Cybersecurity laws affecting businesses on the way

Meaningful regulatory approach promised

Putnam also said his subcommittee will look at whether U.S. government agencies other than the Department of Defense should require the software they use to meet security standards under the International Common Criteria for Information Technology Security. The Defense Department, in a policy from January 2000, requires commercial software used in national security-related functions be certified in the Common Criteria or an alternative certification from the National Institute of Standards and Technology.

"We're taking a pretty serious look at whether that requirement should be expanded government-wide," he said. "The certification process, the length of time that takes, how burdensome that is or is not, and the costs involved -- those are all factors in our decision. But having a standard template to work with is an important thing."

Because of the cost and time taken up by achieving the Common Criteria, vendors selling non-certified software currently have an advantage over those that seek the standard, said Oracle's Hoechst, who was encouraged by Putnam's remarks.

"The thing we find interesting now is there aren't too many agencies left in government that aren't related to national security," Hoechst added. "We hope the government uses its buying power to encourage others to buy software meeting those standards as well."

Putnam criticized the efforts of government agencies to pump up cybersecurity, saying the problems aren't related to technology but rather to personnel and workplace culture. Fourteen of 24 government agencies received failing grades in a cybersecurity report card issued by Congress in late 2002, he noted, and another seven agencies scored D+ or lower.

Putnam also placed some blame with his colleagues in Congress. "Frankly, I'm finding a lack of attention and a lack of understanding by the Congress and the (Bush) administration as to the serious nature of the threat," he said. "It's not nearly as sexy, or as engaging, or as interesting as the threats that are posed by terrorists boarding aircraft, or terrorists threats to the Brooklyn Bridge ... or to Disney World, and so the cyber threat has taken a back seat to the physical threat. I think that is a dangerously lopsided approach to homeland security."

While Putnam ripped the U.S. government's cybersecurity efforts, Mark Forman, administrator of the Office of Electronic Government at the White House Office of Management and Budget (OMB), defended the Bush administration's direction. Government agencies have a lot more work to do in cybersecurity, Forman said, but they are making progress.

Agencies must conduct yearly security assessments, with an independent audit, and OMB conducts quarterly e-government reviews of government agencies, and those reviews include security as one of five criteria, he said in a speech at the event.

Agencies are rated on a scale from green to red, and President Bush questions agency heads when their ratings fall, Forman said.

"For some strange reason, when the (agency) secretaries see their scores next to each other, and they see who's red and who's green, red is not a very good place to be," Forman said. "When the president asks, 'Mr. Secretary, why are you not making progress in these three areas,' when everybody else has, it's not a very good place for a secretary. There's recognition of the importance of cybersecurity at the secretary level, all the way up to the president."