Summary: Security threats to the government's computer systems are significant and growing. The dramatic rise in computer interconnectivity, coupled with the popularity of the Internet, has made it easier for people to intrude into poorly protected systems and to obtain sensitive information, commit fraud, or disrupt operations. At the same time, the number of people with the skill to "hack" into computer systems is on the rise. Federal web sites have already had to deal with a spate of break-ins. Recently, the government had to cope with the threat of the "Melissa" computer virus. Although that incident caused relatively little damage, it is likely that the next virus will propagate faster, do more damage, and be harder to detect. Yet GAO and others have found that federal agencies are ill prepared to deal with these evolving threats. GAO urges the federal government to swiftly implement long-term solutions at both individual agencies and governmentwide to protect systems and sensitive data. In GAO's view, the Computer Security Enhancement Act of 1999 takes several positive steps toward addressing the proliferation of networked systems and the need for better protection over sensitive data belonging to both the government and the private sector. First, the bill requires the National Institute of Standards and Technology to provide guidance and assistance to federal agencies. Second, the bill requires the Commerce Department to establish a clearinghouse of information available to the public on information security threats. Third, the bill requires the National Research Council to assess the desirability of public key infrastructures and the technologies needed to establish such infrastructures. Fourth, the bill establishes a panel to explore developing a national digital signature infrastructure.
GAO also discusses what can be done to further strengthen security program management at individual agencies as well as governmentwide leadership, coordination, and oversight.