S. HRG. 98-440

COMPUTER SECURITY IN THE FEDERAL GOVERN-

HEARINGS BEFORE THE SUBCOMMITTEE ON OVERSIGHT OF GOVERNMENT MANAGEMENT OF THE COMMITTEE ON GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
NINETY-EIGHTH CONGRESS
FIRST SESSION

OCTOBER 25 AND 26, 1983

Printed for the use of the Committee on Governmental Affairs

27-754 O
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON: 1983

CONTENTS

Susan H. Nycum, partner, Gaston, Snow & Ely Bartlett, Palo Alto, Calif
Susan Headley, Tujunga, Calif.
Robert H. Courtney, Jr., president, Robert H. Courtney, Inc., Port Ewen, N.Y.
E. J. Criscuoli, Jr., executive vice president, American Society for Industrial Security, accompanied by Michael G. Carter, chairman, ASIS's Committee
Joseph R. Wright, Jr., Deputy Director, Office of Management and Budget, accompanied by John P. McNicholas, Chief, Information Policy Branch, Office of Information Regulatory Affairs, OMB
Richard P. Kusserow, Inspector General, Department of Health and Human
Walter L. Anderson, Senior Associate Director, Information Management and Technology Division, General Accounting Office, accompanied by Harold J. Podell, Group Director, Information Management and Technology Division,
John C. Keeney, Deputy Assistant Attorney General, Criminal Division, Justice Department, accompanied by Floyd I. Clarke, Deputy Assistant Director, Criminal Investigative Division; and David Geneson
Richard H. Shriver, Assistant Secretary of the Treasury, accompanied by Joe
Letter to Senator William S. Cohen from Robert P. Campbell, president,
"Locking Up the Mainframe," Robert P. Campbell, Computerworld, October
OMB Circular No. A-71, "Responsibilities for the Administration and Man-
OMB Circular A-71 Transmittal Memorandum No. 1, "Security of Federal Automated Information Systems," July 27, 1978
OMB Circular A-123, "Internal Control Systems," November 6, 1981
Development of an OMB Policy Circular on Federal Information Management; Solicitation of Public Comment, Office of Management and Budget, September 12, 1983 (48 FR 177)
Additional response to question from Senator William S. Cohen, submitted by the Office of Management and Budget
"Computer-Related Fraud and Abuse in Government Agencies," report of Richard P. Kusserow, Inspector General, U.S. Department of Health and
"Computer-Related Fraud and Abuse in Government Agencies," charts accompanying testimony of Richard P. Kusserow, Inspector General, U.S. Department of Health and Human Services, October 26, 1983
Directives Manual, Information Systems, Risk Management Program, Joseph E. Bishop, Deputy Assistant Secretary, Program and Resources Management, U.S. Department of the Treasury, August 30, 1983
Statement of Dr. John W. Lyons, Acting Director, National Bureau of Stand-

COMPUTER SECURITY IN THE FEDERAL

TUESDAY, OCTOBER 25, 1983

U.S. SENATE,
SUBCOMMITTEE ON OVERSIGHT OF GOVERNMENT MANAGEMENT,
COMMITTEE ON GOVERNMENTAL AFFAIRS,
Washington, D.C.

The subcommittee met at 2:05 p.m., in room SD-342, Dirksen Senate Office Building, Hon. William S. Cohen (chairman of the subcommittee) presiding.

Present: Senators Cohen and Bingaman.

Staff present: Susan M. Collins, staff director; Mary B. Gerwin, counsel; Peggy W. McGaffigan, professional staff member; Winthrop S. Cashdollar, professional staff member; Frances C. deVergie, chief clerk; Rachel D. Harlan, assistant chief clerk; Linda J. Gustitus, minority staff director and chief counsel to the minority; and Claudette V. Humphreys, minority counsel.

OPENING STATEMENT OF SENATOR COHEN

Senator COHEN. The subcommittee will come to order.

Today, the Subcommittee on Oversight of Government Management begins 2 days of hearings on the adequacy of computer security within the Federal Government and in the private sector.
The increasing prominence of computers in both the private sector and the Government has raised serious ethical, legal, and administrative questions regarding their use and abuse.

This subcommittee has had a standing interest in issues pertaining to the role of computers in Government management and operations. Last December, I chaired hearings on the use of computer matching to detect waste, fraud, and abuse in Government programs. At those hearings, the subcommittee examined the implications of computer matching for the privacy rights of individuals.

Today and tomorrow, I hope to pursue the questions of what is being done and what remains to be done in order to protect the Government and private concerns from losses suffered through the abuse of their computer systems.

Reflection upon the pervasiveness of computers in our society and upon recent accounts of the abuse of these computers makes clear the imperative to attend to the security of these systems. The rapid evolution, diversification, and application of computers in business, banking, the Government, and the home have worked a