Cyber Security


The international situation for evaluating the adequacy of IT security was quite confused in the early 1990s.

In the United States

In December 2002, the U.S. Government passed the Federal Information Security Management Act (FISMA) and the Cybersecurity Research and Defense Act (CR&DA). FISMA requires the “development and maintenance of minimum controls required to protect Federal information and information systems” and “a mechanism for improved oversight of Federal agency information security programs.”

The United States law gave authority to the National Institute of Standards and Technology (NIST) to set standards for these controls. The CR&DA authorizes “funding for computer and network security research programs and research fellowship programs.” Both bills authorize funding for computer security. These U.S. laws are the most recent in a series of statutes enacted over the past several decades that confer substantial responsibilities on NIST in the area of cyber security. However, funds were not appropriated by the Congress for these purposes.

The Internet has vastly increased the importance of computers in government, with computing technology becoming the natural way for many citizens to communicate with government and for government to communicate with itself. The General Accounting Office has noted “[V]irtually all federal operations are supported by automated systems and electronic data, and agencies would find it difficult, if not impossible, to carry out their missions … without these information assets” [Dacey, p.7].

By changing the boundaries between what is “inside” and what is “outside,” the Internet has made achieving true computer security a much more challenging task.

The Internet era has also been accompanied by a great increase in the virulence of cyber security attacks and their impact. The Morris Worm was launched in the fall of 1988 and affected six thousand UNIX computers. Shortly afterwards, the Defense Advanced Research Projects Agency established, as part of the Software Engineering Institute, a federally-funded research and development center at Carnegie Mellon University, the Computer Emergency Response Team, CERT [www.cert.org], which tracks such incidents. A particularly troubling trend is the annual doubling of incidents: in 1998, there were 3,734 incidents reported to CERT; by contrast, in 2003 there were 137,529.

