Critical Infrastructure Protection: Comments on the Proposed Cyber Security Information Act of 2000

T-AIMD-00-229 June 22, 2000
Full Report (PDF, 14 pages)  

Summary

H.R. 4246, the proposed Cyber Security Information Act of 2000, would remove barriers to information sharing between government and private industry. In GAO's view, the legislation would help build the meaningful private-public partnerships that are essential to protecting critical infrastructure assets. To successfully engage the private sector, however, the federal government itself must be a model of good information security. Today, it is not. Significant computer security weaknesses--from poor controls over sensitive systems and data to weak or nonexistent continuity of service plans--plague nearly every major agency. And, as seen in the recent "ILOVEYOU" computer virus, mechanisms already in place to ease information sharing among federal agencies about impending threats have not been working well. Moreover, the federal government may not yet have the right tools for identifying, analyzing, coordinating, and disseminating the type of information that H.R. 4246 envisions collecting from the private sector.

GAO noted that: (1) by removing key barriers that are precluding private industry from sharing information about infrastructure threats and vulnerabilities, H.R. 4246 can help build the meaningful private-public partnerships that are integral to protecting critical infrastructure assets; (2) however, to successfully engage the private sector, the federal government itself must be a model of good information security; (3) currently, it is not; (4) significant computer security weaknesses--ranging from poor controls over access to sensitive systems and data, to poor control over software development and changes, to nonexistent or weak continuity of service plans--pervade virtually every major agency; (5) and, as illustrated by the recent ILOVEYOU computer virus, mechanisms already in place to facilitate information sharing among federal agencies about impending threats and vulnerabilities have not been working effectively; and (6) moreover, the federal government may not yet have the right tools for identifying, analyzing, coordinating, and disseminating the type of information that H.R. 4246 envisions collecting from the private sector.