
Critical Infrastructure Protection: Significant Challenges in Developing National Capabilities

GAO-01-323 Published: Apr 25, 2001. Publicly Released: May 22, 2001.

Highlights

To better protect the nation's critical computer-dependent infrastructures from computer-based attacks and disruption, the President issued Presidential Decision Directive (PDD) 63 in 1998. The directive established the National Infrastructure Protection Center as a national focal point for gathering information on threats and facilitating the federal government's response to computer-based incidents. This report evaluates the center's progress in (1) developing national capabilities for analyzing cyber threat and vulnerability data and issuing warnings, (2) enhancing its capabilities for responding to cyber attacks, and (3) developing outreach and information-sharing initiatives with government and private-sector entities. GAO found that although the center has taken some steps to develop analysis and warning capabilities, the strategic capabilities described in PDD 63 have not been achieved. The center has provided important support to the Federal Bureau of Investigation's investigations of computer crimes by coordinating investigations and providing technical assistance. The center has also developed crisis management procedures and drafted an emergency law enforcement sector plan, which is now being reviewed by sector members. The center's information-sharing relationships are still evolving and will probably have limited effectiveness until reporting procedures and thresholds are defined and trust relationships are established.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Office of the Assistant to the President for National Security Affairs On the basis of the criteria provided in PDD 63 and related plans, the Assistant to the President for National Security Affairs, in coordination with pertinent executive agencies, should establish a capability for strategic analysis of computer-based threats, including developing a related methodology, acquiring staff expertise, and obtaining infrastructure data.
Closed – Not Implemented
The office agreed with the recommendation. In February 2003, the National Strategy to Secure Cyberspace transferred responsibility for strategic analysis to DHS. It states DHS will lead and synchronize efforts for the National Cyberspace Security Response System as part of its overall information sharing and crisis coordination mandate, including strategic analysis. In addition, Homeland Security Presidential Directive 7 (paragraph 33) requires DHS to develop a national indications and warnings architecture to facilitate the identification of indicators and precursors to attack. In May 2005, GAO reported that DHS' National Cyber Security Division was in the early stages of providing strategic analytical capabilities that included federal government networks, but not private sector networks. Officials acknowledged that DHS' current analytical capabilities were not expected to provide national-level indicators and precursors to a cyber attack. In addition, GAO reported that DHS faces the same challenges GAO reported in 2001 relating to developing a strategic analysis and warning capability and that officials had taken little action to establish this capability.
Office of the Assistant to the President for National Security Affairs On the basis of the criteria provided in PDD 63 and related plans, the Assistant to the President for National Security Affairs, in coordination with pertinent executive agencies, should develop a comprehensive governmentwide data-collection and analysis framework and ensure that national watch and warning operations for computer-based attacks are supported by sufficient staff and resources.
Closed – Implemented
The office agreed with the recommendation. In February 2003, the National Strategy to Secure Cyberspace transferred responsibility for analysis to DHS. It states DHS will lead and synchronize efforts for the National Cyberspace Security Response System as part of its overall information sharing and crisis coordination mandate. In addition, Homeland Security Presidential Directive 7 (paragraph 33) requires DHS to develop a national indications and warnings architecture to facilitate the identification of indicators and precursors to attack. GAO reported in May 2005 that DHS had made progress in providing analysis and warning capabilities through its involvement in the US-CERT by providing continuous operational support in monitoring the status of systems and networks. For example, US-CERT had initiated a pilot program that provides a framework for gathering governmentwide data for analytical purposes. In addition, it had resources to operate a number of components to coordinate all cyber incident warnings and responses across government and the private sector, including a 24-hour-a-day/7-day-a-week operations center.
Office of the Assistant to the President for National Security Affairs On the basis of the criteria provided in PDD 63 and related plans, the Assistant to the President for National Security Affairs, in coordination with pertinent executive agencies, should clearly define the role of the NIPC in relation to other government and private-sector entities, including (1) lines of authority among the NIPC and the National Security Council, Justice, the FBI, and other entities, (2) the NIPC's integration into the national warning system, and (3) protocols that articulate how and under what circumstances the NIPC would be placed in a support function to either the DOD or the intelligence community.
Closed – Implemented
The office agreed with the recommendation. Subsequent to GAO's review, actions occurred that clarified the role of the National Infrastructure Protection Center's (NIPC) functions in relation to other government functions. First, the Homeland Security Act of 2002 established DHS' responsibilities for critical infrastructure protection and transferred most of the NIPC's functions to DHS. Second, Homeland Security Presidential Directive (HSPD) 7 defined the roles and responsibilities of federal departments and agencies in regard to security of cyberspace, including (1) DHS continuing to have an organization to serve as a focal point for federal and nonfederal efforts and (2) other federal entities, including the Departments of Justice and Defense, collaborating and supporting the DHS organization. Third, the National Response Plan's Cyber Annex describes the framework for Federal cyber incident response coordination among Federal departments and agencies and, upon request, state, local, tribal, and private-sector entities. In addition, the cyber annex articulated the roles and responsibilities related to securing cyberspace and coordinating incident response for the federal entities, including the Departments of Defense, Homeland Security (National Cyber Security Division), Justice (including the Federal Bureau of Investigation), and the United States Secret Service and National Security Council. In addition, the Interim National Infrastructure Protection Plan, issued in February 2005, establishes a national organizational structure to provide effective partnerships, communications, and coordination between DHS and infrastructure stakeholders.
Office of the Assistant to the President for National Security Affairs As the national strategy for critical infrastructure protection is reviewed and possible changes considered, the Assistant to the President for National Security Affairs should define the NIPC's responsibilities for monitoring reconstitution.
Closed – Implemented
The office agreed with GAO's recommendation. Subsequent to GAO's review, actions occurred that clarified the role of the National Infrastructure Protection Center's (NIPC) functions relating to monitoring reconstitution. First, the Homeland Security Act of 2002 established DHS' responsibilities for critical infrastructure protection and transferred most of the NIPC's functions to DHS. Second, the Homeland Security Presidential Directive (HSPD) 7 (paragraph 16) transferred responsibility for assisting in the recovery efforts for critical infrastructure information systems to the DHS. Third, the National Response Plan's Cyber Annex describes the framework for Federal cyber incident response coordination among Federal departments and agencies and, upon request, State, local, tribal, and private-sector entities. Among other things, the cyber annex articulated DHS' roles and responsibilities related to securing cyberspace and coordinating incident response for the federal entities, including aiding national recovery efforts for critical infrastructure information systems.
Office of the Assistant to the President for National Security Affairs To develop the information-sharing goals identified in PDD 63 and related plans, the Assistant to the President for National Security Affairs should (1) direct the federal agencies and encourage the private sector to better define the types of information that are necessary and appropriate to exchange in order to combat computer-based attacks and procedures for performing such exchanges, (2) initiate development of a strategy for identifying assets of national significance that includes coordinating efforts already underway, such as those at DOD and Commerce, and (3) resolve discrepancies between PDD 63 requirements and guidance provided by the federal Chief Information Officers Council regarding computer incident reporting by federal agencies.
Closed – Implemented
The office agreed with the recommendation. Subsequent to GAO's work, additional law and guidance were established that address information sharing. The Homeland Security Act of 2002 and Homeland Security Presidential Directive 7 establish information-sharing responsibilities for DHS. In July 2004, GAO reported that DHS was developing an information sharing plan to document current information-sharing relationships, goals for improving information sharing, and methods for measuring progress. According to a DHS official, this plan will be made a part of the next version of the National Infrastructure Protection Plan that is expected to be completed in November 2005. Regarding a strategy for the identification of significant assets, in February 2003, the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets was released; it established a strategy for developing a comprehensive, prioritized assessment of facilities, systems, and functions of national-level criticality across the infrastructure sectors. As part of this strategy, DHS was identified as the agency responsible for cross-sector coordination. Regarding the reporting of computer incidents by federal agencies, at the time of GAO's review, federal agencies were required to report incidents to GSA's Federal Computer Incident Response Capability (FedCIRC), and not necessarily the NIPC, which was at the Federal Bureau of Investigation. According to DHS, this was resolved by the transfer of the functions and resources of both FedCIRC and the NIPC to DHS. In addition, DHS held a Policy Coordination Committee, where the Office of Management and Budget established that DHS was responsible for FedCIRC's responsibilities.
Directorate of Information Analysis and Infrastructure Protection The Attorney General should task the FBI Director to require the NIPC Director to develop a comprehensive written plan for establishing analysis and warning capabilities that integrates existing planning elements and includes milestones and performance measures.
Closed – Not Implemented
Per the Homeland Security Act of 2002, this responsibility is transferred to the Department of Homeland Security (DHS). Homeland Security Presidential Directive 7 (HSPD 7), issued by the President on 12/17/2003, directs DHS to produce a comprehensive National Plan for Critical Infrastructure and Key Resources Protection. HSPD 7 specifies many requirements for the plan, including many of those in GAO's recommendations. In February 2005, DHS issued the Interim National Infrastructure Protection Plan that begins to address this recommendation, but this plan does not provide a comprehensive plan for establishing analysis and warning capabilities that integrates existing elements or includes milestones and performance measures.
Directorate of Information Analysis and Infrastructure Protection The Attorney General should task the FBI Director to require the NIPC Director to develop a comprehensive written plan for establishing analysis and warning capabilities that integrates existing planning elements and includes approaches (or strategies) and the various resources needed to achieve the goals and objectives.
Closed – Not Implemented
Per the Homeland Security Act of 2002, this responsibility is transferred to the Department of Homeland Security (DHS). Homeland Security Presidential Directive 7 (HSPD 7), issued by the President on 12/17/2003, directs DHS to produce a comprehensive National Plan for Critical Infrastructure and Key Resources Protection. HSPD 7 specifies many requirements for the plan, including many of those in GAO's recommendations. In February 2005, DHS issued the Interim National Infrastructure Protection Plan that begins to address this recommendation, but this plan does not provide a comprehensive plan for establishing analysis and warning capabilities that integrates existing planning elements and includes approaches and the various resources needed to achieve the goals and objectives.
Directorate of Information Analysis and Infrastructure Protection The Attorney General should task the FBI Director to require the NIPC Director to develop a comprehensive written plan for establishing analysis and warning capabilities that integrates existing planning elements and includes a description of the relationship between the long-term goals and objectives and the annual performance goals.
Closed – Not Implemented
Per the Homeland Security Act of 2002, this responsibility is transferred to the Department of Homeland Security (DHS). Homeland Security Presidential Directive 7 (HSPD 7), issued by the President on 12/17/2003, directs DHS to produce a comprehensive National Plan for Critical Infrastructure and Key Resources Protection. HSPD 7 specifies many requirements for the plan, including many of those in GAO's recommendations. In February 2005, DHS issued the Interim National Infrastructure Protection Plan that begins to address this recommendation, but this plan does not provide a comprehensive plan for establishing analysis and warning capabilities that integrates existing planning elements and includes a description of the relationship between the long-term goals and objectives and the annual performance goals.
Directorate of Information Analysis and Infrastructure Protection The Attorney General should task the FBI Director to require the NIPC Director to develop a comprehensive written plan for establishing analysis and warning capabilities that integrates existing planning elements and includes a description of how program evaluations could be used to establish or revise strategic goals, along with a schedule for future program evaluations.
Closed – Not Implemented
Per the Homeland Security Act of 2002, this responsibility is transferred to the Department of Homeland Security (DHS). Homeland Security Presidential Directive 7 (HSPD 7), issued by the President on 12/17/2003, directs DHS to produce a comprehensive National Plan for Critical Infrastructure and Key Resources Protection. HSPD 7 specifies many requirements for the plan, including many of those in GAO's recommendations. In February 2005, DHS issued the Interim National Infrastructure Protection Plan that begins to address this recommendation, but this plan does not provide a comprehensive plan for establishing analysis and warning capabilities that integrates existing planning elements and includes a description of how program evaluations could be used to establish or revise strategic goals, along with a schedule for future program evaluations.
Directorate of Information Analysis and Infrastructure Protection To ensure that the NIPC develops the response, investigative and crisis management capabilities required by PDD 63, the Attorney General should direct the FBI Director to task the NIPC Director to ensure that the Special Technologies and Applications Unit has access to the computer and communications resources necessary to analyze data associated with the increasing number of complex investigations.
Closed – Implemented
The agency agreed with the recommendation. In February 2004, an FBI official reported that in 2002, the Cyber Division was formed through a reorganization initiated by the FBI's Director. As a result, the Special Technologies and Applications Unit evolved into the Special Technologies and Applications Section, which is comprised of the Infrastructure and Engineering Unit, Special Technologies Research and Development Unit, the Technology Analysis Unit, and the Cyber Operations/Deployment Unit. This new section supports the FBI criminal, counter-terrorism and counterintelligence computer intrusion and related investigations with all necessary equipment and technical tools. GAO observed the operations of the section's new facility and verified the existence of the additional capabilities and that it had access to the computer and communications resources necessary for its mission.
Directorate of Information Analysis and Infrastructure Protection To ensure that the NIPC develops the response, investigative and crisis management capabilities required by PDD 63, the Attorney General should direct the FBI Director to task the NIPC Director to monitor implementation of the new performance measures to ensure that they result in field offices' fully reporting information on potential computer crimes to the NIPC.
Closed – Implemented
The basis for this recommendation was to ensure that Federal Bureau of Investigation (FBI) field offices reported information on potential computer crimes to the NIPC. The Homeland Security Act of 2002 transferred to DHS the NIPC's functions, other than the Computer Investigations and Operations Section. Under Homeland Security Presidential Directive 7, the Department of Justice, including the FBI, is responsible for, among other things, investigating and prosecuting actual or attempted disruptions of critical infrastructure. In addition, they are to cooperate and coordinate with DHS. In May 2005, GAO reported on DHS efforts to reduce threats by enhancing its collaboration with the law enforcement community; these efforts included (1) having an FBI detail assigned to the National Cyber Security Division (NCSD) to facilitate information sharing between the FBI and the NCSD on potential computer crimes and ensure that all appropriate information is being shared and (2) supporting a secure, internet-based information-mechanism to allow members of the law enforcement community to discuss issues related to cyber crime and threat reduction. According to DHS officials, these efforts have increased the interaction and information shared between law enforcement, including between the FBI and NCSD. These actions fulfill the intent of the recommendation to have appropriate information sharing from law enforcement to the infrastructure protection community.
Directorate of Information Analysis and Infrastructure Protection To ensure that the NIPC develops the response, investigative and crisis management capabilities required by PDD 63, the Attorney General should direct the FBI Director to task the NIPC Director to complete development of the emergency law enforcement plan, after comments are received from law enforcement sector members.
Closed – Implemented
In August 2002, the Emergency Law Enforcement Services (ELES) coordinator stated that the ELES Sector Critical Infrastructure Protection Plan and Guide, dated February 2001, for state and local law enforcement were accepted by the White House as the ELES Sector part of the National Infrastructure Protection Plan.
Directorate of Information Analysis and Infrastructure Protection To ensure that the NIPC develops the response, investigative and crisis management capabilities required by PDD 63, the Attorney General should direct the FBI Director to direct the NIPC Director to (1) formalize relationships between the NIPC and other federal entities, including DOD and the Secret Service, and private-sector Information Sharing and Analysis Centers (ISAC) so that a clear understanding of what is expected from the respective organization exists, (2) develop a plan to foster the two-way exchange of information between the NIPC and the ISACs, and (3) ensure that the Key Asset Initiative is integrated with other similar federal activities.
Closed – Implemented
Subsequent to GAO's work, additional law and guidance were established that address this recommendation. Regarding formalizing relationships, Homeland Security Presidential Directive (HSPD) 7 defined roles and responsibilities for federal departments and agencies, as sector-specific agencies and others, regarding critical infrastructure protection efforts and required them to collaborate with and support private sector efforts. In addition, in February 2005, the Interim National Infrastructure Protection Plan (NIPP) established a national organizational structure to formalize the relationships among federal entities and between federal and nonfederal entities. Regarding information sharing planning, GAO reported in July 2004 that DHS was developing an information sharing plan to document current information-sharing relationships, goals for improving information sharing, and methods for measuring progress. According to a DHS official, this plan will be made a part of the next version of the National Infrastructure Protection Plan that is expected to be completed in November 2005. Regarding a strategy for the identification of significant assets, Homeland Security Presidential Directive 7 directs federal departments and agencies to identify critical infrastructure and key resources and requires DHS to take a leadership role in efforts to carry out the directive. In addition, the Interim NIPP established a goal to develop and maintain a comprehensive inventory of critical assets that is to be implemented by both sector-specific agencies and DHS.


Topics

Computer crimes, Computer security, Counterterrorism, Emergency preparedness, Federal computer incident response capability, Homeland security, Information resources management, Interagency relations, Performance measures, Terrorism, Trojan horses, Critical infrastructure protection