources (data, equipment, and facilities), thereby protecting these resources against unauthorized modification, loss, and disclosure. They include physical protections, such as gates and guards, as well as logical controls, which are controls built into software that (1) require users to authenticate themselves through passwords or other identifiers and (2) limit the files and other resources that an authenticated user can access and the actions that he or she can execute. In many of our reviews we have found that managers do not identify or document access needs for individual users or groups, and, as a result, they provide overly broad access privileges to very large groups of users. Additionally, we often find that users share accounts and passwords or post passwords in plain view, making it impossible to trace specific transactions or modifications to an individual.
Unfortunately, as a result of these and other access control weaknesses, auditors conducting penetration tests of agency systems are almost always successful in gaining unauthorized access that would allow intruders to read, modify, or delete data for whatever purposes they had in mind.

* Application Software Development and Change Controls.

Application software development and change controls prevent unauthorized software programs or modifications to programs from being implemented. Without them, individuals can surreptitiously modify software programs to include processing steps or features that could later be exploited for personal gain or sabotage. In many of our audits, we find that (1) testing procedures are undisciplined and do not ensure that implemented software operates as intended, (2) implementation procedures do not ensure that only authorized software is used, and (3) access to software program libraries is inadequately controlled.

* Segregation of Duties.

Segregation of duties refers to the policies, procedures, and organizational structure that help ensure that one individual cannot independently control all key aspects of a process or computer-related operation and thereby conduct unauthorized actions or gain unauthorized access to assets or records without detection. For example, one computer programmer should not be allowed to independently write, test, and approve program changes. We commonly find that computer programmers and operators are authorized to perform a wide variety of duties, thus providing them the ability to independently modify, circumvent, and disable system security features. Similarly, we have also identified problems related to transaction processing, where all users of a financial management system can independently perform all of the steps needed to initiate and complete a payment.

* System Software Controls.
System software controls limit and monitor access to the powerful programs and sensitive files associated with the computer system's operation, e.g., operating systems, system utilities, security software, and database management systems. If controls in this area are inadequate, unauthorized individuals might use system software to circumvent security controls to read, modify, or delete critical or sensitive information and programs. Such weaknesses seriously diminish the reliability of information produced by all of the applications supported by the computer system and increase the risk of fraud, sabotage, and inappropriate disclosures. Our reviews frequently identify systems with insufficiently restricted access, which makes it possible for knowledgeable individuals to disable or circumvent controls in a wide variety of ways.

* Service Continuity Controls.

Service continuity controls ensure that critical operations can continue when unexpected events occur, such as a temporary power failure, accidental loss of files, or even a major disaster such as a fire. For this reason, an agency should have (1) procedures in place to protect information resources and minimize the risk of unplanned interruptions and (2) a plan to recover critical operations should interruptions occur. At many of the agencies we have reviewed, we have found that plans and procedures are incomplete because operations and supporting resources had not been fully analyzed to determine which were most critical and would need to be restored first. In addition, disaster recovery plans are often not fully tested to identify their weaknesses. As a result, many agencies have inadequate assurance that they can recover operational capability in a timely, orderly manner after a disruptive attack.
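The access control and segregation-of-duties findings above describe what an auditor looks for: privileges granted beyond documented need, shared accounts that make actions untraceable, and one person writing, testing and approving the same change. As an added illustration (not part of this testimony or of any GAO tool), the following Python script runs those three checks over constructed sample records; the account names, privilege labels, workstation names and change identifiers are hypothetical.

```python
"""Three audit checks drawn from the control areas above, run on constructed
sample data: excess privileges, shared accounts, and segregation of duties."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    """A program change record: who wrote it, who tested it, who approved it."""
    change_id: str
    author: str
    tester: str
    approver: str


def excess_privileges(documented_needs: dict[str, set[str]],
                      granted: dict[str, set[str]]) -> dict[str, set[str]]:
    """Per account, the privileges granted beyond its documented access need.
    An account with grants but no documented need at all is reported in full."""
    findings: dict[str, set[str]] = {}
    for account, privs in granted.items():
        extra = privs - documented_needs.get(account, set())
        if extra:
            findings[account] = extra
    return findings


def shared_accounts(events: list[tuple[str, str, str, str]]) -> list[str]:
    """Flag accounts with open sessions on two hosts at the same time, a common
    sign that a password is shared. events: (time, account, host, LOGIN|LOGOUT),
    already sorted by time. A sequential login from a second host is not flagged."""
    active: dict[str, set[str]] = {}   # account -> hosts with an open session
    flagged: set[str] = set()
    for _time, account, host, kind in events:
        hosts = active.setdefault(account, set())
        if kind == "LOGIN":
            if hosts - {host}:             # still logged in elsewhere
                flagged.add(account)
            hosts.add(host)
        elif kind == "LOGOUT":
            hosts.discard(host)
    return sorted(flagged)


def sod_violations(changes: list[Change]) -> list[str]:
    """Ids of changes where one identity filled more than one of the
    author/tester/approver roles (the programmer who writes, tests and
    approves a change on their own)."""
    bad = []
    for c in changes:
        roles = (c.author, c.tester, c.approver)
        if len(set(roles)) < len(roles):
            bad.append(c.change_id)
    return bad


# Constructed sample data (hypothetical accounts, privileges, hosts, changes).
DOCUMENTED_NEEDS = {"jsmith": {"payroll:read"},
                    "mlee": {"payroll:read", "payroll:write"}}
GRANTED = {"jsmith": {"payroll:read", "payroll:write", "payroll:approve"},
           "mlee": {"payroll:read", "payroll:write"},
           "ops_shared": {"payroll:approve"}}     # no documented owner or need

LOGIN_EVENTS = [
    ("08:00", "ops_shared", "ws-12", "LOGIN"),
    ("08:05", "ops_shared", "ws-34", "LOGIN"),    # second host, first still open
    ("08:10", "jsmith", "ws-01", "LOGIN"),
    ("08:30", "jsmith", "ws-01", "LOGOUT"),
    ("08:31", "jsmith", "ws-02", "LOGIN"),        # sequential move, not shared
    ("09:00", "ops_shared", "ws-12", "LOGOUT"),
]

CHANGES = [
    Change("CR-101", author="dev1", tester="qa1", approver="mgr1"),
    Change("CR-102", author="dev2", tester="dev2", approver="mgr1"),   # self-tested
    Change("CR-103", author="dev3", tester="qa2", approver="dev3"),    # self-approved
]


def run_audit() -> dict[str, object]:
    """Run all three checks on the sample data and return the findings."""
    return {
        "excess_privileges": excess_privileges(DOCUMENTED_NEEDS, GRANTED),
        "shared_accounts": shared_accounts(LOGIN_EVENTS),
        "sod_violations": sod_violations(CHANGES),
    }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result}")
```

On the sample data the script reports jsmith and ops_shared for excess privileges, ops_shared as a shared account, and CR-102 and CR-103 as segregation-of-duties violations. The same shape of check scales to real exports from an access management system, a logon audit log, and a change ticketing system, which is where the finding that "managers do not identify or document access needs" first shows up: with no documented need, every grant is excess.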
Unfortunately, in addressing these problems, agencies often react to individual audit findings as they are reported, rather than addressing the systemic causes of control weaknesses, namely, poor agency security planning and management. S. 1993 recognizes that this approach is unworkable in today's environment.

S. 1993 Proposals Can Lead to Improved Information Security Management

S. 1993 proposes three main improvements:

* following a risk-based approach to information security,
* performing independent annual audits of security controls, and
* approaching security from a governmentwide perspective, taking into account the varying information security needs of both national security and civilian agency operations.

If effectively implemented, these proposals should help federal agencies improve their information security practices and considerably strengthen executive branch and congressional oversight.

The first improvement area would require a risk management approach to be implemented jointly by agency program managers and technical specialists. Instituting such an approach is important since agencies have generally done a very poor job of evaluating their information security risks and implementing appropriate controls. Moreover, our studies of public and private best practices have shown that effective security program management requires implementing a process that provides for

* assessing information security risks to program operations and assets and identifying related needs for protection,
* selecting and implementing controls that meet these needs,
* promoting awareness of risks and responsibilities, and
* implementing a program for routinely testing and evaluating policy and control effectiveness.
The key to this process is recognizing that information security is not a technical matter of locking down systems, but rather a management problem that requires understanding information security risks to program operations and assets and ensuring that appropriate steps are taken to mitigate these risks. Thus, it is highly appropriate that S. 1993 requires a risk management approach that incorporates these elements.

The second proposed improvement area is the requirement for an annual independent audit of each agency information security program. Individually, as well as collectively, these audits can provide much needed information for improved oversight by the Office of Management and Budget (OMB) and the Congress. Our years of auditing agency security programs have shown that independent tests and evaluations are essential to verifying the effectiveness of computer-based controls. Audits can also evaluate agency implementation of management initiatives, thus promoting management accountability. Moreover, an annual independent evaluation of agency information security programs will help drive reform because it will spotlight both the obstacles and progress toward improving information security, much like the financial statement audits required by the Chief Financial Officers Act of 1990. Agency financial systems are already subjected to such evaluations as part of their annual financial statement audits. However, I would like to note that for agencies with significant nonfinancial operations, such as the departments of Defense and Justice, the requirement for annual independent information security audits would place a significant new burden on existing audit capabilities. Accordingly, making these audits effective will require ensuring that agency inspectors general have sufficient resources to either perform or contract for the needed work.

Third, S. 1993 takes a governmentwide approach to information security by accommodating a wide range of information security needs and applying requirements to all agencies, including those engaged in national security. Under current law, distinctions between national security systems and all other government systems have tended to frustrate efforts to establish governmentwide standards and to share information security best practices. S. 1993 should help eliminate these distinctions and ensure the development of common approaches across government for the protection of similar risks, regardless of the agencies involved. This is important because the information security needs of civilian agency operations and those of national security operations have converged in recent years. In the past, when sensitive information was more likely to be maintained on paper or in stand-alone computers, the main concern was data confidentiality, especially as it pertained to classified national security data. Now, virtually all agencies rely on interconnected computers to maintain information and carry out operations that are essential to their missions. While the confidentiality needs of these data vary, all agencies must be concerned about the integrity and the availability of their systems and data. It is important for all agencies to understand these various types of risks and take appropriate steps to manage them.

Strengthening Security Control Standards and Leadership Also Merits Attention

First, there is a need for better-defined security control standards. Currently, agencies have wide discretion in deciding what computer security controls to implement and the level of rigor with which they enforce these controls. However, as mentioned earlier, our audit work has shown that agencies have generally done a poor job of evaluating risks and implementing effective controls.
Moreover, these audits have shown that agencies need more specific guidance on the controls that are appropriate for the different types of information that must be protected. Current OMB and National Institute of Standards and Technology (NIST) guidance is not detailed enough to ensure that agencies are making appropriate judgments in this area and that they are protecting the same types of data consistently throughout the federal community. More specific guidance could be developed in two parts:

* A set of data classifications that could be used by all federal agencies to categorize the criticality and sensitivity of the data they generate and maintain. These classifications could range from noncritical, publicly available information requiring a relatively low level of protection to highly sensitive and critical information that requires an extremely high level of protection. Intermediate classifications could cover a range of financial and other important and sensitive data that require significant protection but not at the very highest levels. It would be important for these data classifications to be clearly defined and accompanied by guidelines regarding the types of data that would fall into each classification.

* A set of minimum mandatory control requirements for each classification. Such control requirements could cover issues such as (1) the strength of system user authentication techniques (e.g., passwords, smart cards, and biometrics) for each classification, (2) appropriate types of cryptographic tools for each classification, and (3) the frequency and rigor of testing appropriate for each classification.

We believe that requiring the development of these standards, particularly with minimum mandatory control requirements, is the most important addition that could be made to your legislation.
More precisely defined standards will provide common measures that can guide agencies in developing needed controls and improve the consistency and value of audits and evaluations.

Second, there is a need for strong, centralized leadership for information security across government. Under current law, responsibility for guidance and oversight of agency information security is divided among a number of agencies, including OMB, NIST, the General Services Administration (GSA), and the National Security Agency. Other organizations are also becoming involved through the administration's critical infrastructure protection initiative, including the Department of Justice and the Critical Infrastructure Assurance Office. While some coordination is occurring, overall, this has resulted in a proliferation of organizations with overlapping oversight and assistance responsibilities. Lacking is a strong voice of leadership and a clear understanding of roles and responsibilities. Having strong, centralized leadership has been critical to addressing other governmentwide management challenges. For example, vigorous support from officials at the highest levels of government was necessary to prompt attention and action to resolving the Year 2000 problem. Similarly, forceful, centralized leadership was essential to pressing agencies to invest in and accomplish basic management reforms mandated by the Chief Financial Officers Act. To achieve similar results in information security, the federal government must have the support of top leaders and more clearly defined roles for those organizations that support governmentwide initiatives. We believe serious consideration should be given in your legislation to clarifying the roles of organizations responsible for governmentwide information security efforts (for example, the roles of OMB, NIST, and GSA) and to creating a national Chief Information Officer to provide higher visibility and more effective central leadership of information security.
Mr. Chairman and Members of the Committee, this concludes my testimony. We look forward to working with the Committee to advance the issues discussed today as well as to address our technical comments, which we have provided separately. I would be happy to answer any questions you may have.

(511184)

*** End of document. ***