The Accountant's Role in Enhancing Computer Security


January 31, 2000 (SmartPros) Computer security is in the news. Not a day goes by when we do not hear about a security breach ranging from innocent intrusions to serious breaches of national security and confidential information. The globalization of financial markets, the spread of advanced technologies, and the rapid diffusion of information have combined to produce an increasingly interdependent world.



That interdependence carries with it the potential for disaster if security is breached: Trading on the stock exchange may be halted due to a computer "malfunction." The Social Security System may fail to send checks to the proper people. Air traffic control systems may be disabled, causing near-miss mid-air collisions. Salary and other payments may end up in unnumbered accounts in Zurich. Income security payments may be diverted to special accounts in the Cayman Islands. Confidential patient information may end up in the tabloids. Telecommunications may be intercepted by foreign agents. It is the stuff that high drama is made of.

A Clear and Present Danger
Advances in information technology (IT) offer unprecedented opportunities as well as new challenges. The cost of owning and operating increasingly powerful computers has dropped dramatically over the past several decades.

The availability of IT products with ever increasing computing, communication, and storage capacities has contributed to the integration of computers into modern daily life. The growing spread of computers and their associated networks has propelled the world into the information age.

These interconnected computer networks have revolutionized our lives and, at the same time, they may foster cyber attacks on a massive scale.

Cyber terrorism acts to destroy data in cyberspace or cause disruption in the cyber and the physical worlds. This cyber violence can disrupt major systems of national importance to the economy, public health and welfare, telecommunications, and defense. The National Research Council has stated that "tomorrow's terrorists may be able to do more damage with a keyboard than with a bomb."

Today, "cruise viruses" exist to capture specific passwords, steal specific information, or destroy a specific hard disk drive or system. These are the software equivalent of the intelligent cruise missile.

Loopholes in the System
Deficiencies in federal information security are a growing concern. The General Accounting Office (GAO) has designated information security as a government-wide high-risk area. Malicious attacks on computer systems are an increasing threat to our national welfare. Our reliance on interconnected systems to control critical functions such as communications, financial services, transportation, utilities, and health services makes these systems much more vulnerable to anonymous intruders, who may manipulate data to commit fraud, obtain sensitive information, severely disrupt operations, or deny authorized users access to systems.

Poor security management may place billions of dollars worth of assets at risk of loss and vast amounts of sensitive data at risk of unauthorized access and disclosure. There is even evidence that some organizations are developing strategies and tools for conducting premeditated attacks on information systems.

According to a recent statement by the Director of the National Security Agency, attacks on public and private systems occur every day. For example, hackers used tools and techniques readily available on Internet bulletin boards to attack systems at the Department of Defense. Media reports on intrusions, fraud, and sabotage abound, and, in a recent survey conducted by the Computer Security Institute in cooperation with the Federal Bureau of Investigation, 64 percent of the 520 respondents from the private and public sector reported computer security breaches within the last 12 months.

This is a 16 percent increase in security breaches over those reported in a similar survey in 1997 and a 22 percent increase over those reported in 1996.

Federal agency computer systems are already under attack. Fifty-three percent of federal government computer security managers reported unauthorized use of their systems. Defense Information Systems Agency data implies that the Department of Defense may have experienced as many as 250,000 attacks, of which 65 percent were successful. The CIA has warned Congress that several foreign governments are developing information warfare programs and that terrorist groups are watching how the United States responds to hacker attacks on government systems to plan their own cyber attacks.

The Accountant's Role
Primarily due to the requirement to have audited financial statements, auditors and accountants have a much more proactive role to play in helping managers assess the general controls in an IT environment. Accountants and other financial managers should be "at the table" and lend a voice to help management ensure that general computer security controls are in place. These general controls include:

  • Security Planning and Management. These are the management procedures and organizational framework for identifying and assessing risks, deciding what policies and controls are needed, periodically evaluating the effectiveness of these policies and controls, and acting to address any identified weaknesses.
  • Access Controls. These controls limit or detect inappropriate access to computer resources, including data, equipment and facilities, thereby protecting these resources from unauthorized modification, loss and disclosure.
  • Application Software Development and Change Controls. These controls prevent unauthorized software programs or modifications to programs from being implemented.
  • Segregation of Duties. These are the policies, procedures and organizational structure that help ensure that one individual cannot independently control all key aspects of a process or computer-related operation and thereby conduct unauthorized actions or gain unauthorized access to assets or records without detection.
  • System Software Controls. These controls limit and monitor access to the powerful programs and sensitive files associated with the computer systems operations.
  • Service Continuity Controls. These controls ensure that when unexpected events occur, critical operations continue without undue interruption and critical and sensitive data are protected.

These controls affect the overall effectiveness and security of computer operations. They are intended to:

  1. protect data, files and programs from unauthorized access, modification, and destruction.
  2. prevent the introduction of unauthorized changes to systems and applications software.
  3. ensure that system software development and maintenance, application software development and maintenance, computer operations, security, and quality assurance functions are performed by different people.
  4. ensure recovery of computer processing operations in case of a disaster or other unexpected interruption.
  5. ensure that an adequate computer security planning and management program is in place.

Accountants are uniquely qualified to help management conduct internal control reviews to ensure that adequate IT security plans exist and are followed. They are trained and experienced with internal controls. Accountants can help agency management understand the interrelated components of internal control. They include:

  1. Control environment, which sets the tone of an organization, influencing the control consciousness of its people.
  2. Risk assessment, which is the entity's identification and analysis of the relevant risks to achieving its objectives. This assessment helps form the basis for determining how the risks should be managed.
  3. Control activities, which are the policies and procedures that help ensure that management directives are carried out.
  4. Information and communication activities, which identify, capture, and exchange information in a form and time frame that enables people to carry out their responsibilities.
  5. Monitoring, which is a process that assesses the quality of internal controls over time.

These internal controls help provide reasonable assurance that the objectives of the agency are being achieved in the following categories:

  • Effectiveness and efficiency of operations, including the use of the entity's resources.
  • Reliability of financial reporting, including reports on budget execution, financial statements, and other reports for internal and external use.
  • Compliance with applicable laws and regulations.

An important implication of these standards is the safeguarding of agency assets against unauthorized acquisition, use, or disposition. Thus, internal control standards include the reasonable assurance that agency computer systems are secured against unauthorized acquisition, use or disposition.

The End Game
Threats to federal computer systems are real. The drama played out in techno-thrillers is today's reality. Federal managers must protect IT systems from cyber threats from within and outside the agency. Accountants and other financial managers have an important role to play and may add value to the process by helping agency management:

  • conduct an appropriate computer security risk assessment.
  • create and define a life cycle computer security program, establish strategic direction, assign specific responsibilities, and communicate the plan to all affected stakeholders.
  • select safeguards and implement controls to address the computer security risk.
  • reassess computer security risk and re-establish safeguards and controls based on the existing risk.

2000, Smartpros Ltd. All Rights Reserved.
