U.S. Federal Cybersecurity Today
Computer security regulations have come a long way from their early beginnings. Even before the Federal Information Security Management Act (FISMA), there was the Computer Security Act of 1987 (CSA). The Computer Security Act was enacted by the 100th United States Congress in response to a lack of computer security protection measures, and a strong need for internal computer security governance for U.S. Federal agencies.
Although the U.S. Federal Government relied heavily on organizations such as the National Security Agency (NSA) for computer security guidance, it was evident that there was a strong need for computer security standards and governance across all federal agencies.
What we know today as U.S. Federal cybersecurity is vastly different than it was 33 years ago. Not only has the complexity of systems grown, but what started off as a simple research project in the early 1980s has vastly evolved into what people know as the internet. This adds to the complexity of systems, as well as increasing the scope, exposure, and attack surface of those systems.
Although information security principles remain the same, cyberspace continues to present challenges and obstacles that federal agencies must overcome.
The History of U.S. Federal Cybersecurity
Rapid Expansion of Automated Data Processing
The use of U.S. Federal computer systems was magnified by the Paperwork Reduction Act of 1980, which aimed to create an efficient means of storing information for federal agencies.
According to the CSA, by the mid-1980s, the U.S. Federal Government was the largest single user of information systems. The authors of the CSA drew upon various sources, including a 1985 report by the General Services Administration (GSA). This report, (which is now only available in microfiche), stated that the federal government possessed close to 20,000 computer systems, ranging from medium to large. The federal government’s reliance on computer systems was proliferating so much, that in 1986 over 15 billion dollars was spent on automated data processing equipment. As the U.S. Federal Government’s digital scope continued to grow, the need to secure information became an increasing concern.
Before the official drafting of the CSA, there were hearings related to computer security crimes. For example, in 1984. John Tompkins, chairman of the Task Force on Computer Crime of the American Bar Association, commented about a survey that was conducted by the American Bar Association (ABA) on the status of computer-related crimes in government and industry. The survey included respondents from 13 federal agencies, as well as 28 state and local agencies. The survey results indicated that insiders are more likely to conduct fraud and abuse of computer systems. The survey also revealed that security systems used by federal, state, and local agencies are often vulnerable and do not provide adequate protection. Lastly, the survey indicated that a lack of security awareness and concern were contributing to security issues.
During the 1984 hearings, another study was conducted by Richard Kusserow, Inspector General for the Department of Health and Human Services (HHS). Kusserow’s study yielded results that were similar to the ABA study. The results showed that awareness and training controls were lacking and that insider threats were often the perpetrators. Additionally, internal security controls did not provide commensurate protection concerning asset value and potential impacts of unauthorized disclosure, and information integrity.
Evaluation of the State of Computer Security
As if the findings of the ABA, and the HHS weren’t convincing enough, the General Accounting Office (GAO) revealed the results of a 1985 survey of 17 federal agencies on the status of computer security. The GAO survey results concluded that each of the 25 systems evaluated across the 17 agencies is vulnerable to fraud and abuse.
Additionally, the GAO revealed that most federal agencies do not use a risk-based approach to implement computer security controls. The GAO categorized computer security safeguards into three categories, including physical, technical, and administrative controls. The GAO stated that there is a lack of management oversight, coordination, and approach to ensuring the security of federal computers.
As a result of all these findings, it was requested that the GAO conduct an evaluation of security control implementations across 9 federal agencies to determine security control effectiveness. The GAO assessors quickly identified a lack of practical guidance for evaluating the implementation of security controls during system development.
According to the GAO, none of the 9 agencies included security controls in system requirements. Furthermore, the study concluded that none of the 9 agencies evaluated address the sensitivity of the information to be stored, processed, or transmitted by computer systems. The study also concluded that 8 of the 9 federal agencies were not conducting a risk analysis of their computer systems.
Enacting the Computer Security Act of 1987
In response to a growing fear of security threats to the U.S. Federal Government, the Computer Security Act (CSA) of 1987 was signed into law on June 11, 1987. The purpose of the CSA was to improve the security of federal information systems. One of the specific objectives was to assign responsibility for developing federal computer security standards and guidelines to the National Bureau of Standards (NBS) to ensure that federal agencies implement cost-effective, commensurate security and privacy protection for federal information systems. Additionally, the CSA requires federal agencies to develop security and privacy plans for all information systems containing sensitive information that could adversely harm the national interests or activities of federal programs.
Computer Security Governance
Establishing governance for the security of federal systems was crucial to achieving the necessary levels of protection. The CSA directed the National Bureau of Standards (NBS) to develop validation procedures to determine compliance and effectiveness of the implemented security standards and guidelines. The NBS was also directed to provide technical assistance and support to agencies when implementing these standards and guidelines. By performing research on threats and vulnerabilities, the NBS would develop cost-effective means in providing risk-based protection using security techniques and defenses.
Risk analysis is a prime factor in providing adequate levels of protection for federal computer systems. With the Computer Security Act, agency heads can apply more stringent controls in a manner deemed cost-effective to further compensate the baseline standards developed by the National Bureau of Standards. The decision to apply a higher level of security controls should be based on the asset value and the potential adverse impacts that a security incident could have on national interests or federal agency missions and objectives. The combination of the overall threat event likelihood and potential associated adverse impact is used to determine the level of risk associated with a vulnerability ranging from “negligible” to “severe or catastrophic”. These aspects of risk analysis can lead to cost-effective security implementations.
33 years since the passage of the CSA, responsibilities and oversight for cybersecurity have shifted to the Federal Information Security Management Act (FISMA) of 2002. FISMA 2002 was superseded by the Federal Information Security Modernization Act of 2014. Responsibilities for federal computer security standards and guidelines have also shifted from the National Bureau of Standards to the National Institute of Standards and Technology (NIST).
Optimistically, one could observe that, as the federal government’s cyber capabilities grow, the posture of federal cybersecurity management, oversight, and protection continuously matures to account for the modern computing environment.
The U.S. Federal government has come a long way since the Computer Security Act of 1987. As cyberspace has also evolved and continues to do so, there have been significant achievements in the past few years, including the creation of a Cybersecurity Framework, and a Cybersecurity and Infrastructure Security Agency.
The goals of these initiatives are to protect the critical infrastructure sectors of the United States, and increase communication, collaboration, and coordination of security efforts between government and industry.
While cybersecurity is not new to federal agencies, some challenges have been introduced by technology advances that need to be addressed and overcome. It is up to the next generation of cybersecurity professionals to ensure the continued and improved security of our homeland and national security.