This is the accessible text file for GAO report number GAO-06-1087T 
entitled 'Critical Infrastructure Protection: DHS Leadership Needed to 
Enhance Cybersecurity' which was released on September 14, 2006. 


This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 

GAO: 

Testimony: 

Before the House Committee on Homeland Security, Subcommittee on 
Economic Security, Infrastructure Protection, and Cybersecurity: 

For Release on Delivery: 

Expected at 3 p.m. EDT Wednesday, September 13, 2006: 

Critical Infrastructure Protection: 

DHS Leadership Needed to Enhance Cybersecurity: 

Statement of David A. Powner Director, Information Technology 
Management Issues: 

GAO-06-1087T: 

GAO Highlights: 

Highlights of GAO-06-1087T, a testimony before the House Committee on 
Homeland Security, Subcommittee on Economic Security, Infrastructure 
Protection, and Cybersecurity 

Why GAO Did This Study: 

Increasing computer interconnectivity has revolutionized the way that 
our nation and much of the world communicate and conduct business. 
While the benefits have been enormous, this widespread 
interconnectivity also poses significant risks to our nation's computer 
systems and, more importantly, to the critical operations and 
infrastructures they support. The Homeland Security Act of 2002 and 
federal policy establish DHS as the focal point for coordinating 
activities to protect the computer systems that support our nation’s 
critical infrastructures. GAO was asked to summarize recent reports on 
(1) DHS's responsibilities for cybersecurity-related critical 
infrastructure protection and for recovering the Internet in case of a 
major disruption, (2) challenges facing DHS in addressing its 
cybersecurity responsibilities, including leadership challenges, and 
(3) recommendations to improve the cybersecurity of national critical 
infrastructures, including the Internet. 

What GAO Found: 

In 2005 and 2006, GAO reported that DHS had initiated efforts to 
address its responsibilities for enhancing the cybersecurity of 
critical infrastructures, but that more remained to be done. 
Specifically, in 2005, GAO reported that DHS had initiated efforts to 
fulfill 13 key cybersecurity responsibilities, but it had not fully 
addressed any of them. For example, DHS established forums to foster 
information sharing among federal officials with information security 
responsibilities and among various law enforcement entities, but had 
not developed national threat and vulnerability assessments for 
cybersecurity. Since that time, DHS has made progress on its 13 key 
responsibilities—including the release of its National Infrastructure 
Protection Plan—but none have been completely addressed. Moreover, in 
2006, GAO reported that DHS had begun a variety of initiatives to 
fulfill its responsibility to develop an integrated public/private plan 
for Internet recovery, but these efforts were not complete or 
comprehensive. For example, DHS established working groups to 
facilitate coordination among government and industry infrastructure 
officials and fostered exercises in which government and private 
industry could practice responding to cyber events, but many of its 
efforts lacked timeframes for completion and the relationships among 
its various initiatives were not evident. 

DHS faces a number of challenges that have impeded its ability to 
fulfill its cybersecurity responsibilities, including establishing 
effective partnerships with stakeholders, demonstrating the value it 
can provide to private sector infrastructure owners, and reaching 
consensus on DHS’s role in Internet recovery and on when the department 
should get involved in responding to an Internet disruption. DHS faces 
a particular challenge in attaining the organizational stability and 
leadership it needs to gain the trust of other stakeholders in the 
cybersecurity world—including other government agencies as well as the 
private sector. In May 2005, we reported that multiple senior DHS 
cybersecurity officials had recently left the department. In July 2005, 
DHS undertook a reorganization which established the position of the 
Assistant Secretary of Cyber Security and Telecommunications—in part to 
raise the visibility of cybersecurity issues in the department. 
However, over a year later, this position remains vacant. 

To strengthen DHS’s ability to implement its cybersecurity 
responsibilities and to resolve underlying challenges, GAO has made 
about 25 recommendations over the last several years. These 
recommendations focus on the need to (1) conduct threat and 
vulnerability assessments, (2) develop a strategic analysis and warning 
capability for identifying potential cyber attacks, (3) protect 
infrastructure control systems, (4) enhance public/private information 
sharing, and (5) facilitate recovery planning, including recovery of 
the Internet in case of a major disruption. These recommendations 
provide a high-level road map for DHS to use to help improve our 
nation’s cybersecurity posture. Until they are addressed, DHS will have 
difficulty achieving results as the federal cybersecurity focal point. 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-1087T]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact David Powner at (202) 512-9286 
or pownerd@gao.gov. 

[End of Section] 

Mr. Chairman and Members of the Subcommittee: 

Thank you for the opportunity to join in today's hearing on the need 
for leadership in protecting our nation's critical infrastructures from 
cybersecurity threats. Increasing computer interconnectivity--most 
notably growth in the use of the Internet--has revolutionized the way 
that our government, our nation, and much of the world communicate and 
conduct business. While the benefits have been enormous, this 
widespread interconnectivity also poses significant risks to the 
government's and our nation's computer systems and, more importantly, 
to the critical operations and infrastructures they support. 

Federal regulation establishes the Department of Homeland Security 
(DHS) as the focal point for the security of cyberspace--including 
analysis and warning, information sharing, vulnerability reduction, and 
recovery efforts for public and private critical infrastructure 
information systems.[Footnote 1] Additionally, federal policy 
recognizes the need to be prepared for the possibility of debilitating 
Internet disruptions and--because the vast majority of the Internet's 
infrastructure is owned and operated by the private sector--tasks DHS 
with developing an integrated public/private plan for Internet 
recovery.[Footnote 2] 

As requested, our testimony will summarize our recent work on (1) DHS's 
responsibilities for cybersecurity-related critical infrastructure 
protection and, more specifically, its responsibilities for recovering 
the Internet in case of a major disruption, (2) challenges facing DHS 
in addressing its cybersecurity responsibilities, including leadership 
challenges, and (3) recommendations to improve the cybersecurity of 
national critical infrastructures, including the Internet. In preparing 
for this testimony, we relied on our previous reports on the challenges 
faced by DHS in fulfilling its cybersecurity responsibilities and in 
facilitating the recovery of the Internet in case of a major 
disruption.[Footnote 3] These reports contain detailed overviews of the 
scope and methodology we used. All of the work on which this testimony 
is based was performed in accordance with generally accepted government 
auditing standards. 

Results in Brief: 

As the focal point for critical infrastructure protection, DHS has many 
cybersecurity-related responsibilities that are called for in law and 
policy. In 2005 and 2006, we reported that DHS had initiated efforts to 
address these responsibilities, but that more remained to be 
done.[Footnote 4] Specifically, in 2005, we reported that DHS had 
initiated efforts to fulfill 13 key cybersecurity responsibilities, but 
it had not fully addressed any of them. For example, DHS established 
forums to foster information sharing among federal officials with 
information security responsibilities and among various law enforcement 
entities, but had not developed national threat and vulnerability 
assessments for cybersecurity. Since that time, DHS has made progress 
on its responsibilities--including the release of its National 
Infrastructure Protection Plan--but none has been completely addressed. 
Moreover, in 2006, we reported that DHS had begun a variety of 
initiatives to fulfill its responsibility to develop an integrated 
public/private plan for Internet recovery, but that these efforts were 
not complete or comprehensive. For example, DHS had established working 
groups to facilitate coordination among government and industry 
infrastructure officials and fostered exercises in which government and 
private industry could practice responding to cyber events, but many of 
its efforts lacked timeframes for completion and the relationships 
among its various initiatives were not evident. 

DHS faces a number of challenges that have impeded its ability to 
fulfill its cybersecurity responsibilities, including establishing 
effective partnerships with stakeholders, achieving two-way information 
sharing with stakeholders, demonstrating the value it can provide to 
private sector infrastructure owners, and reaching consensus on DHS's 
role in Internet recovery and on when the department should get 
involved in responding to an Internet disruption. DHS faces a 
particular challenge in attaining the organizational stability and 
leadership it needs to gain the trust of other stakeholders in the 
cybersecurity world--including other government agencies as well as the 
private sector. In May 2005, we reported that multiple senior DHS 
cybersecurity officials had recently left the department. In July 2005, 
DHS undertook a reorganization which established the position of the 
Assistant Secretary of Cyber Security and Telecommunications--in part 
to raise the visibility of cybersecurity issues in the department. 
However, over a year later, this position remains vacant. While DHS 
stated that the lack of a permanent assistant secretary has not 
hampered its efforts related to protecting critical infrastructures, 
several private-sector representatives stated that DHS's lack of 
leadership in this area has limited its progress. 

To strengthen DHS's ability to implement its cybersecurity 
responsibilities and to resolve underlying challenges, GAO has made 
about 25 recommendations over the last several years. These 
recommendations focus on the need to (1) conduct important threat and 
vulnerability assessments, (2) develop a strategic analysis and warning 
capability for identifying potential cyber attacks, (3) protect 
infrastructure control systems, (4) enhance public/private information 
sharing, and (5) facilitate recovery planning, including recovery of 
the Internet in case of a major disruption. Together, the 
recommendations provide a high-level road map for DHS to use in working 
to improve our nation's cybersecurity posture. Until it addresses these 
recommendations, DHS will have difficulty achieving results in its role 
as the federal focal point for the cybersecurity of critical 
infrastructures--including the Internet. 

Background: 

The same speed and accessibility that create the enormous benefits of 
the computer age can, if not properly controlled, allow individuals and 
organizations to inexpensively eavesdrop on or interfere with computer 
operations from remote locations for mischievous or malicious purposes, 
including fraud or sabotage. In recent years, the sophistication and 
effectiveness of cyberattacks have steadily advanced. These attacks 
often take advantage of flaws in software code, circumvent signature-based 
tools[Footnote 5] that commonly identify and prevent known 
threats, and use social engineering techniques designed to trick the 
unsuspecting user into divulging sensitive information or propagating 
attacks. 

Government officials are increasingly concerned about attacks from 
individuals and groups with malicious intent, such as crime, terrorism, 
foreign intelligence-gathering, and acts of war. As greater amounts of 
money are transferred through computer systems, as more sensitive 
economic and commercial information is exchanged electronically, and as 
the nation's defense and intelligence communities increasingly rely on 
commercially available information technology, the likelihood increases 
that information attacks will threaten vital national interests. 

Recent attacks and threats have further underscored the need to bolster 
the cybersecurity of our government's and our nation's computer systems 
and, more importantly, of the critical operations and infrastructures 
they support. Recent examples of attacks include the following: 

* In March 2005, security consultants within the electric industry 
reported that hackers were targeting the U.S. electric power grid and 
had gained access to U.S. utilities' electronic control systems. 
Computer security specialists reported that, in a few cases, these 
intrusions had "caused an impact." While officials stated that hackers 
had not caused serious damage to the systems that feed the nation's 
power grid, the constant threat of intrusion has heightened concerns 
that electric companies may not have adequately fortified their 
defenses against a potential catastrophic strike. 

* In January 2005, a major university reported that a hacker had broken 
into a database containing 32,000 student and employee social security 
numbers, potentially compromising their identities and finances. In 
similar incidents during 2003 and 2004, it was reported that hackers 
had attacked the systems of other universities, exposing the personal 
information of over 1.8 million people. 

* In June 2003, the U.S. government issued a warning concerning a virus 
that specifically targeted financial institutions. Experts said the 
BugBear.b virus was programmed to determine whether a victim had used 
an e-mail address for any of the roughly 1,300 financial institutions 
listed in the virus's code. If a match were found, the software 
attempted to collect and document user input by logging keystrokes and 
then provided this information to a hacker, who could use it in 
attempts to break into the banks' networks. 

* In January 2003, the Slammer worm infected more than 90 percent of 
vulnerable computers worldwide within 10 minutes of its release on the 
Internet by exploiting a known vulnerability for which a patch had been 
available for 6 months.[Footnote 6] Slammer caused network outages, 
canceled airline flights, and automated teller machine failures. In 
addition, the Nuclear Regulatory Commission confirmed that the Slammer 
worm had infected a private computer network at a nuclear power plant, 
disabling a safety monitoring system for nearly 5 hours and causing the 
plant's process computer to fail. The worm reportedly also affected 
communication on the control networks of at least five utilities by 
propagating so quickly that control system traffic was blocked. Cost 
estimates on the impact of the worm range from $1.05 billion to $1.25 
billion. 

In May 2005, we reported that federal agencies were facing a set of 
emerging cybersecurity threats as a result of increasingly 
sophisticated methods of attack and the blending of once distinct types 
of attack into more complex and damaging forms.[Footnote 7] Examples of 
these threats include spam (unsolicited commercial e-mail), phishing 
(fraudulent messages used to obtain personal or sensitive data), and 
spyware (software that monitors user activity without the user's 
knowledge or consent). Spam consumes significant resources and is used 
as a delivery mechanism for other types of cyberattacks; phishing can 
lead to identity theft, loss of sensitive information, and reduced 
trust and use of electronic government services; and spyware can 
capture and release sensitive data, make unauthorized changes, and 
decrease system performance. These attacks are also becoming 
increasingly automated with the use of botnets--compromised computers 
that can be remotely controlled by attackers to automatically launch 
attacks. Bots (short for robots) have become a key automation tool that 
is used to speed the infection of vulnerable systems. 

Federal law and regulation call for critical infrastructure protection 
activities that are intended to enhance the cyber and physical security 
of both the public and private infrastructures that are essential to 
national security, national economic security, and national public 
health and safety.[Footnote 8] Federal regulation also establishes DHS 
as the focal point for the security of cyberspace--including analysis, 
warning, information sharing, vulnerability reduction, mitigation, and 
recovery efforts for public and private critical infrastructure 
information systems. To accomplish this mission, DHS is to work with 
other federal agencies, state and local governments, and the private 
sector. Federal policy further recognizes the need to prepare for 
debilitating Internet disruptions and--because the vast majority of the 
Internet infrastructure is owned and operated by the private sector--tasks 
DHS with developing an integrated public/private plan for 
Internet recovery.[Footnote 9] 

Prior Reports Identified DHS's Efforts to Fulfill Cybersecurity 
Responsibilities: 

As the focal point for critical infrastructure protection, the 
Department of Homeland Security (DHS) has many cybersecurity-related 
roles and responsibilities that are called for in law and policy. These 
responsibilities include developing plans, building partnerships, and 
improving information sharing, as well as implementing activities 
related to the five priorities in the National Strategy to Secure 
Cyberspace. These priorities are (1) developing and enhancing national 
cyber analysis and warning, (2) reducing cyberspace threats and 
vulnerabilities, (3) promoting awareness of and training in security 
issues, (4) securing governments' cyberspace, and (5) strengthening 
national security and international cyberspace security cooperation. 
See table 1 for a list of DHS's 13 key cybersecurity responsibilities. 
These responsibilities are described in more detail in appendix I. To 
fulfill its cybersecurity role, in June 2003, DHS established the 
National Cyber Security Division to take the lead in addressing the 
cybersecurity of critical infrastructures. 

Table 1: DHS's Key Cybersecurity Responsibilities: 

* Develop a comprehensive national plan for critical infrastructure 
protection, including cybersecurity.

* Develop partnerships and coordinate with other federal agencies, 
state and local governments, and the private sector.

* Improve and enhance public/private information sharing involving 
cyber attacks, threats, and vulnerabilities.

* Develop and enhance national cyber analysis and warning capabilities.

* Provide and coordinate incident response and recovery planning 
efforts. 

* Identify and assess cyber threats and vulnerabilities.	

* Support efforts to reduce cyber threats and vulnerabilities.

* Promote and support research and development efforts to strengthen 
cyberspace security.

* Promote awareness and outreach.

* Foster training and certification.

* Enhance federal, state, and local government cybersecurity.

* Strengthen international cyberspace security.

* Integrate cybersecurity with national security.

Source: GAO analysis of the Homeland Security Act of 2002, the Homeland 
Security Presidential Directive-7, and the National Strategy to Secure 
Cyberspace. 

[End of table] 

In our 2005 report and testimony, we noted that while DHS initiated 
multiple efforts to fulfill its responsibilities, it had not fully 
addressed any of the 13 responsibilities, and much work remained to 
fulfill them.[Footnote 10] For example, the department established the 
United States Computer Emergency Readiness Team as a public/private 
partnership to make cybersecurity a coordinated national effort, and it 
established forums to build greater trust and information sharing among 
federal officials with information security responsibilities and law 
enforcement entities. However, DHS had not yet developed national cyber 
threat and vulnerability assessments or government/industry contingency 
recovery plans for cybersecurity. Since that report was issued, DHS has 
made progress on its responsibilities, but none have been completely 
addressed. For example, in June 2006, the agency released the National 
Infrastructure Protection Plan; however, supplemental sector-specific 
plans have not yet been finalized. Further, DHS reported that it has 
expanded the use of a situational awareness tool that supports cyber 
analysis and warning from one to seven federal agencies. However, this 
does not yet comprise a national analysis and warning capability. 

In our 2006 report and testimony, we focused particularly on one of 
DHS's key cybersecurity responsibilities--facilitating Internet 
recovery.[Footnote 11] We reported that DHS had begun a variety of 
initiatives to fulfill its responsibility for developing an integrated 
public/private plan for Internet recovery, but that these efforts were 
not comprehensive or complete. For example, DHS had developed high-level 
plans for infrastructure protection and incident response; 
however, the components of these plans that address the Internet 
infrastructure were not complete. Further, several representatives of 
private-sector firms supporting the Internet infrastructure expressed 
concerns about the plans, noting that the plans would be difficult to 
execute in times of crisis. The department had also started a variety 
of initiatives to improve the nation's ability to recover from Internet 
disruptions, including establishing working groups to facilitate 
coordination and exercises in which government and private industry 
practice responding to cyber events. However, progress to date on these 
initiatives had been limited, and other initiatives lacked time frames 
for completion. Also, the relationships among these initiatives were 
not evident. As a result, we reported that the government was not yet 
adequately prepared to effectively coordinate public/private plans for 
recovering from a major Internet disruption. A private-sector 
organization subsequently reported that our nation was unprepared to 
reconstitute the Internet after a massive disruption, noting that there 
were significant gaps in government response plans and that the 
responsibilities of the multiple organizations that would play a role 
in recovery were unclear.[Footnote 12] 

DHS Faces Many Challenges; Organizational Stability and Leadership Are 
Keys to Success: 

DHS faces numerous challenges in fulfilling its cybersecurity-related 
CIP responsibilities. Key challenges in fulfilling DHS's broad 
responsibilities include increasing awareness about cybersecurity roles 
and capabilities, establishing effective partnerships with 
stakeholders, achieving two-way information sharing with these 
stakeholders, and demonstrating the value it can provide to private 
sector infrastructure owners. Key challenges to establishing a plan for 
recovering from Internet disruptions include addressing innate 
characteristics of the Internet that make planning for and responding 
to disruptions difficult, achieving consensus on DHS's role[Footnote 
13] and on when the department should get involved in responding to a 
disruption, addressing legal issues affecting DHS's ability to provide 
assistance to restore Internet service, and overcoming reluctance of 
many in the private sector to share information on Internet disruptions 
with DHS. Further, the department faces a particular challenge in 
attaining the organizational stability and leadership it needs to gain 
the trust of other stakeholders in the cybersecurity world--including 
other government agencies as well as the private sector. 

In May 2005, we reported that multiple senior DHS cybersecurity 
officials had recently left the department.[Footnote 14] These 
officials included the NCSD Director, the Deputy Director responsible 
for Outreach and Awareness, the Director of the US-CERT Control Systems 
Security Center, the Under Secretary for the Information Analysis and 
Infrastructure Protection Directorate and the Assistant Secretary 
responsible for the Information Protection Office. Infrastructure 
sector officials stated that the lack of stable leadership has 
diminished NCSD's ability to maintain trusted relationships with its 
infrastructure partners and has hindered its ability to adequately plan 
and execute activities. According to one private-sector representative, 
the importance of organizational stability in fostering strong 
partnerships cannot be overemphasized. 

In July 2005, DHS underwent a reorganization which elevated 
responsibility for cybersecurity to an assistant secretary position. 
NCSD and the National Communication System were placed in the 
Preparedness Directorate under a new position, called the Assistant 
Secretary of Cyber Security and Telecommunications--in part to raise 
the visibility of cybersecurity issues in the department. However, over 
a year later, this position remains vacant. While DHS stated that the 
lack of a permanent assistant secretary has not hampered its efforts 
related to protecting critical infrastructure, several private-sector 
representatives stated that DHS's lack of leadership in this area has 
limited progress. Specifically, these representatives stated that 
filling key leadership positions would enhance DHS's visibility to the 
Internet industry and would potentially improve its reputation. 

Implementation of GAO's Recommendations Should Enhance DHS's Ability to 
Fulfill Cybersecurity Responsibilities and Address Challenges: 

To strengthen DHS's ability to implement its cybersecurity 
responsibilities and to resolve underlying challenges, GAO has made 
about 25 recommendations over the last several years. These 
recommendations focus on the need to (1) conduct threat and 
vulnerability assessments, (2) develop a strategic analysis and warning 
capability for identifying potential cyber attacks, (3) protect 
infrastructure control systems, (4) enhance public/private information 
sharing, and (5) facilitate recovery planning, including recovery of 
the Internet in case of a major disruption. These recommendations are 
summarized below, and key recommendations that have not yet been fully 
implemented are listed in appendix 2. Together, the recommendations 
provide a high-level roadmap for DHS to use to improve our nation's 
cybersecurity posture. Until it addresses these recommendations, DHS 
will have difficulty achieving results in its role as a federal focal 
point for cybersecurity of critical infrastructures. 

Threat and Vulnerability Assessments: In May 2005, we reported that 
while DHS had made progress in planning and coordinating efforts to 
enhance cybersecurity, much more work remained to be done for the 
department to fulfill its basic responsibilities--including conducting 
important threat and vulnerability assessments.[Footnote 15] 
Specifically, we noted that DHS had participated in national efforts to 
identify and assess cyber threats and had begun to take steps to 
facilitate sector-specific vulnerability assessments, but that it had 
not completed a national cyber threat assessment, sector-specific 
vulnerability assessments, or the identification of cross-sector 
interdependencies that are called for in the cyberspace strategy. We 
made recommendations to strengthen the department's ability to 
implement key cybersecurity responsibilities by prioritizing and 
completing critical activities and resolving underlying challenges. DHS 
concurred with our recommendation to engage stakeholders in 
prioritizing its key cybersecurity responsibilities, including 
performing a national cyber threat assessment and facilitating sector 
cyber vulnerability assessments. However, these efforts are not yet 
complete. 

Strategic Analysis and Warnings: In 2001, we reported on the analysis 
and warnings efforts within DHS's predecessor, the National 
Infrastructure Protection Center, and we identified several challenges 
that were impeding the development of an effective strategic analysis 
and warning capability.[Footnote 16] We reported that a generally 
accepted methodology for analyzing strategic cyber-based threats did 
not exist. Specifically, there was no standard terminology, no standard 
set of factors to consider, and no established thresholds for 
determining the sophistication of attack techniques. We also reported 
that the Center did not have the industry-specific data on factors such 
as critical systems components, known vulnerabilities, and 
interdependencies. 

We therefore recommended that the responsible executive-branch 
officials and agencies establish a capability for strategic analysis of 
computer-based threats, including developing a methodology, acquiring 
expertise, and obtaining infrastructure data. 

More recently, in 2005, we reported that DHS had established various 
initiatives to enhance its analytical capabilities, including 
intelligence-sharing through the US-CERT and situational awareness 
tools through the US-CERT Einstein program at selected federal 
agencies. However, we noted that DHS was still facing the same 
challenges in developing strategic analysis and warning capabilities 
and that our original recommendations had not been fully implemented. 

Control Systems: In March 2004, we reported that several factors--including 
the adoption of standardized technologies with known 
vulnerabilities and the increased connectivity of control systems to 
other systems--had contributed to an escalation of the risk of cyber-attacks 
against control systems.[Footnote 17] We recommended that DHS 
develop and implement a strategy for coordinating with the private 
sector and with other government agencies to improve control system 
security, including an approach for coordinating the various ongoing 
efforts to secure control systems. DHS concurred with our 
recommendation and, in December 2004, issued a high-level national 
strategy for control systems security. This strategy includes, among 
other things, goals to create a capability to respond to attacks on 
control systems and to mitigate vulnerabilities, bridge industry and 
government efforts, and develop control systems security awareness. 
However, the strategy does not yet include underlying details and 
milestones for completing activities. In 2007, we plan to evaluate 
federal efforts to enhance the protection of critical control systems. 

Information Sharing: Over the years, we have issued a series of 
reports, summarized below, on efforts to improve information sharing in 
support of critical infrastructure protection. Further, because of the 
importance of this topic, in January 2005, we designated establishing 
appropriate and effective information-sharing mechanisms to improve 
homeland security as a new high-risk area in our report on federal 
programs and operations at risk.[Footnote 18] We reported that the 
ability to share security-related information can unify the efforts of 
federal, state, and local government agencies and the private sector in 
preventing or minimizing terrorist attacks. 

In July 2004, we recommended actions to improve the effectiveness of 
DHS's information-sharing efforts.[Footnote 19] We recommended that 
officials within the Information Analysis and Infrastructure Protection 
Directorate (1) proceed with and establish milestones for developing an 
information-sharing plan and (2) develop appropriate DHS policies and 
procedures for interacting with ISACs, sector coordinators (groups or 
individuals designated to represent their respective infrastructure 
sectors' CIP activities), and sector-specific agencies and for 
coordination and information sharing within the Information Analysis 
and Infrastructure Protection Directorate and other DHS components. DHS 
stated that the report generally provided an accurate analysis and 
planned actions to address these recommendations. However, as of today, 
the recommendations have not yet been implemented. 

More recently, in March 2006, we reported that more than 4 years after 
September 11, the nation still lacked governmentwide policies and 
processes to help agencies integrate a myriad of ongoing efforts to 
improve the sharing of terrorism-related information that is critical 
to protecting our homeland.[Footnote 20] Responsibility for creating 
these policies and processes now lies with the Director of National 
Intelligence--and should include a cybersecurity focus. We made several 
recommendations to the Director of National Intelligence to strengthen 
information sharing efforts. 

Most recently, in April 2006, we reported on DHS's efforts to implement 
the Critical Infrastructure Information Act of 2002, which was enacted 
to encourage nonfederal entities to voluntarily share critical 
infrastructure information and established protections for it.
[Footnote 21] DHS has initiated several actions, including issuing interim 
operating procedures[Footnote 22] and creating a program office to 
administer the critical infrastructure protection program called for by 
the Critical Infrastructure Information Act. The program office has 
also begun to accept and safeguard critical infrastructure information 
submitted voluntarily by infrastructure owners and is sharing it with 
other DHS entities and, on a limited basis, with other government 
entities. For example, as of January 2006, the program office had 
received about 290 submissions of critical infrastructure information 
from various sectors. However, DHS faces challenges that impede the 
private sector's willingness to share sensitive information, including 
defining specific government needs for critical infrastructure 
information, determining how the information will be used, assuring the 
private sector that the information will be protected and who will be 
authorized to have access to the information, and demonstrating to 
critical infrastructure owners the benefits of sharing the information. 
We recommended that DHS better define its own and other federal 
agencies' critical infrastructure information needs and explain how it 
and the other agencies will use the information they receive from the 
private sector. We also recommended that DHS establish a specific 
deadline for issuing its final operating procedures. DHS concurred with 
our findings and recommendations and has made progress in selected 
areas. Specifically, on September 1, 2006, DHS released its final 
operating procedures.[Footnote 23] 

Recovery Planning: In May 2005, we reported that while DHS had made 
progress in planning and coordinating efforts to enhance cybersecurity, 
much more work remained to be done to fulfill its responsibilities-- 
including facilitating government and government/industry cybersecurity 
recovery plans.[Footnote 24] More recently, in June 2006, we reported 
that DHS had begun a variety of initiatives to fulfill its 
responsibility for developing an integrated public/private plan for 
Internet recovery, but that these efforts were not complete or 
comprehensive.[Footnote 25] Further, we reported that DHS faced key 
challenges in establishing a plan for recovering from Internet 
disruptions, including obtaining consensus on its role and on when the 
department should get involved in responding to a disruption, 
overcoming the reluctance of many in the private sector to share 
information on Internet disruptions, and addressing leadership 
uncertainties within the department. We made recommendations to 
strengthen the department's ability to help recover from Internet 
disruptions. DHS concurred with our recommendations and identified 
plans to begin addressing them. 

We also reported that the federal laws and regulations that address 
critical infrastructure protection, disaster recovery, and the 
telecommunications infrastructure provide broad guidance that applies 
to the Internet, but it is not clear how useful these authorities would 
be in helping to recover from a major Internet disruption. 
Specifically, key legislation on critical infrastructure protection 
does not address roles and responsibilities in the event of an Internet 
disruption. Other laws and regulations governing disaster response and 
emergency communications have never been used for Internet recovery. We 
suggested that Congress consider clarifying the legal framework guiding 
Internet recovery. 

In summary, while DHS has initiatives underway to fulfill its many 
cybersecurity responsibilities, major tasks remain to be done. These 
include assessing and reducing cyber threats and vulnerabilities and 
coordinating incident response and recovery planning efforts. In 
fulfilling its cybersecurity responsibilities, DHS has many challenges 
to overcome, several of which will be difficult without effective 
leadership. Effective leadership is essential in order to fulfill key 
government responsibilities and to partner and build credibility with 
the private sector. Addressing this leadership void starts with DHS 
naming its Assistant Secretary of Cyber Security and 
Telecommunications. Once that position is filled, our recommendations 
in the areas of threat and vulnerability analysis, analysis and 
warning, control systems protection, information sharing, and recovery 
planning can help prioritize efforts to secure our nation's public and 
private infrastructures. 

Mr. Chairman, this concludes my statement. I would be happy to answer 
any questions at this time. 

If you have any questions on matters discussed in this testimony, 
please contact us at (202) 512-9286 or by e-mail at pownerd@gao.gov. 
Other key contributors to this report include Colleen Phillips 
(Assistant Director), Vijay D'Souza, Michael Gilmore, Barbarol James, 
and Teresa Neven. 

Appendix I: Thirteen DHS Cybersecurity Responsibilities: 

Critical infrastructure protection responsibilities with a cyber 
element: Develop a national plan for critical infrastructure protection 
that includes cybersecurity; 
Description: Developing a comprehensive national plan for securing the 
key resources and critical infrastructure of the United States, 
including information technology and telecommunications systems 
(including satellites) and the physical and technological assets that 
support such systems. This plan is to outline national strategies, 
activities, and milestones for protecting critical infrastructures. 

Critical infrastructure protection responsibilities with a cyber 
element: Develop partnerships and coordinate with other federal 
agencies, state and local governments, and the private sector; 
Description: Fostering and developing public/private partnerships with 
and among other federal agencies, state and local governments, the 
private sector, and others. DHS is to serve as the "focal point for the 
security of cyberspace." 

Critical infrastructure protection responsibilities with a cyber 
element: Improve and enhance public/private information sharing 
involving cyber attacks, threats, and vulnerabilities; 
Description: Improving and enhancing information sharing with and among 
other federal agencies, state and local governments, the private 
sector, and others through improved partnerships and collaboration, 
including encouraging information sharing and analysis mechanisms. DHS 
is to improve sharing of information on cyber attacks, threats, and 
vulnerabilities. 

Responsibilities related to the cyberspace strategy's five priorities: 
Develop and enhance national cyber analysis and warning capabilities; 
Description: Providing cyber analysis and warnings, enhancing 
analytical capabilities, and developing a national indications and 
warnings architecture to identify precursors to attacks. 

Responsibilities related to the cyberspace strategy's five priorities: 
Provide and coordinate incident response and recovery planning efforts;
Description: Providing crisis management in response to threats to or 
attacks on critical information systems. This entails coordinating 
efforts for incident response, recovery planning, exercising 
cybersecurity continuity plans for federal systems, planning for 
recovery of Internet functions, and assisting infrastructure 
stakeholders with cyber-related emergency recovery plans. 

Responsibilities related to the cyberspace strategy's five priorities:  
Identify and assess cyber threats and vulnerabilities; 
Description: Leading efforts by the public and private sector to 
conduct a national cyber threat assessment, to conduct or facilitate 
vulnerability assessments of sectors, and to identify cross-sector 
interdependencies. 

Responsibilities related to the cyberspace strategy's five priorities:  
Support efforts to reduce cyber threats and vulnerabilities; 
Description: Leading and supporting efforts by the public and private 
sector to reduce threats and vulnerabilities. Threat reduction involves 
working with the law enforcement community to investigate and prosecute 
cyberspace threats. Vulnerability reduction involves identifying and 
remediating vulnerabilities in existing software and systems. 

Responsibilities related to the cyberspace strategy's five priorities:  
Promote and support research and development efforts to strengthen 
cyberspace security; 
Description: Collaborating and coordinating with members of academia, 
industry, and government to optimize cybersecurity related research and 
development efforts to reduce vulnerabilities through the adoption of 
more secure technologies. 

Responsibilities related to the cyberspace strategy's five priorities:  
Promote awareness and outreach; 
Description: Establishing a comprehensive national awareness program to 
promote efforts to strengthen cybersecurity throughout government and 
the private sector, including the home user. 

Responsibilities related to the cyberspace strategy's five priorities:  
Foster training and certification; 
Description: Improving cybersecurity-related education, training, and 
certification opportunities. 

Responsibilities related to the cyberspace strategy's five priorities:  
Enhance federal, state, and local government cybersecurity; 
Description: Partnering with federal, state, and local governments in 
efforts to strengthen the cybersecurity of the nation's critical 
information infrastructure to assist in the deterrence, prevention, 
preemption of, and response to terrorist attacks against the United 
States. 

Responsibilities related to the cyberspace strategy's five priorities: 
Strengthen international cyberspace security; 
Description: Working in conjunction with other federal agencies, 
international organizations, and industry in efforts to promote 
strengthened cybersecurity on a global basis. 

Responsibilities related to the cyberspace strategy's five priorities:  
Integrate cybersecurity with national security; 
Description: Coordinating and integrating applicable national 
preparedness goals with its National Infrastructure Protection Plan.  

Source: GAO analysis of the Homeland Security Act of 2002, the Homeland 
Security Presidential Directive-7, and the National Strategy to Secure 
Cyberspace. 

[End of table]

Appendix II: Key Recommendations To Improve Cybersecurity of Critical 
Infrastructures: 

Functional Area: Threat and vulnerability assessments; 
Recommendations That Have Not Yet Been Fully Implemented: Perform a 
national cyber threat assessment; 
Facilitate sector cyber vulnerability assessments--to include 
identification of cross-sector interdependencies. 

Functional Area: Strategic analysis and warning; 
Recommendations That Have Not Yet Been Fully Implemented: Establish a 
capability for strategic analysis of computer-based threats, including 
developing a related methodology, acquiring staff expertise, and 
obtaining infrastructure data; 
Develop a comprehensive governmentwide data-collection and analysis 
framework and ensure that national watch and warning operations for 
computer-based attacks are supported by sufficient staff and 
resources; 
Develop a comprehensive written plan for establishing analysis and 
warning capabilities that integrates existing planning elements and 
includes milestones and performance measures; approaches (or 
strategies) and the various resources needed to achieve the goals and 
objectives; a description of the relationship between the long-term 
goals and objectives and the annual performance goals; and a 
description of how program evaluations could be used to establish or 
revise strategic goals, along with a schedule for future program 
evaluations. 

Functional Area: Infrastructure control systems protection; 
Recommendations That Have Not Yet Been Fully Implemented: Develop and 
implement a strategy for coordinating with the private sector and other 
government agencies to improve control system security, including an 
approach for coordinating the various ongoing efforts to secure control 
systems. 

Functional Area: Public/private information sharing; 
Recommendations That Have Not Yet Been Fully Implemented: To ensure 
effective implementation of the Intelligence Reform Act, assess 
progress toward the milestones set in the Interim Implementation Plan; 
identify any barriers to achieving these milestones, such as 
insufficient resources, and determine ways to resolve them; and 
recommend to the oversight committees with jurisdiction any necessary 
changes to the organizational structure or approach to creating the 
Information Sharing Environment; 
Consistent with other infrastructure planning efforts such as the NIPP, 
define and communicate to the private sector what critical 
infrastructure information DHS and federal entities need to fulfill 
their critical infrastructure responsibilities and how federal, state, 
and local entities are expected to use the information submitted under 
the program; 
Determine whether creating mechanisms, such as providing originator 
control and direct submissions to federal agencies other than DHS, 
would increase submissions of critical infrastructure information; 
Expand efforts to use incentives to encourage more users of critical 
infrastructure information, such as mechanisms for state-to-state 
sharing; 
Proceed with and establish milestones for the development of an 
information-sharing plan that includes (1) a clear description of the 
roles and responsibilities of DHS, the ISACs, the sector coordinators, 
and the sector-specific agencies and (2) actions designed to address 
information-sharing challenges. Efforts to develop this plan should 
include soliciting feedback from the ISACs, sector coordinators, and 
sector-specific agencies to help ensure that challenges identified by 
the ISACs and the ISAC Council are appropriately considered in the 
final plan; 
Considering the roles, responsibilities, and actions established in the 
information-sharing plan, develop appropriate DHS policies and 
procedures for interacting with the Information Sharing and Analysis 
Centers (ISACs), sector coordinators, and sector-specific agencies and 
for coordination and information sharing within the IAIP Directorate 
(such as the National Cyber Security Division and Infrastructure 
Coordination Division) and other DHS components that may interact with 
the ISACs, including TSA. 

Functional Area: Recovery planning; 
Recommendations That Have Not Yet Been Fully Implemented: Establish 
contingency plans for cybersecurity, including recovery plans for key 
internet functions; 
Establish dates for revising the National Response Plan and finalizing 
the National Infrastructure Protection Plan (to include components 
related to Internet recovery); 
Draft public/private plans for Internet recovery and obtain input from 
key Internet infrastructure companies; 
Review the organizational structures and roles of DHS's National 
Communication System (NCS) and National Cyber Security Division (NCSD) 
in light of the convergence of voice and data communications; 
Identify the relationships and interdependencies among the various 
Internet recovery-related activities currently underway in NCS and 
NCSD; 
Establish timelines and priorities for key efforts identified by the 
Internet Disruption Working Group; 
Identify ways to incorporate lessons learned from actual incidents and 
during cyber exercises into recovery plans and procedures; 
Work with private-sector stakeholders representing the Internet 
infrastructure to address challenges to effective Internet recovery by 
(1) further defining needed government functions, (2) defining a 
trigger for government involvement in responding to a disruption, and 
(3) documenting assumptions and developing approaches to deal with key 
challenges that are not within the government's control. 

Functional Area: Crosscutting topics; 
Recommendations That Have Not Yet Been Fully Implemented: Engage 
appropriate stakeholders to prioritize key cybersecurity 
responsibilities so that the most important activities are addressed 
first; 
Prioritize a list of activities for addressing underlying challenges 
that are impeding execution of DHS responsibilities; 
Identify performance measures and milestones for fulfilling prioritized 
responsibilities and activities to address underlying challenges, and 
track progress against these measures and milestones. 

Source: GAO-06-383, GAO-06-385, GAO-06-672, GAO-05-434, GAO-04-780, 
GAO-04-354, GAO-01-323. 

[End of table] 

FOOTNOTES 

[1] Homeland Security Presidential Directive 7: Critical Infrastructure 
Identification, Prioritization, and Protection (Dec. 17, 2003). 

[2] The White House, National Strategy to Secure Cyberspace 
(Washington, D.C.: February 2003). 

[3] GAO, Critical Infrastructure Protection: Department of Homeland 
Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, 
GAO-05-434 (Washington, D.C.: May 26, 2005); Critical Infrastructure 
Protection: Challenges in Addressing Cybersecurity, GAO-05-827T 
(Washington, D.C.: July 19, 2005); Internet Infrastructure: DHS Faces 
Challenges in Developing a Joint Public/Private Recovery Plan, 
GAO-06-672 (Washington, D.C.: June 16, 2006); Internet Infrastructure: 
Challenges in Developing a Public/Private Recovery Plan, GAO-06-863T 
(Washington, D.C.: July 28, 2006). 

[4] GAO-05-434 and GAO-06-672. 

[5] Signature-based tools compare files or packets to a list of 
"signatures"--patterns of specific files or packets that have been 
identified as threats. 

[6] GAO-06-672. 

[7] GAO, Information Security: Emerging Cybersecurity Issues Threaten 
Federal Information Systems, GAO-05-231 (Washington, D.C.: May 13, 
2005). 

[8] The Homeland Security Act of 2002 and the Homeland Security 
Presidential Directive 7. 

[9] The White House, National Strategy to Secure Cyberspace 
(Washington, D.C.: February 2003). 

[10] GAO-05-434 and GAO-05-827T. 

[11] GAO-06-672 and GAO-06-863T. 

[12] Business Roundtable, Essential Steps to Strengthen America's Cyber 
Terrorism Preparedness (Washington, D.C.: June 2006). 

[13] While some private sector officials we spoke to stated that the 
government did not have a direct recovery role, others identified a 
variety of potential roles including providing information on specific 
threats, providing security and disaster relief during a crisis, 
funding backup communication infrastructures, driving improved Internet 
security through requirements for the government's own procurements, 
and providing logistical assistance, such as fuel, power, and security 
to Internet infrastructure operators during a crisis. 

[14] GAO-05-434. 

[15] GAO-05-434. 

[16] GAO, Critical Infrastructure Protection: Significant Challenges in 
Developing National Capabilities, GAO-01-323 (Washington, D.C.: Apr. 
25, 2001). 

[17] GAO, Critical Infrastructure Protection: Challenges and Efforts to 
Secure Control Systems, GAO-04-354 (Washington, D.C.: Mar. 15, 2004). 

[18] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: 
January 2005). 

[19] GAO, Critical Infrastructure Protection: Improving Information 
Sharing with Infrastructure Sectors, GAO-04-780 (Washington, D.C.: July 
9, 2004). 

[20] GAO, Information Sharing: The Federal Government Needs to 
Establish Policies and Processes for Sharing Terrorism-Related and 
Sensitive but Unclassified Information, GAO-06-385 (Washington, D.C.: 
March 17, 2006). 

[21] GAO, Information Sharing: DHS Should Take Steps to Encourage More 
Widespread Use of Its Program to Protect and Share Critical 
Infrastructure Information, GAO-06-383 (Washington, D.C.: April 17, 
2006). 

[22] On February 20, 2004, DHS issued Procedures for Handling Critical 
Infrastructure Information: Interim Rule (69 FR 8074) that, among other 
things, included mechanisms specified in law, established authorities 
regarding the sharing of information, and stated that DHS would 
consider issuing supplemental regulations. 

[23] Department of Homeland Security, Procedures for Handling Critical 
Infrastructure Information; Final Rule (71 FR 52262) (Sept. 1, 2006). 

[24] GAO-05-434. 

[25] GAO-06-672. 
