Critical Infrastructure Protection:
Comments on the Proposed Cyber Security Information Act of 2000
T-AIMD-00-229, Jun 22, 2000
Pursuant to a congressional request, GAO discussed the proposed Cyber Security Information Act of 2000 (H.R. 4246), focusing on how it can enhance critical infrastructure protection and the formidable challenges involved with achieving the goals of the bill.
GAO noted that: (1) by removing key barriers that are precluding private industry from sharing information about infrastructure threats and vulnerabilities, H.R. 4246 can help build the meaningful private-public partnerships that are integral to protecting critical infrastructure assets; (2) however, to successfully engage the private sector, the federal government itself must be a model of good information security; (3) currently, it is not; (4) significant computer security weaknesses--ranging from poor controls over access to sensitive systems and data, to poor control over software development and changes, to nonexistent or weak continuity of service plans--pervade virtually every major agency; (5) and, as illustrated by the recent ILOVEYOU computer virus, mechanisms already in place to facilitate information sharing among federal agencies about impending threats and vulnerabilities have not been working effectively; and (6) moreover, the federal government may not yet have the right tools for identifying, analyzing, coordinating, and disseminating the type of information that H.R. 4246 envisions collecting from the private sector.