For other versions of this document, see http://wikileaks.org/wiki/CRS-RL32357

Prepared for Members and Committees of Congress

Summary

This report provides a short summary of selected federal laws, executive orders, and presidential directives, currently in force, that govern computer security. The report focuses on the major roles and responsibilities assigned to various federal agencies in the area of computer security. This report will not be updated.

One major area of federal activity in computer security deals with securing federal computer systems. The roles and responsibilities for securing federal computer systems are split between national security systems and all other federal systems. The Federal Information Security Management Act of 2002 authorizes the Director of the Office of Management and Budget to oversee the development of, and compliance with, security standards and guidelines developed by the National Institute of Standards and Technology and promulgated by the Secretary of Commerce. These authorities, however, do not apply to computer systems considered to be national security systems. The roles and responsibilities for securing national security systems are established by National Security Directive 42 (NSD-42). NSD-42 establishes what is now called the Committee on National Security Systems, which it authorizes to develop, and require compliance with, standards and guidelines for national security systems.

In general, the federal government does not regulate the security of non-government computer systems. However, the federal government does require certain information held on non-government systems to be protected against unauthorized access and disclosure, primarily out of privacy considerations.
To date, this has been limited to financial information (Gramm-Leach-Bliley Act) and medical information (Health Insurance Portability and Accountability Act of 1996). A number of regulatory agencies have authority for developing and enforcing standards for financial information. The Secretary of Health and Human Services has authority to develop and enforce standards for medical information. The Sarbanes-Oxley Act of 2002 requires certain companies to certify the accuracy of their internal financial controls. The Securities and Exchange Commission has authority to develop standards and enforce these regulations.

Although it currently has a limited role in securing the nation's overall information infrastructure, the federal government does, through the Department of Homeland Security, work with and encourage the private sector, state and local government, academia, and the general public to protect the nation's information infrastructure. This role is authorized in a generic sense for all critical infrastructure by the Homeland Security Act of 2002. It is also reinforced more specifically in Homeland Security Presidential Directive No. 7 and the National Strategy to Secure Cyberspace. To date, these activities are voluntary for non-federal entities.

Other roles established for the federal government include: investigation and prosecution of federal computer crimes; assisting state and local law enforcement entities in their investigations and prosecutions; and developing the nation's expertise in information security.

Contents

Introduction
Securing Federal Computer Systems
    Non-National Security Systems
    National Security Systems
    Summary
    National Strategy
    National Communications System
Protecting Information on Private Systems
Working with the Private Sector
Investigating and Prosecuting Computer Crimes
Research and Development and Developing Information Security Expertise
Conclusion
    Current Status
    Issues
Author Contact Information

Introduction

This report provides a short summary of selected federal laws, executive orders, and presidential directives, currently in force, that govern computer security. The report focuses its discussion on the roles and responsibilities for computer security that have been assigned to different federal departments and agencies, some of which were assigned 20 or more years ago.
This report is primarily concerned with the security of computer systems, and of the electronic information contained on or transmitted by those systems, against unauthorized access, use, disclosure, disruption, modification, or destruction, in the context of information services. The report does not discuss broader issues associated with information assurance, which include such concerns as the marking and handling of information in both electronic and physical formats, the assignment of a particular status to certain types of information, and the determination of who should and should not have authorized access to it.

The report also touches on telecommunications to a limited extent. Even though the technologies associated with computers and telecommunications have become inextricable, there remains a distinction between the use of that technology for information services (e.g., the Internet) and its use, in some cases on the very same hardware, for telecommunication services.

The major federal roles and responsibilities in computer security relate primarily to securing federally owned, leased, or operated systems (or systems operated for the federal government under contract or by third parties). In general, the federal government does not regulate the security of non-government computer systems (other than those used by contractors for the federal government). However, the federal government does require certain information held on non-government systems to be protected against unauthorized access and disclosure. In addition, as part of its effort to enhance the security of the nation's critical infrastructure, the federal government is working with and encouraging the private sector to improve the security of the nation's information infrastructure more generally. Another role the federal government plays in computer systems security is to investigate and prosecute federal computer crimes.
The federal government also offers assistance to state and local law enforcement entities in their investigation and prosecution of computer activities made illegal at the state level. Finally, the federal government has programs in research and development and in the development of the nation's expertise in computer security.

Securing Federal Computer Systems

Non-National Security Systems

Building upon the Computer Security Act of 1987 (P.L. 100-35), the Paperwork Reduction Act of 1995 (P.L. 104-13), and the Information Technology Management Reform Act of 1996 (i.e., the Clinger-Cohen Act, P.L. 104-106, Division E), the Federal Information Security Management Act of 2002 (P.L. 107-347, Title III) provides the basic statutory requirements for securing federal computer systems. The Federal Information Security Management Act (FISMA) requires each agency to inventory its major computer systems, to identify and provide appropriate security protections, and to develop, document, and implement an agency-wide information security program.

FISMA authorizes the National Institute of Standards and Technology (NIST) to develop security standards and guidelines for systems used by the federal government. It authorizes the Secretary of Commerce to choose which of these standards and guidelines to promulgate. FISMA authorizes the Director of the Office of Management and Budget (OMB) to oversee the development and implementation of (including ensuring compliance with) these security policies, principles, standards, and guidelines. To help fulfill these responsibilities, FISMA authorizes the Director of OMB to: require agencies to follow the standards and guidelines developed by NIST and prescribed by the Secretary of Commerce; review agency security programs annually and approve or disapprove them; and take actions authorized by the Clinger-Cohen Act (including budgetary actions) to ensure compliance.
FISMA also requires agencies to conduct, annually, an independent evaluation of their security programs, which includes an assessment of the effectiveness of the program, plans, and practices and of compliance with FISMA requirements. The results of those evaluations are forwarded to the Director of OMB, who is to summarize the results each year in a report to Congress.

FISMA also directs the Director of OMB to "ensure the operation" of a federal information security incident center. Among the missions of this center are: providing timely technical assistance to federal agencies in detecting and handling computer incidents; and compiling and analyzing incident data. Such a center existed prior to FISMA. The Federal Computer Incident Response Capability (FedCIRC) evolved out of a pilot project first begun at NIST in 1996. FedCIRC was transferred to the General Services Administration, before being transferred again to the Department of Homeland Security. This capability is now located within the National Cyber Security Division in the Information Analysis and Infrastructure Protection Directorate.

The above mentioned roles and responsibilities of NIST, the Secretary of Commerce, and the Director of OMB (except for the Director's authority to take related budgetary actions and to report to Congress) do not extend to computer systems identified as national security systems.

National Security Systems

FISMA[1] defines a national security system, in statute, as:

    Any computer system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency--
    (i) the function of which--
        (I) involves intelligence activities;
        (II) involves cryptologic activities related to national security;
        (III) involves command and control of military forces;
        (IV) involves equipment that is an integral part of a weapon or weapons system;
        (V) ... is critical to the direct fulfillment of military or intelligence missions; or
    (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

The definition explicitly excludes systems that are used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).

[1] P.L. 107-347, § 301(b)(1).

The roles and responsibilities for securing national security systems are outlined in National Security Directive 42 (NSD-42), signed July 5, 1990, by President George H. W. Bush. NSD-42 establishes the National Security Telecommunications and Information Systems Security Committee, now called the Committee on National Security Systems (CNSS).[2] CNSS is an interagency committee, chaired by the Department of Defense. Among other assignments, NSD-42 directs the CNSS to: provide system security guidance for national security systems to executive departments and agencies; and submit annually to the Executive Agent (see below) an evaluation of the security status of national security systems. NSD-42 also directs the Committee to interact, as necessary, with the National Communications System Committee of Principals (see below).

NSD-42 assigns membership on the Committee to voting representatives of the Secretaries, Directors, and Administrators of the following departments and agencies: State, Treasury, Defense, Commerce, Transportation, Energy, Office of Management and Budget, Central Intelligence,[3] Federal Bureau of Investigation, Federal Emergency Management Agency (FEMA), General Services Administration, National Security Agency, and Defense Intelligence Agency.
Also included are: the Attorney General, the Assistant to the President for National Security Affairs, the Chairman of the Joint Chiefs of Staff, the Chiefs of Staff of the Army and the Air Force, the Chief of Naval Operations, the Commandant of the Marine Corps, and the Manager of the National Communications System (NCS). FEMA and the NCS are now parts of the Department of Homeland Security.

NSD-42 names the Secretary of Defense as the Executive Agent of the Government for National Security Telecommunications and Information Systems Security. NSD-42 directs the Executive Agent to implement policies and procedures that: ensure the development of plans and programs necessary to secure national security systems; procure for, and provide to, executive departments and agencies technical security materials and other technical assistance; conduct, approve, or endorse research and development of security techniques and equipment; and operate or coordinate the activities of federal technical centers related to national security systems. NSD-42 also assigns to the Executive Agent the responsibility for reviewing and assessing the National Manager's (see below) recommendations on national security systems programs and budgets for executive departments and agencies. The Executive Agent may make appropriate budgetary and programmatic recommendations to agency heads as well as to the National Security Council and to the Office of Management and Budget. In addition, NSD-42 instructs the Executive Agent to report the security status of national security systems to the President through the National Security Council.

NSD-42 also designates the Director of the National Security Agency as the National Manager for National Security Telecommunications and Information Systems Security. Among the authorities granted the National Manager are to: examine U.S. Government national security systems and evaluate their vulnerability to foreign interception and exploitation; conduct, approve, or endorse research and development of security techniques and equipment; review and approve all security-related standards, techniques, systems, and equipment for national security systems; assess the overall security posture of, and disseminate information on threats to and vulnerabilities of, national security systems; operate a central technical center to evaluate and certify national security systems; prescribe minimum standards, methods, and procedures for protecting national security systems; annually review and assess the national security systems programs and budgets of departments and agencies, individually and in the aggregate, and recommend alternatives to the Executive Agent; and enter into agreements for the procurement of technical security materials and equipment and their provision to executive departments and agencies and, when appropriate, to government contractors and foreign governments.

[2] The name was changed by Executive Order (E.O.) 13231, signed October 16, 2001. E.O. 13286, signed February 28, 2003, which amended E.O. 13231, kept the name change.

[3] The Director of Central Intelligence also cites (in Director of Central Intelligence Directive 6/3, Policy) his authority to protect intelligence sources and methods, granted under the National Security Act of 1947, Executive Orders 12333 and 12958, and NSD-42, to develop, and require compliance with, standards and guidelines to protect intelligence information on computer systems.
Summary

To summarize, the Director of OMB is authorized to oversee the development of, and ensure compliance with, policies, principles, standards, and guidelines governing the security of all federal computer systems, except for national security computer systems. The Committee on National Security Systems has that authority for national security systems (which include both information and telecommunication systems). The Director of Central Intelligence cites similar authority for computer systems that contain intelligence information. NIST has the responsibility for developing security standards and guidelines for all federal computer systems, except national security systems. The National Security Agency has that authority for national security systems.

National Strategy

Although carrying less authority than law, executive order, or presidential directive, the National Strategy to Secure Cyberspace, released in February 2003,[4] makes a number of recommendations aimed at everyone from the largest computer network operators, including the federal government, to the smallest home users. Three recommendations direct specific federal agencies to take specific actions to improve the security of federal systems. The Strategy recommends that DHS use exercises to test the security of federal systems and report the results of those exercises to the Director of OMB. It also directs DHS to work with the General Services Administration to develop an improved patch management system, to ensure that agencies have made up-to-date security modifications to their software. The Strategy also directs OMB to coordinate the development of a research and development strategy for information technology security and to update it annually.

[4] The Strategy was released by the President's Critical Infrastructure Protection Board. The Board was established by Executive Order 13231 (October 16, 2001). The Board was dissolved by Executive Order 13286 (February 28, 2003).
National Communications System

Because of the reliance of computer networks on telecommunication assets, the use of computers in telecommunication networks, and the inextricable nature of the technologies involved, it is necessary to spend a few paragraphs discussing the National Communications System. NSD-42 makes reference to the National Communications System's Committee of Principals.

The National Communications System (NCS) was first established by Presidential Memorandum No. 252, signed by President Kennedy in 1963 following the Cuban Missile Crisis. The Memorandum called for establishing an NCS by linking together, and improving on an evolutionary basis, the communication facilities and components of various federal agencies. This original memorandum has since been amended and superseded over time. The Executive Order currently in force is Executive Order 12472, signed by President Reagan on April 3, 1984, which was amended slightly by President George W. Bush in Executive Order 13286, on February 28, 2003.

E.O. 12472 established (i.e., defined) a national communications system as those telecommunication assets owned or leased by the federal government that can meet the national security and emergency preparedness needs of the federal government, together with an administrative structure that could ensure that a national telecommunications infrastructure is developed that is responsive to national security and emergency preparedness needs. The administrative structure includes a National Communications System Committee of Principals, an Executive Agent, and a Manager.

The National Communications System Committee of Principals consists of those agencies, designated by the President, that own or lease telecommunication assets identified as part of the National Communications System, or which bear policy, regulatory, or enforcement responsibilities of importance to national security and emergency preparedness telecommunications.
The mission of the Committee of Principals is to assist (including by making recommendations to) the President, the National Security Council, the Homeland Security Council, the Director of the Office of Science and Technology Policy (OSTP), and the Director of the Office of Management and Budget (OMB) in exercising their functions and responsibilities associated with the National Communications System. Together the National Security Council, the Homeland Security Council, the Director of OSTP, and the Director of OMB, in consultation with the Executive Agent and the Committee of Principals, determine the requirements for the national communications system. The Committee of Principals also works closely with private sector service providers, which own and operate some of the assets that make up the NCS, through the National Security Telecommunications Advisory Committee. The Committee of Principals also: acts as a forum in which members may discuss and report on ongoing and prospective national security and emergency preparedness plans and programs; and ensures that the NCS is responsive, capable of satisfying priority telecommunication requirements, and survivable to the maximum extent practicable at all times, including times of crisis and emergency. Infrastructure security is specifically mentioned as one of the concerns of the NCS (E.O. 12472, Section 1(c)(3)).

The responsibilities of the Executive Agent include: designating the NCS Manager; ensuring that the NCS conducts unified planning and operations; and ensuring coordination with the emergency management activities of the Department of Homeland Security. The original E.O. designated the Secretary of Defense as the Executive Agent. The Homeland Security Act of 2002 transferred the NCS to the Department of Homeland Security. To reflect this change, Executive Order 13286 made the Secretary of Homeland Security the Executive Agent.
The responsibilities of the NCS Manager include preparing, for consideration by the Committee of Principals: recommendations on an evolutionary telecommunications architecture to meet current and future national security and emergency preparedness needs; plans and procedures for the allocation and use, including the priorities and preferences, of federally owned or leased assets under all emergency or crisis conditions; plans and standards for reducing impediments to interoperability; tests and exercises for evaluating capabilities; and budget reviews. The Manager also implements any approved plans or programs and chairs the Committee of Principals. As a result of the transfer of the NCS to the Department of Homeland Security, the Secretary of Homeland Security, as Executive Agent, has designated the Assistant Secretary for Infrastructure Protection as the NCS Manager.

E.O. 12472 also established a joint industry-government National Coordinating Center (NCC), which assists in the initiation, coordination, restoration, and reconstruction of national security and emergency preparedness telecommunication services or facilities under all conditions.

Protecting Information on Private Systems

There are currently no general federal requirements for private entities, other than federal contractors operating systems for the federal government, to secure their computer systems. However, there are requirements for entities who hold or process certain types of personal information to ensure the confidentiality of that information. To date, this includes financial information and medical information. There is also a federal requirement that certain firms that register with the Securities and Exchange Commission (SEC) must include in their financial reports an assessment of their internal financial controls. To the extent that each of these types of information is held or processed electronically, the security of some private computer systems comes under federal regulation.

Title V of the Gramm-Leach-Bliley Act (P.L. 106-102, 15 USC Chapter 94, § 6801 et seq.) requires financial institutions to protect the security and confidentiality of their customers' nonpublic personal information. The Act authorizes various federal regulatory agencies (the Comptroller of the Currency, the Securities and Exchange Commission, the Federal Deposit Insurance Corporation, et al.) to coordinate the development of regulations for meeting this requirement. Each of these federal agencies is authorized to enforce the regulations for those institutions in its jurisdiction. The Federal Trade Commission's version of the regulations (16 CFR Part 314), for example, requires financial institutions to develop, implement, and maintain a comprehensive information security program that contains appropriate administrative, technical, and physical safeguards. Such a program should include the designation of an employee to coordinate the program, risk assessments, regular tests and monitoring of safeguards, and a process for making adjustments in light of test results and/or changes in operations or other circumstances that may impact the effectiveness of the program.

The Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191, Title II, Subtitle F, Sec. 262, 42 USC 1320d et seq.) authorizes the Secretary of Health and Human Services to adopt standards that require health plans, health care providers, and health care clearinghouses to take reasonable and appropriate administrative, technical, and physical safeguards to: ensure the integrity and confidentiality of individually identifiable health information held or transferred by them; protect against any reasonably anticipated threats and unauthorized uses or disclosures; and ensure compliance with these safeguards by officers and employees. These security standards were adopted in 45 CFR Part 164, Subpart C. The Secretary assigned responsibility for enforcing these security standards to the Centers for Medicare and Medicaid Services.
Besides these privacy-oriented rules, the Sarbanes-Oxley Act of 2002 (P.L. 107-204, § 404) authorizes the Securities and Exchange Commission to prescribe regulations requiring that the annual financial reports filed by entities pursuant to sections 13(a) or 15(d) of the Securities Exchange Act of 1934 contain a report on the firm's internal financial controls. The report must state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and must assess the effectiveness of those structures and controls. The firm's external auditor must attest to, and report on, management's assessment. "Internal control" is defined as a process that provides assurance regarding the reliability of financial reporting. It pertains to the maintenance of records that accurately reflect the transactions and dispositions of assets and that prevent or detect unauthorized acquisition, use, or disposition of assets. While there is no specific mention of computer security, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework for Enterprise Risk Management, which is mentioned in the regulation (17 CFR Parts 210, 228, et al.) as the kind of evaluation process that would be acceptable, specifically includes the security of information technology (systems, software, applications) as a critical element to assess.

Working with the Private Sector

Continuing the basic policy outlined in the Clinton Administration's Presidential Decision Directive No. 63 (PDD-63), the Bush Administration's Homeland Security Presidential Directive No. 7 (HSPD-7), released December 17, 2003, states that it is U.S. policy to enhance the protection of the nation's critical infrastructure. Certain agencies were designated as lead agencies to work with their private sector counterparts.
In addition to assigning the Secretary of Homeland Security the responsibility of coordinating the nation's overall efforts in critical infrastructure protection across all sectors, HSPD-7 also designates the Department of Homeland Security (DHS) as lead agency for the nation's information and telecommunications sectors. As a lead agency, DHS is to share threat information, help assess vulnerabilities, and encourage appropriate protective action and the development of contingency plans. In addition, HSPD-7 directs the Secretary of Homeland Security to maintain an organization that serves as a focal point for securing cyberspace. That organization is to facilitate collaboration between federal departments and agencies, state and local governments, the private sector, academia, and international organizations. Its mission includes: 24x7 analysis and warning; information sharing; vulnerability reduction; mitigation; and aiding national recovery. The National Cyber Security Division was established within the Information Analysis and Infrastructure Protection (IA/IP) Directorate in June 2003, leveraging capabilities transferred to DHS by the Homeland Security Act of 2002, such as elements of the National Infrastructure Protection Center from the FBI and FedCIRC from the General Services Administration.

Beyond making DHS responsible for coordinating the national effort to protect critical infrastructure across all sectors, the Homeland Security Act of 2002 also authorizes DHS (through the Undersecretary for Information Analysis and Infrastructure Protection), as appropriate and upon request, to provide the private sector with analysis and warning of threats to and vulnerabilities of computer systems.
It also authorizes the Undersecretary for IA/IP, in coordination with the Undersecretary for Emergency Preparedness and Response, as appropriate and upon request, to provide the private sector with crisis management support in response to a threat or attack on critical computer systems, and technical assistance to help recover from major failures of critical computer systems. The Act also authorizes the Undersecretary for IA/IP to establish a "NET Guard" composed of local teams of experts to help communities respond to and recover from attacks on information and telecommunication systems.

The National Strategy to Secure Cyberspace, mentioned earlier, also recommends that the Department of Homeland Security be responsible for a number of tasks associated with interacting with state and local governments and the private sector. Some of these have been captured in HSPD-7. Among the recommended tasks are: establish a 24x7 synoptic view of the health of the information infrastructure; share threat and warning information; explore the use of exercises as a way to test coordination of public and private incident management, response, and recovery capabilities; coordinate development of a national threat assessment; encourage a national voluntary patch clearinghouse; encourage the advanced training of cybersecurity professionals; and encourage the development of a broadly accepted certification program for those professionals.

As part of its authority to develop standards for federal computer systems, NIST is also authorized by FISMA to assist the private sector, upon request, in using and applying the security standards that NIST develops.

Investigating and Prosecuting Computer Crimes

The Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (P.L. 98-473, Title II, § 2102(a), 18 USC 1030, as amended) makes certain acts associated with unauthorized access to computers a federal crime.
For example, it is a crime to knowingly gain unauthorized access to a nonpublic federal computer or a computer used by or for the federal government. It is also a crime to knowingly gain unauthorized access to a computer and obtain national security information, financial or credit information, or any information from a protected computer. A protected computer is one used by or for a financial institution or the federal government, or one used in interstate or foreign commerce or communication. It is also a federal crime to knowingly transmit a program, information, code, or command that causes damage to a protected computer.

While the Attorney General has the primary authority to enforce federal laws, the Act also specifically states that the United States Secret Service has the authority, as does any other agency with such authority, to investigate the computer-related offenses covered by this section of the Act. The USA PATRIOT Act (P.L. 107-56, § 506(a)) amended the above statute by adding that the Federal Bureau of Investigation (FBI) has primary authority to investigate offenses where espionage or national security is involved, except for offenses affecting the duties of the United States Secret Service. Such authorities are to be exercised in accordance with an agreement signed by the Secretary of the Treasury and the Attorney General.

Section 105 of the PATRIOT Act authorizes the Director of the United States Secret Service to develop a national network of electronic crime task forces, modeled on the New York Electronic Crimes Task Force, for the purpose of preventing, detecting, and investigating electronic crimes, including potential attacks against critical infrastructure and financial payment systems.
Section 816 of the PATRIOT Act also authorizes the Attorney General to establish regional computer forensic laboratories to provide forensic examinations with respect to seized or intercepted computer evidence related to criminal activity, to provide training and education to other federal, state, and local law officials, and to assist other federal, state, and local law officials. ¢ Some of the ground-rules for investigating computer crimes are found in the Electronic Communications Privacy Act. (P.L. 99-508, USC Chapters 119,121, 206). A number of these were modified in Title II of the USA Patriot Act. For example, prior to the amendments, tracking computer hackers via computer logs across jurisdictional areas required separate court orders from each jurisdiction. The USA Patriot Act allows investigators to get a single court order from any court of competent jurisdiction. Further discussion of these provisions is beyond the scope of this report. ¢ ¡ The federal government has a number of programs aimed at developing computer security expertise. FISMA requires an agency's Chief Information Officer to provide training to personnel with significant security responsibilities. FISMA also requires the agency head to ensure the agency has sufficient personnel trained in information security. The Computer Security Act, which was superceded by FISMA, had authorized NIST to develop, in consultation with the Office of Personnel Management, guidelines for training agency employees in information security practices. The guidelines developed cover a range of needs from making users aware of security issues and practices to guidelines for agencies to use when developing training courses for people charged with securing computer systems. NSA has similar guidelines for training personnel in securing national security systems. 
The National Security Agency, citing its authorities under NSD-42 to develop standards for securing national security system and in response to PDD-63, also has established a National Information Assurance Education and Training Program, part of which includes the National Centers of Excellence in Information Assurance Education. The Centers' program selects certain universities who have developed programs in information assurance that meet criteria established by the Committee on National Security Systems. Following the release of PDD-63, the Clinton Administration began a program called Scholarship-for-Service (SFS) which, leveraging NSA's Center of Excellence program, seeks to help schools develop information security programs that could qualify for NSA's Centers program and to support students with 2-year scholarships. Upon graduation, students receiving SFS support would be required to work 2 years in the federal sector. The National Science Foundation was tasked with running this program. The Floyd D. Spence National Defense Authorization Act of FY2001 (P.L. 106-398, §922) authorized the Secretary of Defense to establish a similar program for the Department of Defense. In part to help develop a cadre of experts in information security, Congress also passed the Cyber Security Research and Development Act (P.L. 107-305). The Act authorizes the National Science Foundation to: award basic research grants in areas that enhance computer security; to support the establishment of multi-disciplinary Centers for Computer and Network Security Research; to award grants to institutions of higher learning to establish or improve their programs and enrollments in computer and network security; to provide graduate assistance programs in computer and network security; to establish a graduate research fellowship program; and to establish a grant program to establish university programs to train students to pursue an academic career in computer and network security. 
The Act also authorized NIST to support the establishment of multi-disciplinary research partnerships in computer security between universities, government, profit, and non-profit entities; and, to establish a post-doctoral research fellowship program and a senior research fellowship program. ¢ In addition to supporting the development of national expertise in computer systems security, the federal government also conducts and supports research and development in computer systems security. As mentioned earlier in this report, NIST, DOD, and NSA are specifically authorized in FISMA and NSD-42, respectively, to conduct and support research in computer systems security. In addition, the Homeland Security Act of 2002 (Title II, Subtitle D) establishes within the Department of Justice the Office of Science and Technology. The Act authorizes this Office to conduct research, including research in tools and techniques that facilitate investigative and forensic work related to computer crimes. The Homeland Security Act of 2002 (§308) also authorizes the Undersecretary of Science and Technology of the Department of Homeland Security, when establishing university research centers, to consider universities with nationally recognized programs in information security. Although the Homeland Security Act of 2002 does not specifically call for research in this area, computer security makes up one of the portfolios of the Science and Technology Directorate. The roles and responsibilities of various federal departments and agencies in the area of computer security are relatively well defined. OMB and NIST are responsible for developing policy and standards, and for overseeing the implementation of those policies and standards, covering most of the federal government's computer systems. DOD, NSA, and the Director of Central Intelligence, working through the Committee on National Security Systems, are responsible for federal computer systems designated as national security systems. 
While inheriting the NCS and its responsibilities in the area of the NCS and telecommunications, the primary role of the Department of Homeland Security is to work with the private sector, state and local governments, and the public to protect the nation's information infrastructure (i.e. the Internet). The Secretary of Health and Human Services enforces regulations related to the privacy of individual health information held on private computer systems maintained by health care organizations. The SEC and other agencies with jurisdiction over financial institutions enforce regulations related to the privacy of individual financial information held on computer systems maintained by financial institutions. The SEC also enforces regulations related to the certification of internal financial controls (including those associated with a company's computer systems) for a large number of private sector firms. A number of agencies have the authority to investigate and prosecute federal computer crimes, in particular the Department of Justice and the Secret Service (now part of DHS). NSA, NSF, NIST and DHS are specifically authorized to support research and development in computer security and to develop the nation's expertise in this area. However, at least three issues have arisen concerning these roles and responsibilities: 1) the role the federal government in regulating the nation's privately owned and operated critical information infrastructure; 2) the relative roles of the Department of Homeland Security and the National Security Agency in setting policy and standards for computer and telecommunication systems handling critical infrastructure information; and, 3) the relative roles of the National Cyber Security Division and the National Communication System in setting policy and standards for dealing with the private sector. 
¢ The current role of the federal government in regulating private sector computer systems is primarily derived from its interest to protect the privacy of individually identifiable information held on private computer systems or to improve the oversight of financial reporting by the private sector. Security of a company's or an individual's computer system or the Internet as a whole are not the policy objective. There is a long running debate about whether the federal government should take a more active regulatory role in improving private sector computer security. Two options that have been discussed include requiring the development of more secure computer software and/or requiring users to improve and maintain the security of their systems over time. A number of critics of the National Strategy to Secure Cyberspace have asserted that the Strategy did not go far enough in either of these directions in its recommendations.5 These critics tend to come from the developers of security products and services. Both software developers and software users take the position that it is in a company's interest to sell and maintain secure products and systems and that market forces are the best way to ensure cost-effective security. Current policy is to engage the private sector and collaborate in efforts to raise awareness of security issues and to disseminate best practices. The Homeland Security Act of 2002 defined a class of information called critical infrastructure information. Critical infrastructure information is information coming from the private sector, and state and local governments to the Department of Homeland Security concerning the identification of critical assets, their vulnerabilities, measures taken to protect them, and suspicious incidents. The Act gives the Secretary of Homeland Security authority to develop the information systems (as well as the protocols, etc.) needed to facilitate the sharing, storage, and analysis of this information. 
While not necessarily considered classified information, critical infrastructure information is considered sensitive and exempt from public disclosure. It might also be held and transmitted over systems that also handle classified or other types of sensitive information that would make the information systems handling it a national security system which falls within the jurisdiction of the Committee on National Security Systems and NSA. Who takes the lead in developing the policies and standards governing the systems being designed to handle this information? ¢ Lastly, the Information Protection side of the Information Analysis and Infrastructure Protection Directorate at DHS has both a National Cyber Security Division and the National Communication System. As the technologies of telecommunications and computer become even more inextricable, there may appear to be some redundancies in the roles and responsibilities of these two entities. The role of the NCS is well established from over 40 years of experience. Its jurisdiction, while wide, still deals primarily with those assets considered necessary for national security related communications or during times of national emergencies. The NCSD has a much wider mandate; to work with all owners, operators, and users of the nation's information 5 For example, see, White House Scales Back Cyberspace Plan. The New York Times. February 14, 2003. http://www.nytimes.com/2003/02/15/technology . This website was last accessed on April 16, 2004. Also, Bush's Cybersecurity Plan Falls Short, Report Says. Computerworld. December 23, 2002. page 10. ¢ infrastructure. There is some debate about whether these two functions should merge or remain separate. John D. Moteff Specialist in Science and Technology Policy jmoteff@crs.loc.gov, 7-1435 ------------------------------------------------------------------------------ For other versions of this document, see http://wikileaks.org/wiki/CRS-RL32357