Computer Security Act of 1987
Derrek M. Davis
Personal computers (PCs) have brought about an information revolution. The PC has become a universal tool for developing, storing, and accessing information. The Internet has also grown exponentially, connecting computers together worldwide, and creating an "information superhighway" for the transmission of PC users' thoughts and ideas. This information revolution, in turn, has led to a high level of hacker activity and other abuses that disrupt the system. All of these events created concern in the federal government, one of the largest computer users in the country, over the security of its computer systems and the information housed within them. To further exacerbate the situation, federal employees lacked training in security technology, and the government had not created a central authority responsible for setting standards and policies for its computer security. This situation prompted Congress and federal agencies to address the rising concern over computer security in the federal government.
By the mid-1980s Congress passed several pieces of legislation attempting to address the issue of computer security. The Computer Fraud and Abuse Act, for example, made it a federal offense to either knowingly access a computer without authorization, or to have proper authorization and use a computer for unauthorized purposes. The legislators, however, made no attempt to create a central authority in the federal government responsible for computer security.
Originally, the Office of Management and Budget was responsible for computer security policy, the National Security Agency (NSA) was responsible for securing classified information, and the Department of Commerce had responsibility for setting computer and processing standards for federal government computers, but no central authority existed to coordinate the effects of these three government agencies. Seeing this problem, in 1984 President Ronald Reagan issued National Security Decision Directive 145, the National Policy on Telecommunications and Automated Information Systems Security, handing control for security of government computer systems to a National Telecommunications and Information Systems Security Council composed primarily of defense and intelligence agencies. This directive, however, was controversial and subject to widespread criticism. Nevertheless, the growing need for a central authority led Congress to act.
After numerous hearings on the subject of computer security and information privacy, Representative Dan Glickman of Kansas introduced the Computer Security and Training Act of 1985, to place the duty of computer security training and standards under the authority of the National Bureau of Standards. This bill failed and Representative Glickman introduced a second bill, the Computer Security Act of 1987 (CSA) (P.L. 100-235, 101 Stat. 1724), this time addressing four major concerns: federal government computer security, the role of the NSA, a new sensitive but unclassified information classification, and the lack of training government employees had in the use of federal computers containing sensitive information. In short, this bill sought to improve the security and privacy of sensitive information in federal computer systems and it ultimately won comprehensive approval and became law in 1987.
The passage of the Computer Security Act (CSA) did not, however, clarify the role of the government's actions in technology security, and the NSA continued to seek a more active role in setting governmental security standards than Congress originally intended. In 1994 President Clinton issued Presidential Decision Directive 29, a directive that created a Security Policy Board. This Board proposed that the President consolidate all government computer security activities by placing them under the auspices of the NSA. In 2001, President George W. Bush disbanded this Board and transferred its duties to the Policy Coordination Committees, which include the Records Access and Information Security Committee under the authority of the NSA.
These changes led Congress to reconsider the CSA in an effort to reaffirm the role of a single agency for the purposes of establishing computer security standards. Congress sought to amend the act with the Computer Security Enhancement Acts of 1997, 1999, and 2001, bills designed to address technological advancements that had occurred since 1987 and to reaffirm a single agency to lead computer security activities. Each measure passed the House and made its way through the Senate subcommittees, but none reached the Senate Floor for a vote. There have since been no new attempts to amend the Computer Security Act.
The CSA provided a clear framework for the establishment of federal government security standards. Since this time, however, it is apparent that the defense and intelligence communities, led by the executive branch and the NSA, have made attempts to change its framework. It appears the security of government computers falls into an uncertain realm where both the executive and legislative branches seek to gain authority and to control security activity. Unless these two branches of government make a concerted effort to centralize the security of federal computer systems, no real coordination of efforts will occur and governmental systems could remain insecure.
See also: Counterfeit Access Device and Computer Fraud and Abuse Act of 1984; Electronic Communications Privacy Act of 1986.
Computer Security Act (1987)
The Computer Security Act of 1987 is the first major United States government effort to legislate protection and defense for unclassified information in government-related computer systems. The act mandates the National Bureau of Standards to develop and implement procedures that improve the security and privacy of sensitive material and creates a means for establishing minimum acceptable security practices.
The CSA arose out of congressional concerns about computer database vulnerability and executive branch over-zealousness on computer matters. While the Department of Defense argued that unclassified information could be pieced together to create a national security threat, President Ronald Reagan's 1984 National Security Decision Directive 145 set information safeguards at such a high level that private computer data companies loudly complained to legislators about federal scrutiny of their customers. Congress decided to assess the vulnerability of government computers, develop technical and management strategies against access to sensitive information, and establish mandatory training for employees in computer and communication security. The resulting CSA also designates the creation of a twelve-member advisory board that meets at least three times per year and reports to the Secretary of Commerce, the Office of Management and Budget, the National Security Council, and Congress.
While the CSA is designed to prevent the release of sensitive information, the law specifically forbids any federal agency to withhold information requested under the Freedom of Information Act (FOIA). It also does not authorize any agency to limit, restrict, or regulate the collection, disclosure, use, or sale of privately owned or public domain information. Despite this provision, journalists have encountered increasing difficulty obtaining FOIA access to federal material stored in computer databases. Librarians have also observed that the Department of Defense, Department of Energy, and NASA release fewer documents to the public than in the years prior to the CSA.
In light of the George W. Bush administration's concern with secrecy as an element of national security, the CSA will likely continue to be used to limit public access to government information.
Bush Administration (2001–), United States National Security Policy
Commerce Department Intelligence and Security Responsibilities, United States
Computer Fraud and Abuse Act of 1986
Computer Hardware Security
DOD (United States Department of Defense)
DOE (United States Department of Energy)
FOIA (Freedom of Information Act)
NSC (National Security Council)
Reagan Administration (1981–1989), United States National Security Policy