Information sharing among government agencies and between the public and private sectors is a critical element in the war against terrorism. This was the message delivered by Rep. Thomas Davis (R-Va.) in his congressional keynote address at the 2002 Federal Librarians and Information Center Committee Forum held at the Library on March 19.
The theme of this year's forum was "Homeland Security: Impact of Policy Changes on Government Information Access." Viet Dinh, assistant attorney general for the Office of Legal Policy in the Justice Department, delivered an executive keynote speech on the topic (see page 68).
Rep. Davis voiced his concerns about federal information security in an era of cyber terrorism. Citing the results of a recent survey by the House Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, Rep. Davis reported that 16 out of 24 federal agencies received a grade of F in the area of information security.
"Information security is our greatest vulnerability," said the congressman. "As a result of the information revolution and the ever-evolving technologies that support information collection, our vulnerability has grown exponentially. These terrorist groups may be fundamentalists, who are anti-information and antiglobalization, but they do understand our networks and interconnectivity, and they are developing technologies to destroy them. The next attack is not likely to be by air. The amount of damage that can be done to our critical infrastructure outweighs that done on September 11."
Compounding the problem, according to Rep. Davis, is the fact that federal information security suffers from a lack of coordinated management.
"All the information was out there [prior to September 11], but no one was talking to anyone else," he said, referring to the Immigration and Naturalization Service and other agencies. "It is a hodgepodge of turf wars," he said. "In my opinion there is no framework for a coordinated effort."
To combat the problem, Rep. Davis has introduced several pieces of legislation. The most recent, the Federal Information Security Management Act (H.R. 3844), would strengthen federal government information security; one provision would require information security risk management standards. Introduced by Rep. Davis on March 5 and co-sponsored by Rep. Stephen Horn (R-Calif.), the legislation would require the Office of Management and Budget (OMB) to make standards for information technology security compulsory among federal agencies. It would require risk assessments, periodic reviews, and security awareness training for employees.
"The federal government must first put its own house in order," the congressman said. "We can't afford to delay."
Rep. Davis believes that, given its importance, the responsibility for coordinating federal information security should be a function housed within the Executive Office of the President. Toward this end, he introduced a bill several years ago that would have created a federal chief information officer position, reporting directly to the president. However, the congressman has no immediate plans to reintroduce the bill, given the recent establishment of an associate director of information technology and electronic government in OMB.
He also feels strongly that there must be a coordinated effort between the public and private sectors to combat electronic terrorism. "The private sector controls about 90 percent of our telecommunications systems. The government is responsible for national security and law enforcement. The two must engage in a responsible, candid dialog. Without the cooperation of the private sector, we are hopelessly vulnerable," he added.
To further communication between the government and private sector, Rep. Davis introduced the Cyber Security Information Act (H.R. 2435) on July 10, 2001– two months before the terrorist attacks. The bill would "encourage the secure disclosure and protected exchange of information about cyber security problems, solutions, test practices and test results, and related matters in connection with critical infrastructure protection."
He hopes the legislation will go forward but acknowledges that it will be an uphill battle. "There are barriers to information sharing, such as antitrust laws," he said. "At the moment, private industry has every incentive not to disclose any information."
According to the congressman, private industry must be given the assurance they need to share information with the federal government in much the same way as they did to address the Y2K computer problem.
"This is not about the public knowing [what private companies are doing], but about the government knowing," he said. Referring to the implications of the legislation, Rep. Davis said, "Everything is a trade-off. Let's not let the 'perfect' be the enemy of the 'very good.'"
