In-Depth

In Brief

New security legislation; the future of e-mail and IM security

• By Mathew Schwartz
• 09/15/2004

Congress to Give Government Agencies InfoSec Teeth?

Government agencies’ baseline information security stands to get a boost.

A proposed legislative amendment could require security become an essential part of government agencies’ capital procurement process. Vendors, as a result, would have to better secure their products or find another market.

So writes Forrester analyst Michael Rasmussen in a Forrester brief entitled “Proposed Clinger-Cohen Changes Aimed At Vendors As Well As U.S. Government.”

The amendment is part of H.R. 4570, part of a bill introduced by United States Rep. Adam Putnam (R-Fla.), the chairman of the subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census.

The bill seeks to amend the Clinger-Cohen Act, also known as the IT Management Reform Act of 1996. The bill was a landmark, paving the way for e-government by simplifying IT procurement, creating CIOs for each agency, and standardizing cross-agency IT definitions. According to Rasmussen, agencies rushed to create their own IT architectures, paving the way for e-government.

One section of Clinger-Cohen requires the Department of Commerce, via the National Institute of Standards and Technology, to enforce the security of government agencies. Yet “there were no particular teeth in the Clinger-Cohen Act,” he says, dubbing it “an unfunded mandate without teeth.” Government agencies cherry picked what they did—or didn’t—want to do.

By contrast, the proposed amendment would make security “a criterion in the IT capital planning and investment process.”

In short, “the legislation is a shot across the bow of the boat of IT vendors, warning them to integrate security into their products,” he says, putting security—and accountability for it—back into Clinger-Cohen.

The change should give the government more leverage when it comes to security. “With security as a criterion in IT purchasing, government spending can be used as an instrument of reform.” In other words, vendors can introduce secure products, or lose the ability to sell to the government.

What remains to be seen, however, is whether the government will require agencies to define their security requirements, then enforce those requirements. For now, he says, “the proposed amendment is a warning.”

- - -

The Future of E-mail and IM Security

E-mail and instant messaging (IM) may be ubiquitous in most organizations, but keeping it secure is far from easy. One in six organizations, for example, has been infected this year by a virus transmitted via instant messaging (IM).

Security managers say the toughest problem, however, is spam, followed by e-mail storage growth, remote-user support, and insufficient e-mail archiving.

Those results come from Osterman Research Inc., in a new report that predicts e-mail and IM security market trends from 2004 to 2007. Osterman surveyed organizations to determine prevailing use of antivirus, anti-spam, content filtering, secure e-mail, and other technologies, plus problems with those technologies, organizational drivers for adopting them, and how much organizations actually spend on them.

One interesting result: the most important criteria for purchasing antivirus software is “the length of time it takes for a vendor to issue an update after the outbreak of a new virus,” says Osterman.

Of course, spam is an organization's biggest self-identified e-mail problem. Interestingly, when it comes to stopping spam, larger organizations’ IT and security managers think legislation won’t be the answer. Smaller organizations, however, hope it will help.

Finally, the research found respondents want one-stop e-mail security. In other words, they want to replace a variety of best-of-breed solutions for such things as anti-spam and antivirus, with a single, software-based product run on internal servers that takes less time to manage. Osterman says respondents viewed an alternative—managed service providers—with distrust, seeing potential for increased costs and decreased messaging security.