Computer Security Act of 1987 (Major Acts of Congress)
Derrek M. Davis
Personal computers (PCs) have brought about an information revolution. The PC has become a universal tool for developing, storing, and accessing information. The Internet has also grown exponentially, connecting computers together worldwide, and creating an "information superhighway" for the transmission of PC users' thoughts and ideas. This information revolution, in turn, has led to a high level of hacker activity and other abuses that disrupt the system. All of these events created concern in the federal government, one of the largest computer users in the country, over the security of its computer systems and the information housed within them. To further exacerbate the situation, federal employees lacked training in security technology, and the government had not created a central authority responsible for setting standards and policies for its computer security. This situation prompted Congress and federal agencies to address the rising concern over computer security in the federal government.
By the mid-1980s Congress passed several pieces of legislation attempting to address the issue of computer security. The Computer Fraud and Abuse Act, for example, made it a federal offense to either knowingly access a computer without authorization, or to have proper authorization and use a computer for unauthorized purposes. The legislators, however, made no attempt to create a central authority in the federal government responsible for computer security.
Originally, the Office of Management and Budget was responsible for computer security policy, the National Security Agency (NSA) was responsible for securing classified information, and the Department of Commerce had responsibility for setting computer and processing standards for federal government computers, but no central authority existed to coordinate the efforts of these three government agencies. Seeing this problem, in 1984 President Ronald Reagan issued National Security Decision Directive 145, the National Policy on Telecommunications and Automated Information Systems Security, handing control of security for government computer systems to a National Telecommunications and Information Systems Security Council composed primarily of defense and intelligence agencies. This directive, however, was controversial and subject to widespread criticism. Nevertheless, the growing need for a central authority led Congress to act.
After numerous hearings on the subject of computer security and information privacy, Representative Dan Glickman of Kansas introduced the Computer Security and Training Act of 1985, to place the duty of computer security training and standards under the authority of the National Bureau of Standards. This bill failed and Representative Glickman introduced a second bill, the Computer Security Act of 1987 (CSA) (P.L. 100-235, 101 Stat. 1724), this time addressing four major concerns: federal government computer security, the role of the NSA, a new sensitive but unclassified information classification, and the lack of training government employees had in the use of federal computers containing sensitive information. In short, this bill sought to improve the security and privacy of sensitive information in federal computer systems and it ultimately won comprehensive approval and became law in 1987.
The passage of the Computer Security Act (CSA) did not, however, clarify the role of the government's actions in technology security, and the NSA continued to seek a more active role in setting governmental security standards than Congress originally intended. In 1994 President Clinton issued Presidential Decision Directive 29, a directive that created a Security Policy Board. This Board proposed that the President consolidate all government computer security activities by placing them under the auspices of the NSA. In 2001, President George W. Bush disbanded this Board and transferred its duties to the Policy Coordination Committees, which include the Records Access and Information Security Committee under the authority of the NSA.
These changes led Congress to reconsider the CSA in an effort to reaffirm the role of a single agency for the purposes of establishing computer security standards. Congress sought to amend the act with the Computer Security Enhancement Acts of 1997, 1999, and 2001, bills designed to address technological advancements that had occurred since 1987 and to reaffirm a single agency to lead computer security activities. Each measure passed the House and made its way through the Senate subcommittees, but none reached the Senate Floor for a vote. There have since been no new attempts to amend the Computer Security Act.
The CSA provided a clear framework for the establishment of federal government security standards. Since this time, however, it is apparent that the defense and intelligence communities, led by the executive branch and the NSA, have made attempts to change its framework. It appears the security of government computers falls into an uncertain realm where both the executive and legislative branches seek to gain authority and to control security activity. Unless these two branches of government make a concerted effort to centralize the security of federal computer systems, no real coordination of efforts will occur and governmental systems could remain insecure.
See also: COUNTERFEIT ACCESS DEVICE AND COMPUTER FRAUD AND ABUSE ACT OF 1984; ELECTRONIC COMMUNICATIONS PRIVACY ACT OF 1986.