Challenges in Developing a Public/Private Recovery Plan
GAO-08-212T: Published: Oct 23, 2007. Publicly Released: Oct 23, 2007.
Since the early 1990s, growth in the use of the Internet has revolutionized the way that our nation communicates and conducts business. While the Internet originated as a U.S. government-sponsored research project, the vast majority of its infrastructure is currently owned and operated by the private sector. Federal policy recognizes the need to prepare for debilitating Internet disruptions and tasks the Department of Homeland Security (DHS) with developing an integrated public/private plan for Internet recovery. GAO was asked to summarize its report on plans for recovering the Internet in case of a major disruption (GAO-06-672) and to provide an update on DHS's efforts to implement that report's recommendations. The report (1) identifies examples of major disruptions to the Internet, (2) identifies the primary laws and regulations governing recovery of the Internet in the event of a major disruption, (3) evaluates DHS plans for facilitating recovery from Internet disruptions, and (4) assesses challenges to such efforts.
A major disruption to the Internet could be caused by a physical incident (such as a natural disaster or an attack that affects key facilities), a cyber incident (such as a software malfunction or a malicious virus), or a combination of both physical and cyber incidents. Recent physical and cyber incidents, such as Hurricane Katrina, have caused localized or regional disruptions but have not caused a catastrophic Internet failure. Federal laws and regulations that address critical infrastructure protection, disaster recovery, and the telecommunications infrastructure provide broad guidance that applies to the Internet, but it is not clear how useful these authorities would be in helping to recover from a major Internet disruption. Specifically, key legislation on critical infrastructure protection does not address roles and responsibilities in the event of an Internet disruption. Other laws and regulations governing disaster response and emergency communications have never been used for Internet recovery. As of 2006, DHS had begun a variety of initiatives to fulfill its responsibility to develop an integrated public/private plan for Internet recovery, but these efforts were not yet comprehensive or complete. For example, the department had developed high-level plans for infrastructure protection and incident response, but the components of these plans that address the Internet infrastructure were not complete. As a result, the risk remained that the government was not adequately prepared to effectively coordinate public/private plans for recovering from a major Internet disruption. Key challenges to establishing a plan for recovering from Internet disruptions include (1) innate characteristics of the Internet that make planning for and responding to disruptions difficult, (2) lack of consensus on DHS's role and when the department should get involved in responding to a disruption, (3) legal issues affecting DHS's ability to provide assistance to restore Internet service, (4) reluctance of many in the private sector to share information on Internet disruptions with DHS, and (5) leadership and organizational uncertainties within DHS. Until these challenges are addressed, DHS will have difficulty achieving results in its role as a focal point for helping the Internet to recover from a major disruption. DHS has made progress in implementing GAO's recommendations by revising key plans in coordination with private industry infrastructure stakeholders, coordinating various Internet recovery-related activities, and addressing key challenges to Internet recovery planning. However, further work remains to complete these activities, including finalizing recovery plans and defining the interdependencies among DHS's various working groups and initiatives. Full implementation of these recommendations should enhance the nation's ability to recover from a major Internet disruption.