This is the accessible text file for GAO report number GAO-06-672 entitled 'Internet Infrastructure: DHS Faces Challenges in Developing a Joint Public/Private Recovery Plan' which was released on July 28, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: June 2006: Internet Infrastructure: DHS Faces Challenges in Developing a Joint Public/Private Recovery Plan: GAO-06-672: GAO Highlights: Highlights of GAO-06-672, a report to congressional requesters Why GAO Did This Study: Since the early 1990s, growth in the use of the Internet has revolutionized the way that our nation communicates and conducts business. While the Internet was originally developed by the Department of Defense, the vast majority of its infrastructure is currently owned and operated by the private sector. Federal policy recognizes the need to prepare for debilitating Internet disruptions and tasks the Department of Homeland Security (DHS) with developing an integrated public/private plan for Internet recovery. GAO was asked to (1) identify examples of major disruptions to the Internet, (2) identify the primary laws and regulations governing recovery of the Internet in the event of a major disruption, (3) evaluate DHS plans for facilitating recovery from Internet disruptions, and (4) assess challenges to such efforts. What GAO Found: A major disruption to the Internet could be caused by a cyber incident (such as a software malfunction or a malicious virus), a physical incident (such as a natural disaster or an attack that affects key facilities), or a combination of both cyber and physical incidents. Recent cyber and physical incidents have caused localized or regional disruptions but have not caused a catastrophic Internet failure. Federal laws and regulations addressing critical infrastructure protection, disaster recovery, and the telecommunications infrastructure provide broad guidance that applies to the Internet, but it is not clear how useful these authorities would be in helping to recover from a major Internet disruption. Specifically, key legislation on critical infrastructure protection does not address roles and responsibilities in the event of an Internet disruption. Other laws and regulations governing disaster response and emergency communications have never been used for Internet recovery. DHS has begun a variety of initiatives to fulfill its responsibility for developing an integrated public/private plan for Internet recovery, but these efforts are not complete or comprehensive. Specifically, DHS has developed high-level plans for infrastructure protection and incident response, but the components of these plans that address the Internet infrastructure are not complete. In addition, the department has started a variety of initiatives to improve the nation’s ability to recover from Internet disruptions, including working groups to facilitate coordination and exercises in which government and private industry practice responding to cyber events. However, progress to date on these initiatives has been limited, and other initiatives lack time frames for completion. Also, the relationships among these initiatives are not evident. As a result, the government is not yet adequately prepared to effectively coordinate public/private plans for recovering from a major Internet disruption. Key challenges to establishing a plan for recovering from Internet disruptions include (1) innate characteristics of the Internet (such as the diffuse control of the many networks making up the Internet and private sector ownership of core components) that make planning for and responding to disruptions difficult, (2) a lack of consensus on DHS’s role and when the department should get involved in responding to a disruption, (3) legal issues affecting DHS’s ability to provide assistance to restore Internet service, (4) reluctance of many in the private sector to share information on Internet disruptions with DHS, and (5) leadership and organizational uncertainties within DHS. Until these challenges are addressed, DHS will have difficulty achieving results in its role as a focal point for helping to recover the Internet from a major disruption. What GAO Recommends: GAO is suggesting that Congress consider clarifying the legal framework guiding Internet recovery. GAO is also making recommendations to the Secretary of the Department of Homeland Security to strengthen the department’s ability to serve as a focal point for helping to recover from Internet disruptions by completing key plans and activities and addressing challenges. In written comments, DHS agreed with GAO’s recommendations and provided information on activities it was taking to implement them. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-672]. To view the full product, including the scope and methodology, click on the link above. For more information, contact David Powner at (202) 512- 9286 or pownerd@gao.gov. [End of Section] Contents: Letter: Results in Brief: Background: Although Both Cyber and Physical Incidents Have Caused Disruptions, the Internet Has Not Yet Suffered a Catastrophic Failure: Existing Laws and Regulations Apply to the Internet, but Numerous Uncertainties Exist in Using Them for Internet Recovery: DHS Initiatives Supporting Internet Recovery Planning Are under Way, but Much Remains to Be Done and the Relationships among Initiatives Are Not Evident: Multiple Challenges Exist to Planning for Recovery from Internet Disruptions: Conclusions: Matters for Congressional Consideration: Recommendations for Executive Action: Agency Comments: Appendixes: Appendix I: Objectives, Scope, and Methodology: Appendix II: Legislation and Regulations Govern Critical Infrastructure Protection, Disaster Response, and the Telecommunications Infrastructure: Multiple Laws and Regulations Govern Protection of Critical Infrastructure: Multiple Laws Govern Federal Response to Disasters and Incidents of National Significance: Specific Laws and Regulations Govern the Telecommunications Infrastructure That Supports the Internet: Appendix III: Two Task Forces Have Assessed NCS Roles and Mission : Next Generation Network Task Force: National Coordinating Center Task Force: Appendix IV: DHS Has Conducted Disaster Response Exercises That Include Cyber Incidents: DHS Has Conducted Regional Exercises Involving Cyber Attacks: Cyber Storm Was DHS's First National Exercise Focused on Cyber Attacks: Appendix V: Comments from the Department of Homeland Security: Appendix VI: GAO Contacts and Staff Acknowledgments: Tables: Table 1: Critical Infrastructure Sectors: Table 2: Sources of Cyber Threats Identified by the U.S. Intelligence Community: Table 3: Examples of Collaborative Groups: Table 4: DHS's Key Cybersecurity Responsibilities: Table 5: Examples of Potential Internet Disruptions: Table 6: Potential DHS Roles: Table 7: Selected Lessons Learned from DHS Regional Exercises with Cyber Components: Figures: Figure 1: Example of an E-mail Transiting the Internet: Figure 2: How the Domain Name System Translates a Web Site Name into a Numerical Address: Figure 3: Example of Dynamic Routing Using Border Gateway Protocol: Figure 4: Case Study--The Slammer Worm: Figure 5: Case Study--A Root Server Attack: Figure 6: Case Study--The Baltimore Train Tunnel Fire: Figure 7: Case Study--The September 11, 2001, Terrorist Attack on the World Trade Center: Figure 8: Case Study--Hurricane Katrina: Abbreviations: DHS: Department of Homeland Security: IP: Internet Protocol: NCS: National Communications System: NCSD: National Cyber Security Division: US-CERT: United States Computer Emergency Readiness Team: June 16, 2006: Congressional Requesters: Since the early 1990s, increasing computer interconnectivity--most notably growth in the use of the Internet--has revolutionized the way that our government, our nation, and much of the world communicate and conduct business. Our country has come to rely on the Internet as a critical infrastructure supporting commerce, education, and communication. While the benefits of this technology have been enormous, this widespread interconnectivity poses significant risks to the government's and our nation's computer systems and, more importantly, to the critical operations and infrastructures they support. Federal regulation establishes the Department of Homeland Security (DHS) as the focal point for the security of cyberspace--including analysis, warning, information sharing, vulnerability reduction, mitigation, and recovery efforts for public and private critical infrastructure systems.[Footnote 1] To accomplish this mission, DHS is to work with federal agencies, state and local governments, and the private sector. Federal policy also recognizes the need to be prepared for the possibility of debilitating disruptions in cyberspace and, because the vast majority of the Internet infrastructure is owned and operated by the private sector, tasks DHS with developing an integrated public/private plan for Internet recovery.[Footnote 2] Last year, we reported on DHS efforts to fulfill its cybersecurity responsibilities and noted that the department had not developed key cybersecurity recovery plans--including a plan for recovering key Internet functions.[Footnote 3] Because of your interest in DHS's efforts to develop a joint plan for recovering the Internet in case of a major disruption, you asked that we (1) identify examples of major disruptions to the Internet, (2) identify the primary laws and regulations governing recovery of the Internet in the event of a major disruption, (3) evaluate DHS's plans for facilitating recovery from Internet disruptions, and (4) assess challenges to such efforts. To accomplish these objectives, we assessed documentation of disruptions to the Internet and compiled case studies of incidents that have affected the Internet. We also reviewed relevant laws and regulations related to critical infrastructure protection, disaster response, and the telecommunications infrastructure. We assessed DHS progress and plans for handling Internet disruptions. In order to identify challenges to effective Internet recovery planning, we also interviewed officials from DHS, other federal agencies, and representatives of the private sector who have a role in operating the Internet infrastructure. Appendix I provides additional details on our objectives, scope, and methodology. We performed our work from August 2005 to May 2006 in accordance with generally accepted government auditing standards. Results in Brief: A major disruption to the Internet could be caused by a cyber incident (such as a software malfunction or a malicious virus), a physical incident (such as a natural disaster or an attack that affects facilities and other assets), or a combination of both cyber and physical incidents. Recent cyber and physical incidents have caused localized or regional disruptions, highlighting the importance of recovery planning. For example, a 2002 root server attack highlighted the need to plan for increased server capacity at Internet exchange points in order to manage the high volumes of data traffic during an attack. However, recent incidents also have shown the Internet as a whole to be flexible and resilient. Even in past severe circumstances, the Internet did not suffer a catastrophic failure. Several federal laws and regulations provide broad guidance that applies to the Internet, but it is not clear how useful these authorities would be in helping to recover from a major Internet disruption. Specifically, the Homeland Security Act of 2002 and Homeland Security Presidential Directive 7 provide guidance on protecting our nation's critical infrastructures. However, they do not specifically address roles and responsibilities in the event of an Internet disruption. In addition, the Defense Production Act and the Stafford Act provide authority to federal agencies to plan for and respond to incidents of national significance, such as disasters and terrorist attacks. However, the Defense Production Act has never been used for Internet recovery and the Stafford Act does not authorize the provision of resources to for-profit companies--such as those that own and operate core Internet components. The Communications Act of 1934 and the National Communications System authorities govern the telecommunications infrastructure and help ensure communications during national emergencies, but they have never been used for Internet recovery. Thus, it is not clear how effective they would be in assisting Internet recovery. DHS has begun a variety of initiatives to fulfill its responsibility for developing an integrated public/private plan for Internet recovery, but these efforts are not yet complete or comprehensive. Specifically, DHS has developed high-level plans for infrastructure protection and incident response, but the components of these plans that address the Internet infrastructure are not complete. In addition, DHS has started a variety of initiatives to improve the nation's ability to recover from Internet disruptions, including working groups to facilitate coordination and exercises in which government and private industry practice responding to cyber events. However, progress to date on these initiatives has been limited and other initiatives lack time frames for completion. Also, the relationships among these initiatives are not evident. As a result, risk remains that the government is not yet adequately prepared to effectively coordinate public/private plans for recovering from a major Internet disruption. Key challenges to establishing a plan for recovering from an Internet disruption include (1) innate characteristics of the Internet (such as the diffuse control of the many networks that make up the Internet and the private-sector ownership of core components) that make planning for and responding to disruptions difficult, (2) lack of consensus on DHS's role and when the department should get involved in responding to a disruption, (3) legal issues affecting DHS's ability to provide assistance to entities working to restore Internet service, (4) reluctance of many in the private sector to share information on Internet disruptions with DHS, and (5) leadership and organizational uncertainties within DHS. Until these challenges are addressed, DHS will have difficulty achieving results in its role as a focal point for helping to recover the Internet from a major disruption. Given the importance of the Internet infrastructure to our nation's communications and commerce, we are suggesting that Congress consider clarifying the legal framework guiding Internet recovery. We are also making recommendations to the Secretary of the Department of Homeland Security to strengthen the department's ability to effectively serve as a focal point for helping to recover from Internet disruptions by establishing clear milestones for completing key plans, coordinating various Internet recovery-related activities, and addressing key challenges to Internet recovery planning. DHS provided written comments on a draft of this report in which it agreed with our recommendations and provided information on initial activities it is taking to implement them (see app. V). DHS officials, as well as others who were quoted in our report, also provided technical corrections, which we have incorporated in this report as appropriate. Background: The Internet: An Overview: The Internet is a vast network of interconnected networks. It is used by governments, businesses, research institutions, and individuals around the world to communicate, engage in commerce, do research, educate, and entertain. While most Americans are familiar with Internet service providers--such as America Online and EarthLink--that provide consumers with a pathway, or "on-ramp," to the Internet, many are less familiar with how the Internet was developed, the underlying structure of the Internet, and how it works. In the late 1960s and the 1970s, the Department of Defense's Advanced Research Projects Agency developed a network to allow multiple universities to communicate and share computing resources. In the ensuing decades, this project grew to become a large network of networks and was joined with an array of scientific and academic computers funded by the National Science Foundation. This expanded network provided the backbone infrastructure of today's Internet. In 1995, the federal government began to turn the backbone of the Internet over to a consortium of commercial backbone providers. From that point on, the Internet infrastructure was owned and operated by private companies--including telecommunications companies, cable companies, and Internet service providers. Today's Internet connects millions of small, medium, and large networks. When an Internet user wants to access a Web site or to send an e-mail to someone who is connected to the Internet through a different Internet service provider, the data must be transferred between networks. Transit across the Internet is provided by either national backbone providers, regional network operators, or a combination of both. National backbone providers are companies that own and operate high-capacity, long-haul backbone networks. These providers transmit data traffic over long distances using high-speed, fiber-optic lines. Because national backbone operators do not service all locations worldwide, regional network providers supplement the long-haul traffic by providing regional service. Data cross between networks at Internet exchange points--which can be either hub points where multiple networks exchange data or private interconnection points arranged by transit providers. At these exchange points, computer systems called routers determine the optimal path for the data to reach their destination. The data then continue their path through the national and regional networks and exchange points, as necessary, to reach the recipient's Internet service provider and the recipient (see fig. 1). Figure 1: Example of an E-mail Transiting the Internet: [See PDF for image] Source: GAO. [End of figure] The networks that make up the Internet communicate via standardized rules called protocols. These rules can be considered voluntary because there is no formal institutional or governmental mechanism for enforcing them. However, if any computer deviates from accepted standards, it risks losing the ability to communicate with other computers that follow the standards. Thus, the rules are essentially self enforcing. One critical set of rules is the Transmission Control Protocol/Internet Protocol suite. These protocols define a detailed process that a sender and receiver agree upon for exchanging data. They describe the flow of data between the physical connection to the network and on to the end-user application. Specifically, these protocols control the addressing of a message by the sender, its division into packets, its transmission across networks, and its reassembly and verification by the receiver. This protocol suite has become the de facto communication standard of the Internet because many standard services (including mail transfer, news, and Web pages) are available on systems that support these protocols.[Footnote 4] Another critical set of protocols, collectively known as the Domain Name System, ensures the uniqueness of each e-mail and Web site address. This system links names like www.senate.gov with the underlying numerical addresses that computers use to communicate with each other. It translates names into addresses and back again in a process invisible to the end user. This process relies on a system of servers, called domain name servers, which store data linking names with numbers. Each domain name server stores a limited set of names and numbers. They are linked by a series of 13 root servers, which coordinate the data and allow users to find the server that identifies the sites they want to reach. Domain name servers are organized into a hierarchy that parallels the organization of the domain names. For example, when someone wants to reach the Web site at www.senate.gov, his or her computer will ask one of the root servers for help.[Footnote 5] The root server will direct the query to a second server that knows the location of names ending in the .gov top-level domain.[Footnote 6] If the address includes a subdomain, the second server refers the query to a third server--in this case, one that knows the addresses for all names ending in senate.gov. The third server will then respond to the request with a numerical address, which the original requester uses to establish a direct connection with the www.senate.gov site. Figure 2 illustrates this example. Figure 2: How the Domain Name System Translates a Web Site Name into a Numerical Address: [See PDF for image] Source: GAO. [End of figure] Another critical set of rules is called the Border Gateway Protocol--a protocol for routing packets between autonomous systems.[Footnote 7] This protocol is used by routers located at network nodes to direct traffic across the Internet. Typically, routers that use this protocol maintain a routing table that lists all feasible paths to a particular network. They also determine metrics associated with each path (such as cost, stability, and speed), so that the best available path can be chosen. This protocol is important because if a certain path becomes unavailable, the system will send data over the next best path (see fig. 3). Figure 3: Example of Dynamic Routing Using Border Gateway Protocol: [See PDF for image] Source: GAO. [End of figure] The Internet Is a Critical Information Infrastructure: From its origins in the 1960s as a research project sponsored by the U.S. government, the Internet has grown increasingly important to both American and foreign businesses and consumers, serving as the medium for hundreds of billions of dollars of commerce each year. According to the U.S. Census Bureau, retail e-commerce sales in the United States were an estimated $86 billion in 2005. The Internet has also become an extended information and communications infrastructure, supporting vital services such as power distribution, health care, law enforcement, and national defense. Federal regulation recognizes the need to protect critical infrastructures. In December 2003, the President updated a national directive for federal departments and agencies to identify and prioritize critical infrastructure sectors and key resources and to protect them from terrorist attack. (See: table 1 for a list of critical infrastructure sectors.)[Footnote 8] This directive recognized that since a large portion of these critical infrastructures is owned and operated by the private sector, a public/ private partnership is crucial for the successful protection of these critical infrastructures. Table 1: Critical Infrastructure Sectors: Sector: Agriculture; Description: Provides for the fundamental need for food. The infrastructure includes supply chains for feed and crop production. Sector: Banking and finance; Description: Provides the financial infrastructure of the nation. This sector consists of commercial banks, insurance companies, mutual funds, government-sponsored enterprises, pension funds, and other financial institutions that carry out transactions, including clearing and settlement. Sector: Chemicals and hazardous materials; Description: Transforms natural raw materials into commonly used products benefiting society's health, safety, and productivity. The chemical industry produces more than 70,000 products that are essential to automobiles, pharmaceuticals, food supply, electronics, water treatment, health, construction, and other necessities. Sector: Commercial facilities; Description: Includes prominent commercial centers, office buildings, sports stadiums, theme parks, and other sites where large numbers of people congregate to pursue business activities, conduct personal commercial transactions, or enjoy recreational pastimes. Sector: Dams; Description: Comprises approximately 80,000 dam facilities, including larger and nationally symbolic dams that are major components of other critical infrastructures that provide electricity and water. Sector: Defense industrial base; Description: Supplies the military with the means to protect the nation by producing weapons, aircraft, and ships and providing essential services, including information technology and supply and maintenance. Sector: Drinking water and water treatment systems; Description: Sanitizes the water supply through about 170,000 public water systems. These systems depend on reservoirs, dams, wells, treatment facilities, pumping stations, and transmission lines. Sector: Emergency services; Description: Saves lives and property from accidents and disasters. This sector includes fire, rescue, emergency medical services, and law enforcement organizations. Sector: Energy; Description: Provides the electric power used by all sectors and the refining, storage, and distribution of oil and gas. This sector is divided into electricity and oil and natural gas. Sector: Food; Description: Carries out the postharvesting of the food supply, including processing and retail sales. Sector: Government; Description: Ensures national security and freedom and administers key public functions. Sector: Government facilities; Description: Includes the buildings owned and leased by the federal government for use by federal entities. Sector: Information technology; Description: Produces hardware, software, and services that enable other sectors to function. Sector: National monuments and icons; Description: Includes key assets that are symbolically equated with traditional American values and institutions or U.S. political and economic power. Sector: Nuclear reactors, materials, and waste; Description: Includes 104 commercial nuclear reactors; research and test nuclear reactors; nuclear materials; and the transportation, storage, and disposal of nuclear materials and waste. Sector: Postal and shipping; Description: Delivers private and commercial letters, packages, and bulk assets. The United States Postal Service and other carriers provide the services of this sector. Sector: Public health and healthcare; Description: Mitigates the risk of disasters and attacks and also provides recovery assistance if an attack occurs. This sector consists of health departments, clinics, and hospitals. Sector: Telecommunications; Description: Provides wired, wireless, and satellite communications to meet the needs of businesses and governments. Sector: Transportation; Description: Enables movement of people and assets that are vital to our economy, mobility, and security, using aviation, ships, rail, pipelines, highways, trucks, buses, and mass transit. Sources: Homeland Security Presidential Directive 7 and the National Strategy for Homeland Security. [End of table] In its plan for protecting these critical infrastructures, DHS recognizes that the Internet is a key resource composed of assets within both the information technology and the telecommunications sectors.[Footnote 9] It notes that the Internet is used by all sectors to varying degrees, and that it provides information and communications to meet the needs of businesses, government, and the other critical infrastructure sectors. Similarly, the national cyberspace strategy states that cyberspace is the nervous system supporting our nation's critical infrastructures and recognizes the Internet as the core of our information infrastructure.[Footnote 10] It is also important to note that there are critical interdependencies between sectors. For example, the telecommunications and information technology sectors, like many other sectors, depend heavily on the energy sector. Attacks on the Information Infrastructure Are Increasing: In recent years, cyber attacks involving malicious software or hacking have been increasing in frequency and complexity. These attacks can come from a variety of actors. Table 2 lists sources of cyber threats that have been identified by the U.S. intelligence community. Table 2: Sources of Cyber Threats Identified by the U.S. Intelligence Community: Threat: Bot-network operators; Description: Bot-network operators are hackers; however, instead of breaking into systems for the challenge or bragging rights, they take over multiple systems to enable them to coordinate attacks and to distribute phishing[A] schemes or malwareb attacks. Threat: Criminal groups; Description: Criminal groups attack systems for monetary gain. Specifically, organized crime groups are using spam, phishing, and spyware/malware to commit identity theft and online fraud. International corporate spies and organized crime organizations also pose a threat to the United States through their ability to conduct industrial espionage and large-scale monetary theft and to hire or develop hacker talent. Threat: Foreign intelligence services; Description: Foreign intelligence services use cyber tools as part of their information- gathering and espionage activities. In addition, several nations are aggressively working to develop information warfare doctrine, programs, and capabilities. Such capabilities would enable a single entity to have a significant and serious impact by disrupting the supply, communications, and economic infrastructures that support military power--impacts that could affect the daily lives of U.S. citizens across the country. Threat: Hackers; Description: Hackers break into networks for the thrill of the challenge or for bragging rights within the hacker community. Although remote cracking once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites. Thus, while attack tools have become more sophisticated, they also have become easier to use. According to the Central Intelligence Agency, the large majority of hackers do not have the requisite tradecraft to threaten difficult targets, such as critical U.S. networks. Nevertheless, the worldwide population of hackers poses a relatively high threat of causing an isolated or brief disruption that results in serious damage. Threat: Insiders; Description: The disgruntled organization insider is a principal source of computer crime. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat also includes outsourcing vendors as well as employees who accidentally introduce malware into systems. Threat: Spyware/Malware authors; Description: Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware and malware. Several destructive computer viruses and worms have harmed files and hard drives, including the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl) Virus, NIMDA, Code Red, Slammer, and Blaster. Threat: Terrorists; Description: Terrorists seek to destroy, incapacitate, or exploit critical infrastructures in order to threaten national security, cause mass casualties, weaken the U.S. economy, and damage public morale and confidence. Terrorists may use malicious software to gather sensitive information. Source: GAO analysis of data from the Federal Bureau of Investigation, the Central Intelligence Agency, and the Software Engineering Institute's CERT® Coordination Center. [A] Phishing involves the creation and use of e-mail and Web sites that are designed to look like the e-mail and Web sites of well-known legitimate businesses or government agencies, in order to deceive Internet users into disclosing their personal data for criminal purposes, such as identity theft and fraud. [B] Spyware/Malware is software designed with a malicious intent, such as a virus. [End of table] An intelligence report on global trends[Footnote 11] forecast that terrorists may develop capabilities to conduct both cyber and physical attacks against nodes of the world's information infrastructure-- including the Internet and other systems that control critical industrial processes--such as electricity grids, refineries, and flood control mechanisms. The report stated that terrorists already have specified the U.S. information infrastructure as a target and currently are capable of physical attacks that would cause at least brief, isolated disruptions. According to a Congressional Research Service report, the annual worldwide cost of major cyber attacks was, on average, $13.5 billion from 2000 to 2003. A more recently published report estimated that the worldwide financial impact of virus attacks was $17.5 billion in 2004 and $14.2 billion in 2005. Multiple Organizations Could Help in Recovering the Internet from a Major Disruption: In the event of a major Internet disruption, multiple organizations could help recover Internet service. These organizations include private industry, collaborative groups, and government organizations. Private industry is central to Internet recovery because private companies own the vast majority of the Internet's infrastructure and often have response plans. Collaborative groups--including working groups and industry councils--provide information-sharing mechanisms to allow private organizations to restore services. Additionally, government initiatives could facilitate responding to major Internet disruptions. Private Industry: Private industry organizations are critical to recovering Internet services in the event of a major disruption because they own and operate the vast majority of the Internet's infrastructure. This group of Internet infrastructure owners and operators includes telecommunications companies (such as AT&T and Verizon Communications), cable companies (such as Cox Communications and Time Warner Cable), Internet service providers (such as AOL and EarthLink), and root server operators (such as VeriSign and the University of Maryland). These entities own or operate cable lines; telephone lines; fiber-optic cables; or critical core systems, such as network routers and domain name servers. These private companies currently deal with cyber attacks and physical disruptions on the Internet on a regular basis. According to representatives of Internet infrastructure owners and operators, these firms typically have disaster recovery plans in place. For example, a representative from a major telecommunications company stated that the company has emergency response plans for its primary and secondary emergency operations centers. Similarly, representatives of a cable trade association reported that most cable companies have standard disaster recovery plans and a network operations center from which they can monitor recovery operations. Infrastructure representatives also noted that in the event of a network disruption, companies that are competitors work together to resolve the disruption. They said that although the companies are competitors, they have a business interest in cooperating because it is common to rely on each other's networks. For example, a representative of a major telecommunications company noted that the company has "mutual-aid" agreements with its competitors to exchange technicians and hardware in the event of an emergency. Collaborative Groups: Collaborative groups--working groups and industry councils that the private and public sectors have established to allow technical information sharing--help handle and recover from Internet disruptions. These collaborative groups are usually composed of individuals and experts from separate organizations. In the event of a major Internet disruption, these groups allow individuals from different companies to exchange information in order to assess the scope of the disruption and to restore services. Table 3 provides descriptions of selected collaborative groups. Table 3: Examples of Collaborative Groups: Group: North American Network Operators Group; Description: This group of network operators coordinates and disseminates technical information related to backbone/enterprise networking technologies and operational practices. It was originally established to discuss operational issues regarding the National Science Foundation's high-speed research and education network, which became the Internet. In the mid-1990s, the group revised its charter to include a broader base of network service providers. Although the National Science Foundation originally funded the group, it is now funded by conference registration fees and donations from vendors: Through the group's mailing list, members collaborate and assist each other in resolving network operating issues. In the event of a major Internet disruption, these information- sharing mechanisms are used to resolve issues related to the disruption. For example, group members used their mailing list to collaborate with each other when the Slammer worm hit in January 2003, causing significant Internet congestion. Through the mailing list, members were able to corroborate events and share mitigation strategies. Group: Network Service Providers Security Consortium; Description: This group was originally established in 2001 to allow individuals in the network service provider community to coordinate on network security issues and problems. Its primary information-sharing mechanism is through its e-mail list. Members of the list who observe disruptions or malicious activity can post their observations or concerns to the list, and other members can take action or provide assistance. Membership in the list is only available to those who have been identified by other group members as having a relevant need for the information on the list. As of March 2006, approximately 500 people subscribe to the list. If the list were not available or an issue needed to be addressed immediately, the group's organizer would be able to coordinate collaboration between the necessary parties: According to the group's organizer, the closed nature of the list is crucial to its value. The limited membership allows the building of trusted relationships and gives each member confidence that information posted to the list will not be misused. The organizer stated that the list has been very effective at resolving disruption issues. For example, the consortium's mailing list played a major role in resolving the root Domain Name System server attacks that occurred in October 2002. Group: Packet Clearing House; Description: The Packet Clearing House is a nonprofit research institute that supports operations and analyses in the areas of Internet traffic exchange, routing economics, and global network development. It hosts a hotline telephone system, called the Inter- Network Operations Center Dial-By-Autonomous System Number (a unique identifier for autonomous systems on the Internet). This system is a global voice telephony network that connects the network operations centers and security incident response teams of critical Internet infrastructure owners and operators, such as backbone providers, Internet service providers, and Internet exchange point operators. The hotline also connects critical individuals within the policy, regulatory, Internet governance, security, and vendor communities. The hotline is a closed system, ensuring secure and authenticated communications. It uses a combination of mechanisms to create a resilient, high-survivability network. Additionally, the hotline telephone system carries both routine operational traffic and emergency- response traffic. Representatives of several Internet service providers noted that they use this system to contact other network operators in order to resolve problems quickly. Group: Information Technology Information Sharing and Analysis Center; Description: This center is made up of representatives of companies from across the information technology industry. It helps facilitate operational information sharing, communication with other infrastructure sectors, and crisis response: The center works to improve security, reliability, and disaster recovery in information technology. The center identifies threats and vulnerabilities to information technology infrastructure (including the Internet) and shares best practices for how to quickly and properly address them. The representatives also stated that the Information Technology Information Sharing and Analysis Center facilitates information sharing and participates in exercises to test its ability to respond to incidents such as a major Internet disruption. For example, the center assisted with DHS's recent Cyber Storm exercise in February 2006. The center took a leadership role in Cyber Storm and prepared a concept of operations that addressed incident response to cyber or physical attacks. Group: Telecommunications Information Sharing and Analysis Center; Description: In 1984, following the divestiture of AT&T, the National Coordinating Center for Telecommunications was established to allow information sharing between representatives of the telecommunications companies. In January 2000, the center was designated the information sharing and analysis center for the telecommunications industry. The center is unique among information sharing and analysis centers in that it is actually a joint government/industry operation: According to a center representative, the main role of the Telecommunications Information Sharing and Analysis Center during an Internet disruption is to provide a protected forum in which industry members can collaborate and freely share information. In turn, this coordination effort will help expedite the overall Internet recovery. The industry chair of the center noted that this forum enables members to form trusted relationships with each other where they otherwise may not exist between competitors. An example of this cooperation occurred during the Code Red and NIMDA cyber attacks. Center members coordinated to understand and mitigate the attacks. Group: National Security Telecommunications Advisory Committee; Description: This committee provides industry-based analyses and recommendations to the President and the executive branch regarding telecommunications policy and proposals for enhancing national security and emergency preparedness. The committee is made up of 30 Presidentially appointed industry leaders, usually chief executive officers of companies in the telecommunications industry. Since the committee is composed of telecommunications executives, their role in Internet recovery is strategic as opposed to operational: Members of the committee have long established relationships with DHS's National Communications System and National Coordinating Center for Telecommunications. Committee representatives reported that the committee works closely with these entities during response and recovery activities following a terrorist attack or natural disaster. The committee and these entities also share information related to a variety of other issues, including modifications to federal policy associated with telecommunications in support of national security and emergency preparedness and changes in the commercial telecommunications marketplace: Additionally, the committee publishes reports that cover topics related to Internet recovery. In an October 2005 report, the committee provides an industry perspective on lessons learned in responding to the September 11, 2001, terrorist attacks. In the October report, the committee deemed Internet services to be increasingly important in disaster response and central to the mission-critical operations of business and government agencies, and it identified steps the government could take to help the coordination center better address potential network security issues, such as distributed denial- of- service attacks and software viruses. Source: GAO. [End of table] Government Organizations--DHS: Federal policies and plans[Footnote 12] assign DHS lead responsibility for facilitating a public/private response to and recovery from major Internet disruptions. Within DHS, responsibilities reside in two divisions within the Preparedness Directorate: the National Cyber Security Division (NCSD) and the National Communications System (NCS). NCSD operates the U.S. Computer Emergency Readiness Team (US-CERT), which coordinates defense against and response to cyber attacks. The other division, NCS, provides programs and services that ensure the resilience of the telecommunications infrastructure in times of crisis. National Cyber Security Division: In June 2003, DHS created NCSD to serve as a national focal point for addressing cybersecurity issues and to coordinate the implementation of the National Strategy to Secure Cyberspace. Its mission is to secure cyberspace and America's cyber assets in cooperation with public, private, and international entities. NCSD is the government lead on a public/private partnership supporting the US-CERT, an operational organization responsible for analyzing and addressing cyber threats and vulnerabilities and disseminating cyber- threat warning information. In the event of an Internet disruption, US- CERT facilitates coordination of recovery activities with the network and security operations centers of owners and operators of the Internet and with government incident response teams. NCSD also serves as the lead for the federal government's cyber incident response through the National Cyber Response Coordination Group. This group is the principal federal interagency mechanism for coordinating the preparation for, and response to, significant cyber incidents--such as a major Internet disruption. In the event of a major disruption, the group convenes to facilitate intragovernmental and public/private preparedness and operations. The group brings together officials from national security, law enforcement, defense, intelligence, and other government agencies that maintain significant cybersecurity responsibilities and capabilities. Members use their established relationships with the private sector and with state and local governments to help coordinate and share situational awareness, manage a cyber crisis, develop courses of action, and devise response and recovery strategies. NCSD also recently formed the Internet Disruption Working Group, which is a partnership between NCSD, NCS, the Department of the Treasury, the Department of Defense, and private-sector companies, to plan for ways to improve DHS's ability to respond to and recover from major Internet disruptions. The goals of the working group are to identify and prioritize the short-term protective measures necessary to prevent major disruptions to the Internet or reduce their consequences and to identify reconstitution measures in the event of a major disruption. National Communications System: NCS is responsible for ensuring a communications infrastructure for the federal government under all conditions--ranging from normal situations to national emergencies and international crises. NCS is composed of members from 23 federal departments and agencies.[Footnote 13] Although originally focused on traditional telephone service, due to the convergence of the Internet and telecommunications NCS has taken a larger role in Internet-related issues and has partnered with NCSD and private companies to address issues related to major Internet disruptions. For example, NCS now helps manage issues related to disruptions of the Internet backbone (e.g., high-capacity data routes). The National Coordinating Center for Telecommunications (National Coordinating Center), which serves as the operational component of NCS, also has a role in Internet recovery. The center has eight resident industry members (representing companies that were originally telephone providers) as well as additional nonresident members, including representatives of newer, more Internet-oriented companies. During a major disruption to telecommunications services, the center communicates with both resident and nonresident members, with the goal of restoring service as soon as possible. In the event of a major Internet disruption, the National Coordinating Center plays a role in the recovery effort through its partnerships and collaboration with telecommunications and Internet-related companies. Government Organizations--Federal Communications Commission: The Federal Communications Commission can support Internet recovery by coordinating resources for restoring the basic communications infrastructures over which Internet services run. For example, after Hurricane Katrina, the commission granted temporary authority for private companies to set up wireless Internet communications supporting various relief groups; federal, state, and local government agencies; businesses; and victims in the disaster areas. The commission also sponsors the Network Reliability and Interoperability Council. A primary goal of the council is to prevent Internet disruptions from occurring in the first place. The council has developed a list of best practices for Internet disaster recovery that provides guidance on strategic issues (such as exercising disaster recovery plans) as well as operational issues (such as how to restore a corrupt domain name server).[Footnote 14] Prior Evaluations of DHS's Cybersecurity Responsibilities Have Highlighted Issues and Challenges Facing the Department: In May 2005, we issued a report on DHS's efforts to fulfill its cybersecurity responsibilities.[Footnote 15] We noted that while DHS had initiated multiple efforts to fulfill its responsibilities, it had not fully addressed any of the 13 key cybersecurity responsibilities (see table 4) noted in federal law and policy. For example, we noted that the department established US-CERT as a public/private partnership to make cybersecurity a coordinated national effort, and it established forums to build greater trust and information sharing among federal officials with information security responsibilities and with law enforcement entities. However, DHS had not yet developed national cyber threat and vulnerability assessment or government/industry cybersecurity recovery plans--including a plan for recovering key Internet functions. We also noted in our May 2005 report that DHS faced a number of challenges that have impeded its ability to fulfill its cyber responsibilities. These challenges included achieving organizational stability, gaining organizational authority, overcoming hiring and contracting issues, increasing awareness of cybersecurity roles and capabilities, establishing effective partnerships with stakeholders, achieving two-way information sharing with stakeholders, and demonstrating the value that DHS can provide. We made recommendations to the department to strengthen its ability to implement key responsibilities by completing critical activities and resolving underlying challenges. DHS agreed that strengthening cybersecurity is central to protecting the nation's critical infrastructures and that much remained to be done, but it has not yet addressed our recommendations. We continue to evaluate DHS's progress in implementing our recommendations. Table 4: DHS's Key Cybersecurity Responsibilities: * Develop a national plan for critical infrastructure protection, including cybersecurity. * Develop partnerships and coordinate with other federal agencies, state and local governments, and the private sector. * Improve and enhance public/private information sharing involving cyber attacks, threats, and vulnerabilities. * Develop and enhance national cyber analysis and warning capabilities. * Provide and coordinate incident response and recovery planning efforts; * Identify and assess cyber threats and vulnerabilities. * Support efforts to reduce cyber threats and vulnerabilities. * Promote and support research and development efforts to strengthen cyberspace security. * Promote awareness and outreach. * Foster training and certification. * Enhance federal, state, and local government cybersecurity. * Strengthen international cyberspace security. * Integrate cybersecurity with national security. Source: GAO analysis of law and policy. [End of table] Although Both Cyber and Physical Incidents Have Caused Disruptions, the Internet Has Not Yet Suffered a Catastrophic Failure: The Internet's infrastructure is vulnerable to disruptions in service due to terrorist and other malicious attacks, natural disasters, accidents, technological problems, or a combination of the above. Disruptions to Internet service can be caused by cyber and physical incidents--both intentional and unintentional. Private network operators routinely deal with Internet disruptions of both types. Recent cyber and physical incidents have caused localized or regional disruptions, highlighting the importance of recovery planning. However, these incidents have also shown the Internet as a whole to be flexible and resilient. Even in severe circumstances, the Internet has not yet suffered a catastrophic failure. Internet Disruptions Have Been Caused by Both Cyber and Physical Incidents: The Internet can be disrupted by either cyber or physical incidents, or by a combination of the two. These incidents can be intentional (such as a cyber attack or a terrorist attack on our nation's physical infrastructure) or unintentional (such as a software malfunction or a natural disaster). Table 5 provides examples of intentional and unintentional cyber and physical incidents. Table 5: Examples of Potential Internet Disruptions: Intentional act; Cyber incident: * malicious code (virus, worm, or other attack); * hacking; * distributed denial-of-service attack; * insider manipulating systems (changing router configurations); Physical incident: * terrorist bomb; * foreign nation attack; * intentional cutting of fiber-optic cables. Unintentional act; Cyber incident: * software glitch; * hardware malfunction; * improper configuration of software or hardware; Physical incident: * severe natural event (hurricane, earthquake, or flood); * accidental cutting of fiber-optic cables; * other industrial accidents (chemical spill or fire). Source: GAO. [End of table] A cyber incident could cause a disruption if it affects a network protocol or an application that is integral to the working of the Internet. A cyber incident could be unintended (such as a software problem) or intended (such as an attack using malicious software or hacking that causes a disruption of service). Unintended incidents have caused significant disruptions in the past. For example, in 1998, a major Internet backbone provider had a massive outage due to a software flaw in the infrastructure that caused systems to crash; in 2002, a different provider had an outage due to a router with a faulty configuration. Intentional incidents, or malicious attacks, have been increasing in frequency and complexity and recently have been linked to organized crime. Examples of malicious attacks include viruses and worms. Viruses and worms are often used to launch denial-of-service attacks, which flood targeted networks and systems with so much data that regular traffic is either slowed or stopped. Such attacks have been used ever since the groundbreaking Morris worm in November 1988, which brought 10 percent of the systems connected to the Internet to a halt. More recently, in 2001, the Code Red worm used a denial-of-service attack to affect millions of computer users by shutting down Web sites, slowing Internet service, and disrupting business and government operations.[Footnote 16] Cyber attacks can also cause Internet disruptions by targeting specific protocols, such as the Border Gateway Protocol or the Domain Name System. If a vulnerability in the Border Gateway Protocol was exploited, the ability of Internet traffic to reach its destination could be limited or halted. Some experts believe that it could take weeks to recover from a major attack on the Border Gateway Protocol. The Domain Name System is also susceptible to various attacks, including the corruption of stored domain name information and the misdirection of addresses. Recently, hackers have used domain name servers to launch denial-of-service attacks--thereby amplifying the strength of the attacks. A network security expert stated that there have been numerous attacks of this type recently, and that some attacks have targeted top-level domains[Footnote 17] and Internet service providers. Attacks against top-level domain servers could disrupt users' capability to connect to various Internet addresses. It could take several days to recover from a massive disruption of the domain name server system. As the number of individuals with computer skills has increased, more intrusion, or hacking, tools have become readily available and relatively easy to use. Frequently, skilled hackers develop exploitation tools and post them on Internet hacking sites. These tools are then readily available for others to download, allowing even inexperienced programmers to create a computer virus or to literally point and click to launch an attack. According to the National Institute of Standards and Technology, 30 to 40 new attack tools are posted on the Internet every month. Experts also agree that there has been a steady advance in the sophistication and effectiveness of attack technology. In the case of insider incidents, these tools may not even be necessary, because insiders often have unfettered access to their employers' computer systems. In one incident, an insider installed unauthorized backdoor access to his employer's systems. After his termination, the insider used these back doors to gain access to the systems and to delete accounts, change passwords, and delete security logs. While this is a case of an insider disrupting a single network, an insider could also use this knowledge to disrupt the operation of an Internet service provider. For example, an insider at a company that develops critical routing hardware might be able to use specific technical knowledge of the products to create an attack that could disrupt networks that use that particular equipment. To date, cyber attacks have caused various degrees of damage. The following case studies provide examples of cyber attacks; the effects of these attacks; and the government's role, if any, in recovery (see figs. 4 and 5). Figure 4: Case Study--The Slammer Worm: On Saturday, January 25, 2003, the Slammer worm infected more than 90 percent of vulnerable computers worldwide within 10 minutes of its release on the Internet by exploiting a known vulnerability for which a patch had been available since July 2002. Slammer caused network outages, canceled airline flights, and automated teller machine failures. In addition, the Nuclear Regulatory Commission confirmed that the Slammer worm had infected a private computer network at a nuclear power plant, disabling a safety monitoring system for nearly 5 hours and causing the plant's process computer to fail. The worm reportedly also affected communications on the control networks of at least five utilities by propagating so quickly that control system traffic was blocked. In addition, on Monday, January 27, the worm infected more networks when U.S. and European business hours started. Cost estimates on the impact of the worm range from $1.05 billion to $1.25 billion. Slammer resulted in temporary loss of Internet access to some users and increased network traffic worldwide. Postincident studies noted that if the worm had been malicious or had exploited more widespread vulnerabilities, it would have caused a significant disruption to Internet traffic. Responses to Slammer were quick. Within 1 hour, Web site operators were able to filter the worm. The disruption was partly resolved by network operators blocking the main communication channel that the worm was using, which helped control the spread of the worm. Security experts advised network operators to use firewalls to block the channel and to apply the patch before reconnecting services. In addition, private- sector network operators used the North American Network Operators Group mailing list to collaborate with each other in restoring infected networks. The federal government coordinated with security companies and Internet service providers and released an advisory recommending that federal departments and agencies patch and block access to the affected channel. However, most of these activities occurred after the worm had stopped spreading because it had propagated so quickly. Source: GAO analysis of GAO and other published reports. [End of Figure] Figure 5: Case Study--A Root Server Attack: On Monday, October 21, 2002, a coordinated denial-of-service attack was launched against all of the root servers in the Domain Name System. All 13 root servers, located around the world, were targeted. The root servers experienced an unusually high volume of traffic. Two root server operators reported that traffic was 3 times the normal level, while another reported that traffic was 10 times the normal level. The attacks lasted for approximately 1 hour and 15 minutes. While reports of the attack differ, they all agreed that at least 9 of the servers experienced degradation in service. Specifically, 7 failed to respond to legitimate network traffic and 2 others failed intermittently during the attack. Some root servers were unreachable from many parts of the global Internet because of traffic congestion from the attack. While all of the servers continued to answer any queries they received (because of their substantial backup capacity), many did not receive all of the queries that had been routed to them due to the high volume of traffic. However, average end users hardly noticed the attack. The attack became visible only as a result of various Internet health- monitoring projects. According to experts, the root name servers would have to be down for several hours before the effects would be noticeable to end users. The response to these attacks was handled by the server operators and their service providers. The Domain Name System servers worked as they were designed to, and demonstrated robustness against a concerted, synchronized attack. However, the attack pointed to a need to increase the capacity of servers at Internet exchange points in order to manage the high volumes of data traffic that occur during an attack. The attacks led to systems receiving faster-than-normal upgrades. According to experts familiar with the attack, the government did not have a role in recovering from this attack. Source: GAO analysis of interviews and published reports from sources, including root name server operators and current and former government officials. [End of Figure] A physical incident could be caused by an intentional attack, a natural disaster, or an accident. For example, terrorist attacks, storms, earthquakes, and unintentional cutting of cables can all cause physical disruptions. Physical incidents causing Internet and telecommunications disruptions occur regularly--often as a result of the accidental cutting of cable lines. Physical incidents could affect various aspects of the Internet infrastructure, including underground or undersea cables and facilities that house telecommunications equipment, Internet exchange points, or Internet service providers. Such incidents could also disrupt the power infrastructure--leading to an extended power outage and thereby disrupting telecommunications and Internet service. The following case studies provide examples of physical incidents that caused Internet disruptions and the effect of these incidents (see figs. 6 to 8). Figure 6: Case Study--The Baltimore Train Tunnel Fire: On July 18, 2001, a 60-car freight train derailed in a Baltimore tunnel, causing a fire that interrupted Internet and data services between Washington and New York. The tunnel housed fiber-optic cables that served seven of the biggest U.S. Internet service providers. The fire burned and severed fiber-optic cables, causing backbone slowdowns for at least three major Internet service providers. There were sporadic reports from across the Northeast corridor about service disruptions and delays. For example, users in Baltimore did not suffer disrupted service, while users in Washington D.C. did suffer disruptions. In addition, there were selected impacts far outside the disaster zone. For example, the U.S. embassy in Lusaka, Zambia, experienced problems with e-mail. Two of the service providers had service restored within 2 days. Despite the outages caused by the fire, the Internet continued to operate. Efforts to recover Internet service were handled by the affected Internet service providers. City officials also worked with telecommunications and networking companies to reroute cables. Other federal and local government efforts to resolve the disruption consisted of responding to the immediate physical issues of extinguishing the fire, maintaining safety in the surrounding area, and rerouting traffic. Source: GAO analysis of a Department of Transportation report. [End of Figure] Figure 7: Case Study--The September 11, 2001, Terrorist Attack on the World Trade Center: [See PDF for image] Source: GAO analysis of report entitled The Internet Under Crisis Conditions: Learning from September 11, the National Research Council, National Academy Press: Washington, D.C., 2003, and other published reports. [End of figure] Figure 8: Case Study--Hurricane Katrina: [See PDF for image] Sources: GAO analysis of published reports and testimonies by DHS, FCC, NSTAC, and Renesys as well as interviews with private-sector officials. [End of figure] The Internet Has Not Yet Experienced a Catastrophic Disruption: Since its inception, the Internet has experienced disruptions of varying scale--from fast-spreading worms, to denial-of-service attacks, to physical destruction of key infrastructure components. However, the Internet has yet to experience a catastrophic disruption. Experts agree--and case studies show--that the Internet is resilient and flexible enough to handle and recover from many types of disruptions. While specific regions may experience Internet disruptions, backup servers and the ability to reroute traffic limit the effect of many targeted attacks. These efforts highlight the importance of recovery planning. However, it is possible that a complex attack or set of attacks could cause the Internet to fail. It is also possible that a series of attacks against the Internet could undermine users' trust--and thereby reduce the Internet's utility. Existing Laws and Regulations Apply to the Internet, but Numerous Uncertainties Exist in Using Them for Internet Recovery: Several federal laws and regulations provide broad guidance that applies to the Internet infrastructure, but it is not clear how useful these authorities would be in helping to recover from a major Internet disruption, because some do not specifically address Internet recovery and others have seldom been used. Pertinent laws and regulations address critical infrastructure protection, federal disaster response, and the telecommunications infrastructure (see app. II for additional details). Specifically, the Homeland Security Act of 2002[Footnote 18] and Homeland Security Presidential Directive 7[Footnote 19] establish critical infrastructure protection as a national goal and describe a strategy for cooperative efforts by the government and the private- sector to protect the cyber-and physical-based systems that are essential to the operations of both the economy and the government. These authorities apply to the Internet because it is a core communications infrastructure supporting the information technology and telecommunications sectors. However, this law and regulation do not specifically address roles and responsibilities in the event of an Internet disruption. Regarding federal disaster response, the Defense Production Act[Footnote 20] and the Stafford Act[Footnote 21] provide authority to federal agencies to plan for and respond to incidents of national significance--like disasters and terrorist attacks. Specifically, the Defense Production Act authorizes the President to ensure the timely availability of products, materials, and services needed to meet the requirements of a national emergency. The act is applicable to critical infrastructure protection and restoration, but it has never been used for Internet recovery. The Stafford Act authorizes federal assistance to states, local governments, nonprofit entities, and individuals in the event of a major disaster or emergency. However, the act does not authorize assistance to for-profit companies--such as those that own and operate core Internet components. Several representatives of private companies reported that they were unable to obtain needed resources to restore the communications infrastructure in the aftermath of Hurricane Katrina because the act does not extend to for-profit companies. Other legislation and regulations, including the Communications Act of 1934[Footnote 22] and the National Communications System (NCS) authorities,[Footnote 23] govern the telecommunications infrastructure and help ensure communications during national emergencies. The act governs the regulation of the telecommunications infrastructure upon which the Internet depends. However, coverage of the Internet is subsumed in provisions that govern interstate wire and radio communications, and there is no specific provision governing Internet recovery. NCS authorities establish guidance for operationally coordinating with industry to protect and restore key national security and emergency preparedness communications services. These authorities grant the President certain emergency powers regarding telecommunications, including the authority to require any carrier subject to the Communications Act of 1934 to grant preference or priority to essential communications.[Footnote 24] The President may also, in the event of war or national emergency, suspend regulations governing wire and radio transmissions and authorize the use or control of any such facility or station and its apparatus and equipment by any department of the government. Although these authorities remain in force and are implemented in the Code of Federal Regulations, they have been seldom used--and never for Internet recovery. Thus, it is not clear how effective they would be if used for this purpose. In commenting on the statutory authority for Internet reconstitution following a disruption, DHS agreed that this authority is lacking and noted that the government's roles and authorities related to assisting Internet reconstitution following a disruption are not fully defined. In a written response, DHS attorneys identified several statutes and other authorities that provide authority for the NCS telecommunications response functions in a situation involving national security and emergency preparedness. DHS stated the following: "The Internet infrastructure is owned and operated by the private sector. Although certain policies direct DHS to work with the private sector to ensure infrastructure protection, DHS does not have the authority to direct Internet owners and operators in their recovery efforts." DHS Initiatives Supporting Internet Recovery Planning Are under Way, but Much Remains to Be Done and the Relationships among Initiatives Are Not Evident: DHS has begun a variety of initiatives to fulfill its responsibility for developing an integrated public/private plan for Internet recovery, but these efforts are not complete or comprehensive. Specifically, DHS has developed high-level plans for infrastructure protection and national disaster response, but the components of these plans that address the Internet infrastructure are not complete. In addition, DHS has started a variety of initiatives to improve the nation's ability to recover from Internet disruptions, including working groups to facilitate coordination and exercises in which government and private industry practice responding to cyber events. While these activities are promising, some initiatives are not complete, others lack time lines and priorities, and still others lack effective mechanisms for incorporating lessons learned. In addition, the relationships among these initiatives are not evident. As a result, the nation is not prepared to effectively coordinate public/private plans for recovering from a major Internet disruption. DHS Has Developed High-level Protection and Response Plans, but Key Components Are Not Complete: Federal policy establishes DHS as the central coordinator for cyberspace security efforts and tasks the department with developing an integrated public/private plan for Internet recovery.[Footnote 25] DHS has two key documents that guide its infrastructure protection and recovery efforts, but components of these plans dealing with Internet recovery are not complete. The National Response Plan is DHS's overarching framework for responding to domestic incidents. The plan, which was released in December 2004, contains the following two components that address issues related to telecommunications and the Internet: * The Emergency Support Function 2 of the plan identifies federal actions to provide temporary emergency telecommunications during a significant incident and to restore telecommunications after the incident. It assigns roles and responsibilities to different federal agencies; provides guidelines for incident response; and identifies actions to take before, during, and after the incident. Because the Internet is supported by the telecommunications infrastructure, this section of the plan could help with Internet recovery efforts. * The Cyber Incident Annex identifies policies and organizational responsibilities for preparing for, responding to, and recovering from cyber-related incidents impacting critical national processes and the national economy. The annex recognizes the National Cyber Response Coordination Group as the principal federal interagency mechanism to coordinate the government's preparation for, response to, and recovery from a major Internet disruption or significant cyber incident. These components, however, are not complete in that the Emergency Support Function 2 does not directly address Internet recovery, and the Cyber Incident Annex does not reflect the National Cyber Response Coordination Group's current operating procedures. DHS officials acknowledged that both Emergency Support Function 2 and the Cyber Incident Annex need to be revised to reflect the maturing capabilities of the National Cyber Response Coordination Group, the planned organizational changes affecting NCS and NCSD, and the convergence of voice and Internet networks. However, DHS has not reached consensus on the best approach for revising these components, and it has not established a schedule for revising the overall plan. The Draft National Infrastructure Protection Plan consists of both a base plan and sector-specific plans, but these have not been finalized. A January 2006 draft of the base plan identifies roles, responsibilities, and a high-level strategy for infrastructure protection across all sectors. It emphasizes the need to protect and recover the cyber infrastructure, including the Internet. Additionally, the sector plans are expected to apply the strategies identified in the base plan to the infrastructure sectors. For example, the information technology sector plan identifies relationships within the information technology sector and with other infrastructure sectors. It also identifies preliminary steps for infrastructure protection, such as identifying key assets and the consequences of the failure of those assets. DHS is planning to finalize its base plan in 2006, but it has not yet set a date for doing so. Once this plan is released, it will lead to the development of the more detailed sector-specific plans. The next versions of the information technology and telecommunications sector plans are due to DHS within 180 days of the release of the final base plan. While DHS's intentions to revise these plans are necessary steps in the right direction, the plans do not fulfill the department's responsibility to develop an integrated public/private plan for Internet recovery. Several representatives of private-sector firms supporting the Internet infrastructure expressed concerns about both plans, noting that the plans would be difficult to execute in times of crisis. Other representatives were uneasy about the government developing recovery plans, because they were not confident in the government's ability to successfully execute the plans. DHS officials acknowledged that it will be important to obtain input from private- sector organizations as they refine these plans and initiate more detailed public/private planning. Until both the National Response Plan and the National Infrastructure Protection Plan are updated and more detailed public/private planning begins, DHS lacks the integrated approach to Internet recovery called for in the cyberspace strategy and risks not being prepared to effectively coordinate such a recovery. Other DHS Initiatives Related to Internet Recovery Planning Are under Way, but They Are Incomplete and the Relationships among the Initiatives Are Not Evident: While the National Response Plan outlines an overall framework for incident response, it is designed to be supplemented by more specific plans and activities. DHS has numerous initiatives under way to better define its ability to assist in responding to major Internet disruptions. These initiatives include task forces, working groups, and exercises. While these activities are promising, some initiatives are incomplete, others still lack time lines and priorities, and others lack an effective mechanism for incorporating lessons learned. In addition, the relationships and interdependencies among different initiatives are not evident. As a result, tangible progress toward improving the government's ability to help recover from a major Internet disruption has been limited. DHS Plans to Revise the Role and Mission of the National Communications System, but This Effort Is Not Yet Complete: DHS plans to revise the role and mission of the National Communications System (NCS) to reflect the convergence of voice and data communications, but this effort is not yet complete. NCS is responsible for ensuring the availability of a viable national security and emergency preparedness communications infrastructure. Originally focused on traditional telephone service, NCS has recently taken on a larger role in Internet-related issues due to the convergence of the infrastructures that serve traditional telephone traffic and those that serve data (such as Internet traffic). A presidential advisory committee on telecommunications[Footnote 26] has established two task forces to recommend changes to NCS's role, mission, and functions to reflect this convergence. One task force focused on changes due to next- generation network technologies, while the other focused on revising the role and mission of NCS's National Communications Center. Appendix III provides additional details on the two task forces. Both task forces have made recommendations to improve NCS's operations, but DHS has not yet developed plans to address these recommendations. Until NCS completes efforts to revise its role and mission, the group is at risk of not being prepared to address the unique issues that could be caused by future Internet disruptions. National Cyber Response Coordination Group Is Defining Its Roles and Responsibilities, but Much Remains to Be Done: As a primary entity responsible for coordinating governmentwide responses to cyber incidents--such as major Internet disruptions--DHS's National Cyber Response Coordination Group is working to define its roles and responsibilities, but much remains to be done. The group reported that it has begun efforts to define its roles, responsibilities, capabilities, and activities. For example, the group has developed a concept of operations--which includes a high-level recovery function--but is waiting for the results of additional analyses before revising and enhancing the concept of operations. The group also drafted operating procedures that it used during a national cyber exercise in February 2006, and it plans to incorporate lessons learned from the exercise into the operating procedures and to issue revised procedures by June 2006. The group also reported that it has made progress on initiatives to (1) map the current capabilities of government agencies to detect, respond to, and recover from cyber incidents; (2) identify secure communications capabilities within the government that can be used to respond to cyber incidents; (3) perform a gap analysis of different agencies' capabilities for responding to cyber incidents; and (4) establish formal resource-sharing agreements with other federal agencies as well as state and local governments. However, much remains to be done to complete these initiatives. One challenge facing the National Cyber Response Coordination Group is the "trigger" for government involvement. Currently, the group can be activated by: * a cyber incident that may relate to or constitute a terrorist attack, a terrorist threat, a threat to national security, a disaster, or any other cyber emergency requiring federal government response; * a confirmed, significant cyber incident directed at one or more national critical infrastructures; * a cyber incident that impacts or potentially impacts national security, national economic security, public health or safety, or public confidence and morale; * discovery of an exploitable vulnerability in a widely used protocol; * other complex or unusual circumstances related to a cyber incident that requires interagency coordination; or: * any cyber incident briefed to the President. DHS officials acknowledged that the trigger to activate this group is imprecise and will need to be clarified. Because key activities to define roles, responsibilities, capabilities, and the appropriate trigger for government involvement are still under way, the group is at risk of not being able to act quickly and definitively during a major Internet disruption. The Internet Disruption Working Group Was Established to Work with the Private Sector to Establish Plans to Respond to Major Internet Disruptions, but It Lacks Time Lines and Priorities for Its Initiatives: Since most of the Internet is owned and operated by the private sector, NCSD and NCS established the Internet Disruption Working Group to work with the private sector to establish priorities and develop action plans to prevent major disruptions of the Internet and to identify recovery measures in the event of a major disruption. The group includes representatives of both domestic and international government agencies and private Internet-related companies. According to DHS officials who organized the group, the group held its first forum in November 2005 to begin to identify real versus perceived threats to the Internet, refine the definition of an Internet disruption, determine the scope of a planned analysis of disruptions, and identify near-term protective measures. DHS officials stated that they had identified a number of potential future plans, including meeting with industry representatives to: * better understand what constitutes normal network activity and what suggests malicious activity; * further refine the definition of an Internet disruption; * determine which public/private organizations would be contacted in an emergency and what contingency plans the government could establish; * encourage implementation of best practices for protecting key Internet infrastructure, including the Domain Name System; and: * consider requiring improved security technologies for the Domain Name System and the Border Gateway Protocol in government contracts. Efforts such as those previously mentioned appear to be worthwhile; however, agency officials have not yet finalized plans, resources, or milestones for these efforts. Until they do, the benefits of these efforts will not be fully realized. The North American Incident Response Group Is an Additional Mechanism for Outreach to the Private Sector, but Its Efforts Are Early: In addition to the Internet Disruption Working Group, US-CERT officials formed the North American Incident Response Group. The group, modeled on similar groups in Asia and Europe, includes both public and private- sector network operators who would be the first to recognize and respond to cyber disruptions. In September 2005, US-CERT officials conducted regional workshops with group members to share information on structure and programs and incident response, and to seek ways for the government and industry to work together operationally. The attendees included 32 organizations, such as computer security incident response teams; information sharing and analysis centers; members of private firms that provide security services; information technology vendors; and other organizations that participate in cyber watch, warning, and response functions. US-CERT officials stated that these events were highly successful, and that they hope to continue to hold such events quarterly beginning in 2006. As a result of the first meetings, US-CERT officials developed a list of action items and assigned milestones to some of these items. For example, US-CERT has established a secure instant messaging capability to communicate with group members. In addition, it plans to conduct a survey of the group members to determine what they need from US-CERT and what types of information they can provide. While the outreach efforts of the North American Incident Response Group are promising, DHS has only just begun developing plans and activities to address the concerns of private-sector stakeholders. DHS Has Conducted Initial Exercises That Address Cyber Disruption, but Efforts to Incorporate Lessons Learned into DHS Operations Are Lacking: Over the last few years, DHS has conducted several broad intergovernmental exercises to test regional responses to significant incidents that could affect the critical infrastructure. These regional exercises included incidents that could cause localized Internet disruptions, and they resulted in numerous findings and recommendations regarding the government's ability to respond to and recover from a major Internet disruption. For example, selected exercises found that both the government and private-sector organizations were poorly prepared to effectively respond to cyber events. They cited the lack of clarity on roles and responsibilities, the lack of coordination and communication, and a limited understanding of cybersecurity concerns as serious obstacles to effective response and recovery from cyber attacks and disruptions. Furthermore, regional participants reported being unclear regarding who was in charge of incident management at the local, state, and national levels. More recently, in February 2006, DHS conducted an exercise called Cyber Storm, which was focused primarily on testing responses to a cyber- related incident of national significance. The exercise involved a simulated large-scale attack affecting the energy and transportation infrastructures, using the telecommunications infrastructure as a medium for the attack. The results of this exercise have not yet been published. (Details on these exercises are provided in app. IV.) Exercises that include Internet disruptions can help to identify issues and interdependencies that need to be addressed. However, DHS has not yet identified planned activities and milestones or identified which group should be responsible for incorporating into its plans and initiatives lessons learned from the regional and Cyber Storm exercises. Without a coordination process, plans, and milestones, there is less chance that the lessons learned from the exercises will be successfully transferred to operational improvements. The Relationships and Interdependencies among Various DHS Initiatives Are Not Evident: While DHS has various initiatives under way--including efforts to update the National Response Plan, task forces assessing changes to NCS, working groups on responding to cyber incidents, and exercises to practice recovery efforts--the relationships and interdependencies among these various efforts are not evident. For example, plans to update the National Response Plan to better reflect the Internet infrastructure are related to task force efforts to suggest changes to NCS to deal with the convergence of voice and data technologies. However, it is not clear how these initiatives are being coordinated. Furthermore, the National Cyber Response Coordination Group, the Internet Disruption Working Group, and the North American Incident Response Group are all meeting to discuss ways to address Internet recovery, but the interdependencies among the groups have not been clearly established. Additionally, it is not evident that lessons learned from the various cyber-related exercises are being incorporated in the planned revision of the National Response Plan or the ongoing efforts of the various working groups. Without a thorough understanding of the interrelationships among its various initiatives, DHS risks pursuing redundant efforts and missing opportunities to build on related efforts. DHS officials acknowledged that they have not yet fully coordinated the various initiatives aimed at enhancing the department's ability to help respond to and recover from a major Internet disruption, but they noted that the complexity of this undertaking and the number of entities involved in Internet recovery make this effort challenging. Multiple Challenges Exist to Planning for Recovery from Internet Disruptions: Although DHS has various initiatives under way to improve Internet recovery planning, it faces key challenges in developing a public/ private plan for Internet recovery, including (1) innate characteristics of the Internet that make planning for and responding to a disruption difficult, (2) a lack of consensus on DHS's role and on when the department should get involved in responding to a disruption, (3) legal issues affecting DHS's ability to provide assistance to restore Internet service, (4) reluctance of the private-sector to share information on Internet disruptions with DHS, and (5) leadership and organizational uncertainties within DHS. Until it addresses these challenges, DHS will have difficulty achieving results in its role as the focal point for recovering the Internet from a major disruption. Key Internet Characteristics Make Recovery More Difficult: The Internet's diffuse structure, vulnerabilities in its basic protocols, and lack of agreed-upon performance measures make planning for and responding to a disruption more difficult. Control of the Internet Is Diffuse: The diffuse control of the Internet makes planning for recovering from a disruption more challenging. The components of the Internet are not all governed by the same organization. Some components of the Internet are controlled by government organizations, while others are controlled by academic or research institutions. However, the vast majority of the Internet is owned and operated by the private sector. Each organization makes decisions to implement or not implement various standards based on issues such as security, cost, and ease of use. Therefore, any plan for responding to a disruption requires the agreement and cooperation of these private-sector organizations. In addition, the Internet is international. According to private-sector estimates, only about 20 percent of Internet users are in the United States. Cyber actors in one country have the potential to impact systems connected to the Internet in another country. This geographical diversity makes planning for Internet recovery more difficult. Vulnerabilities in Internet-Related Protocols Make Responding to Disruptions Difficult: The Internet's protocols have vulnerabilities that can be exploited. Examples of these vulnerabilities include the following: * The version of Internet Protocol (IPv4) that is widely used today has certain security limitations that have been addressed but are not fully integrated into the protocol. The newest version of the protocol (IPv6) addresses some of these limitations, but it has not yet been fully adopted.[Footnote 27] * The Domain Name System, which directs users to the correct Web site based on the name they typed in, was not originally built with the intent of being resistant to attacks. Domain name servers or caches storing Domain Name System information can be corrupted. Although some protective measures have been implemented, a method to encrypt and protect Domain Name System information has not yet been widely deployed. * Border Gateway Protocol, the protocol that transmits routing information among separate networks, has vulnerabilities that, if not mitigated, could subject those networks to attack. For example, a malicious actor could advertise incorrect routing information. Because this protocol provides the basis for all Internet connectivity, a successful attack could have wide-ranging effects. Lack of Standards for Measuring Internet Performance Hinders the Ability to Recognize Disruptions and Recover Accordingly: There are no well-accepted standards for measuring and monitoring the Internet infrastructure's availability and performance. Instead, individuals and organizations rate the Internet's performance according to their own priorities. The commonly used version of Internet Protocol (IPv4) does not guarantee a priority or speed for delivery, but rather provides "best effort" service. The next version (IPv6) has features that may help the delivery of future Internet traffic, but it is not yet widely used.[Footnote 28] The topic of guaranteeing a particular level of service, called "quality of service," is currently the subject of much research. For example, NCS requested information from private companies on the potential for prioritizing certain types of Internet service over others if network capacity was limited; NCS found that there is currently no offering of a priority service, nor is there any consensus by industry on a standard approach to prioritization. Obstacles to offering the service include both technical and financial challenges. Since there are no clear standards for quality of service, prioritizing service if capacity is limited or setting thresholds that indicate a disrupted network can be difficult. Private-sector representatives identified additional challenges to network measurement and performance standards, including a reluctance to share proprietary performance data that other companies could use for competitive advantage, flaws in measurement techniques, and the ability to "spoof" performance data. The lack of agreement on standards for measurement and performance limits the ability of the government and private sector to readily identify poor performance and identify when recovery efforts should begin. There Is No Consensus on DHS's Role in Responding to Internet Disruption or the Appropriate Trigger for Its Involvement: There is a lack of consensus about the role DHS should play in responding to a major Internet disruption and about the appropriate trigger for its involvement. As we previously noted in this report, the lack of clear legislative authority for Internet recovery efforts complicates the definition of this role. DHS's Role Lacks Consensus: DHS is currently providing information to private industry through existing US-CERT and National Coordinating Center relationships and conducting exercises such as Cyber Storm. US-CERT and National Coordinating Center officials are also working to improve their relationships with the private sector. However, DHS officials acknowledged that their role in recovering from an Internet disruption needs additional clarification, because private industry owns and operates the vast majority of the Internet. Private-sector officials representing telecommunication backbone providers and Internet service providers were also unclear about the types of assistance DHS could provide in responding to an incident and about the value of such assistance. While many officials stated that the government did not have a direct recovery role, others identified a variety of roles ranging from providing information on specific threats (which DHS currently does through US-CERT), providing security and disaster relief support during a crisis, funding backup communication infrastructures, and driving improved Internet security through requirements for its own procurement. Clearly, there was no consensus among the officials on this issue. Table 6 summarizes potential roles suggested by private-sector representatives and DHS officials' assessments of each area. Table 6: Potential DHS Roles: Potential role: Serve as a focal point with state and local governments to establish standard credentials to allow Internet and telecommunications companies access to areas that have been restricted or closed in a crisis; DHS assessment of activities: NCS officials stated that credentials are primarily controlled by state and local government officials. However, NCS stated that it is working with a telecommunications company and Georgia on a pilot credentialing process for telecommunications and electric power teams in a disaster area to restore critical infrastructure. Once the pilot process is generally agreed to with Georgia officials, NCS stated it will share this information with other state and local officials to provide them with the option of adopting it the next hurricane season. The agency may consider a formal credentialing system for the next hurricane season. Potential role: Provide logistical assistance, such as fuel, power, and security, to Internet infrastructure operators; DHS assessment of activities: NCS currently does not provide such services directly, and the Stafford Act does not authorize DHS to provide direct assistance to private companies. However, the National Coordinating Center has assisted companies in obtaining these services from other companies in previous physical disruptions. An NCS official acknowledged that providing these services in the case of Hurricane Katrina was challenging because of the scale of the disaster and difficulties in coordination with other government organizations. Potential role: Conduct a more formal analysis of physical diversity in service routes so that a customer with multiple telecommunications vendors would be able to determine the extent to which the vendors' circuits physically overlap; DHS assessment of activities: NCS stated it has developed a formal analysis process to assist federal agencies in conducting analyses of physical diversity in service routes for any given site. The formal NCS analysis process requires full collaboration between NCS and the requesting agency. An abbreviated analysis process is also available for those agencies wishing to conduct their analyses independently. However, DHS stated that an overall analysis of physical diversity in service routes for all federal agency locations would be a massive undertaking. It would also be extremely expensive and is currently beyond even industry's capability to maintain. Potential role: Focus on smaller scale exercises targeted at specific Internet disruption issues. An example would be an exercise focused on root server/top-level domain attacks; DHS assessment of activities: DHS officials stated that they agree with this premise and are planning a tabletop exercise specifically focused on the Internet. A group of government and private-sector experts first met to plan the exercise in March 2006. The exercise is currently planned for June 2006. Potential role: Limit the initial focus for Internet recovery planning to key national security and emergency preparedness functions, such as public health and safety, similar to NCS's approach to telephone service. This would make the scope of planning efforts more manageable; DHS assessment of activities: DHS officials agree that this may be a more appropriate place to start. They stated that a focus on these areas would likely be more positively received by the private sector than larger scale planning efforts. However, they stated that this prioritization will require discussions among stakeholders. These officials noted that the Next Generation Network Task Force addressed prioritization. However, there are no immediate plans that target this particular issue. Potential role: Fund backup communications systems; DHS assessment of activities: NCS initiated a program, called the Shared Resources High- Frequency Radio Program, to provide backup radio communications during an emergency. The purpose of the program is to provide a single, interagency emergency message-handling system by bringing together existing radio resources of federal, state, and industry organizations when normal communications are destroyed or unavailable for the transmission of national security and emergency preparedness information. In addition, DHS operates the Critical Infrastructure Warning Information Network, a private communications network designed to serve as a reliable and survivable network capability with no logical dependency on the Internet or the public-switched network. In the event of a significant cyber attack that disrupts telecommunications networks and/or the Internet, this network is expected to provide a secure capability for interagency incident managers to communicate. DHS plans to extend the network to private- sector communications backbone providers. Potential role: Establish a system for prioritizing recovery of Internet service similar to the existing Telecommunications Service Priority Program; DHS assessment of activities: DHS officials and industry representatives noted that the existing Telecommunications Service Priority Program applies to physical restoration of both voice circuits and data circuits, including Internet traffic. However, prioritization of particular traffic on the Internet faces numerous technical challenges and is not supported by current legislation. DHS stated that this issue will become more significant as existing telecommunications circuit-switched networks migrate to packet- switched networks. Potential role: Use federal contracting mechanisms to require use of more secure Internet technologies, such as secure Domain Name System and secure Border Gateway Protocols; DHS assessment of activities: DHS officials noted that they can coordinate with the Office of Management and Budget in addressing this issue, but that the office has authority for providing federal agencies with overarching policy. They also stated that DHS's Science and Technology Directorate and the National Institute of Standards and Technology have developed guidance documents to encourage the use of a secure Domain Name System in federal information technology systems. The Science and Technology Directorate is also coordinating with the General Services Administration to begin to implement a secure Domain Name System in the .gov and global root Domain Name System servers. These officials noted that standards for securing Border Gateway Protocol are still not fully agreed to--beyond some common best practices for simple security--and that DHS and the National Institute of Standards and Technology are working to develop standards and technology to support securing Border Gateway Protocol. These officials cautioned that expenses and the timing of implementation are key issues. Federal agencies can specify what they want, but ultimately the costs of enhanced services will have to be paid. Sources: GAO interviews with private-sector infrastructure owners and operators to identify potential roles and a written assessment by DHS on these potential roles. [End of table] The Trigger for Government Involvement Is Unclear: The difference between a minor and a major Internet disruption can be a combination of factors. The severity of a disruption can be influenced by: * the length of time that the disruption lasts; * the impact of the disruption on the operation of the Internet, both in quality of operation (e.g., if the speed of the Internet is affected), and the number of users that cannot access the Internet; * the impact that the disruption has on society, such as the impact on national security or economic security; and: * the simultaneity of events (e.g., a disruption coinciding with a national disaster or terrorist attack could be more severe than a disruption occurring on an uneventful day). However, it is not clear when the government should get involved in a disruption. For example, the lessons learned from the DHS-sponsored regional exercises show that: * organizations do not know how and to whom they should report a cyber attack and what information to convey; * local and state emergency operations centers often lack procedures to determine when they should activate for a cyber event; * private-sector participants often do not inform government authorities about what they see as routine events because of company policy, legal constraints, or liability concerns; and: * it is unclear when a cybersecurity incident becomes a source of concern and what types of incidents should be communicated to local and federal law enforcement. The trigger for the National Response Plan, which is DHS's overall framework for incident response, is poorly defined and has been found by both GAO and the White House to need revision.[Footnote 29] DHS officials acknowledged that the definition for activation of its National Cyber Response Coordination Group is very broad and needs clarification. In addition, other DHS officials stated that, in their meetings with private-sector firms and other government agencies, they have determined that they need to further refine the definition of when government should be involved during an Internet disruption. DHS officials have stated that a successful public/private partnership is critical to the success of efforts to plan for responding to Internet disruptions. Since private-sector participation in DHS planning activities for Internet disruption is voluntary, agreement on the appropriate trigger for government involvement and on the role of government in resolving an Internet disruption are essential to any plan's success. Without a consensus on the appropriate role of government in responding to the disruption, or on the trigger for government involvement, planning for response to the disruption is difficult. Legal Issues Affect DHS's Ability to Provide Assistance during Recovery Efforts: There are key legal issues affecting DHS's ability to provide assistance to help restore Internet service. As previously noted, key legislation and regulations guiding critical infrastructure protection, disaster recovery, and the telecommunications infrastructure do not provide specific authorities for Internet recovery. As a result, there is no clear legislative guidance on what government entity would be responsible in the case of a major Internet disruption. In addition, while the Stafford Act authorizes the government to provide federal assistance to states, local governments, nonprofit entities, and individuals in the event of a major disaster or emergency, it does not authorize assistance to for-profit corporations. Several representatives of telecommunications companies reported that they had requested federal assistance from DHS during Hurricane Katrina. Specifically, they requested food, water, and security for the teams they were sending in to restore the communications infrastructure, and fuel to power their generators. DHS responded that it could not fulfill these requests, noting that the Stafford Act did not extend to for-profit companies. Many in the Private Sector Are Reluctant to Share Internet Information with the Government: Because a large percentage of the nation's critical infrastructure-- including the Internet--is owned and operated by the private sector, public/private partnerships are crucial for successful critical infrastructure protection. Although certain policies direct DHS to work with the private sector to ensure infrastructure protection, DHS does not have the authority to direct Internet owners and operators in their recovery efforts. Instead, it must rely on the private sector to share information on incidents, disruptions, and recovery efforts. We have previously reported that many in the private sector are reluctant to share information with the federal government.[Footnote 30] Many private-sector representatives questioned the value of providing information to DHS regarding planning for and recovery from Internet disruption. Concerns included the potential for disclosure of the information and the perceived lack of benefit in providing the information. In addition, DHS identified provisions of the Federal Advisory Committee Act[Footnote 31] as having a "chilling effect" on cooperation with the private sector. The act governs the structure of certain federal advisory groups and requires that membership in and information about the groups' activities be public record. However, both the act itself and other federal legislation provide the ability to limit disclosure of sensitive information provided to the government. While DHS officials stated that the agency was working on a solution to problems posed by the act, they did not provide us with information on potential solutions or milestones for completing these activities. The uncertainties regarding the value and risks of cooperation with the government limit incentives for the private sector to cooperate in Internet recovery planning efforts. DHS's Leadership and Organizational Issues Impact Its Ability to Address Internet Disruption: In 2003 and again in 2005, we identified the transformation of DHS from 22 agencies into one department as a high-risk area.[Footnote 32] As part of this body of work, we noted that organizational and management practices are critical to successfully transforming an organization. Additionally, we reported on the importance of top leadership driving any transformation and the need for a stable and authoritative organizational structure. However, DHS has lacked permanent leadership while developing its plans for Internet recovery and reconstitution. In addition, the organizations with roles in Internet recovery have overlapping responsibilities and may be reorganized once DHS selects permanent leadership. As a result, it is difficult for DHS to develop a clear set of organizational priorities and to coordinate among the various activities responsible for Internet recovery planning. DHS Has Lacked Permanent Leadership in Key Roles: In recent years, DHS has experienced a high level of turnover in its cybersecurity division and has lacked permanent leadership in key roles. In May 2005, we reported that multiple senior DHS cybersecurity officials had recently left the department.[Footnote 33] These officials included the NCSD Director, the Deputy Director responsible for Outreach and Awareness, the Director of the US-CERT Control Systems Security Center, the Under Secretary for the Information Analysis and Infrastructure Protection Directorate, and the Assistant Secretary responsible for the Information Protection Office. Subsequently, in July 2005, the DHS Secretary announced a major reorganization of the department. Under this reorganization, the Information Analysis and Infrastructure Protection Directorate, which contained NCS and NCSD, was renamed the Directorate for Preparedness, which would be managed by an appointed under secretary. The responsibilities of NCS and NCSD were placed under a new Assistant Secretary for Cyber Security and Telecommunications. DHS stated that the creation of a position for Assistant Secretary for Cyber Security and Telecommunications within the department would elevate the position of cybersecurity in the department and by doing so raise visibility for the issue. However, as of May 2006, no candidate for the assistant secretary position had yet been publicly announced. In addition, the current head of NCSD is in an acting position and has been since October 2004. While DHS stated that the lack of a permanent assistant secretary has not hampered its efforts in protecting critical infrastructure, several private-sector representatives stated that DHS's lack of leadership in this area has limited progress. Specifically, these representatives stated that filling key leadership positions would enhance DHS's visibility to the Internet industry and potentially improve its reputation. DHS Organizations Have Overlapping Responsibilities: DHS officials acknowledged that the current organizational structure has overlapping responsibilities in planning for and recovering from a major Internet disruption. NCSD is responsible for planning and response activities governing information technology, while NCS has the lead for telecommunications. However, because of the convergence of voice and data networks, NCS has become more involved in Internet issues. There is currently no written division of responsibilities between NCS and NCSD related to Internet recovery. NCS officials stated that a revision of the Emergency Support Function 2 would help address the apparent overlap, but DHS has not established a date for finalizing this document. Furthermore, DHS officials stated that the new assistant secretary would have discretion to reorganize NCS and NCSD. For example, NCS and NCSD could be combined, or one or more program areas could be modified. As a result, it is difficult for DHS to develop a clear set of organizational priorities and to coordinate among the various activities responsible for Internet recovery planning. Conclusions: As a critical information infrastructure supporting our nation's commerce and communications, the Internet is subject to disruption-- from both intentional and unintentional incidents. While major incidents to date have had regional or local impacts, the Internet has not yet suffered a catastrophic failure. Should such a failure occur, however, existing legislation and regulations supporting critical infrastructure protection, disaster response, and the telecommunications infrastructure do not specifically address roles and responsibilities for Internet recovery. A national policy, the National Strategy to Secure Cyberspace, establishes DHS as the focal point for ensuring the security of cyberspace--a role that includes developing joint public/private plans for facilitating a recovery from a major Internet disruption. While DHS has initiated efforts to refine high-level disaster recovery plans, the components of these plans that pertain to the Internet are not complete. Additionally, while DHS has undertaken several initiatives to improve Internet recovery planning, much remains to be done. Specifically, some initiatives lack clear time lines, lessons learned are not consistently being incorporated in recovery plans, and the relationships between the various initiatives are not clear. DHS faces numerous challenges to developing integrated public/private recovery plans--not the least of which is the fact that the government does not own or operate much of the Internet. In addition, there is no consensus among public and private stakeholders about the appropriate role of DHS and when it should get involved; legal issues limit the actions the government can take; the private sector is reluctant to share information on Internet performance with the government; and DHS is undergoing important organizational and leadership changes. As a result, the exact role of the government in helping to recover the Internet infrastructure following a major disruption remains unclear. Matters for Congressional Consideration: Given the importance of the Internet as a critical infrastructure supporting our nation's communications and commerce, Congress should consider clarifying the legal framework that guides roles and responsibilities for Internet recovery in the event of a major disruption. This effort could include providing specific authorities for Internet recovery as well as examining potential roles for the federal government, such as providing access to disaster areas, prioritizing selected entities for service recovery, and using federal contracting mechanisms to encourage more secure technologies. This effort also could include examining the Stafford Act to determine if there would be benefits in establishing specific authority for the government to provide for-profit companies--such as those that own or operate critical communications infrastructures--with limited assistance during a crisis. Recommendations for Executive Action: To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, we recommend that the Secretary of the Department of Homeland Security implement the following nine actions: * Establish dates for revising the National Response Plan and finalizing the National Infrastructure Protection Plan--including efforts to update key components relevant to the Internet. * Use the planned revisions to the National Response Plan and the National Infrastructure Protection Plan as a basis, draft public/ private plans for Internet recovery, and obtain input from key Internet infrastructure companies. * Review the NCS and NCSD organizational structures and roles in light of the convergence of voice and data communications. * Identify the relationships and interdependencies among the various Internet recovery-related activities currently under way in NCS and NCSD, including initiatives by US-CERT, the National Cyber Response Coordination Group, the Internet Disruption Working Group, the North American Incident Response Group, and the groups responsible for developing and implementing cyber recovery exercises. * Establish time lines and priorities for key efforts identified by the Internet Disruption Working Group. * Identify ways to incorporate lessons learned from actual incidents and during cyber exercises into recovery plans and procedures. * Work with private-sector stakeholders representing the Internet infrastructure to address challenges to effective Internet recovery by: * further defining needed government functions in responding to a major Internet disruption (this effort should include a careful consideration of the potential government functions identified by the private sector in table 6 of this report), * defining a trigger for government involvement in responding to such a disruption, and: * documenting assumptions and developing approaches to deal with key challenges that are not within the government's control. Agency Comments: We received written comments from DHS on a draft of this report (see app. V). In DHS's response, the Director of the Departmental GAO/Office of Inspector General Liaison Office concurred with our recommendations. DHS stated that it recognizes that the Internet is an important component of the information infrastructure in which both the information technology and telecommunications sectors share an interest. It also stated that because of the increasing reliance of various critical infrastructure sectors on interconnected information systems, the Internet represents a significant source of interdependencies for many sectors. DHS agreed that strengthened collaboration between the public and private sectors is critical to protecting the Internet. DHS also provided information on initial actions it is taking to implement our recommendations. DHS officials, as well as others who were quoted in our report, also provided technical corrections, which we have incorporated in this report as appropriate. As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution of it until 30 days from the report date. At that time, we will send copies of this report to interested congressional committees, the Secretary of the Department of Homeland Security, and other interested parties. In addition, this report will be available at no charge on GAO's Web site at [Hyperlink, http://www.gao.gov.] If you have any questions on matters discussed in this report, please contact us at (202) 512-9286 and at (202) 512-6412, or by e-mail at pownerd@gao.gov and rhodesk@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix VI. Signed by: David A. Powner: Director, Information Technology Management Issues: Signed by: Keith A. Rhodes: Chief Technologist: Director, Center for Technology and Engineering: List of Congressional Requesters: The Honorable Joseph I. Lieberman: Ranking Member: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Tom Coburn, MD: Chairman: The Honorable Tom Carper: Ranking Member: Subcommittee on Federal Financial Management, Government Information, and International Security: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Joe Barton: Chairman: Committee on Energy and Commerce: House of Representatives: The Honorable Tom Davis: Chairman: Committee on Government Reform: House of Representatives: [End of section] Appendix I: Objectives, Scope, and Methodology: Our objectives were to (1) identify examples of major disruptions to the Internet, (2) identify the primary laws and regulations governing recovery of the Internet in the event of a major disruption, (3) evaluate the Department of Homeland Security's (DHS) plans for facilitating recovery from Internet disruptions, and (4) assess challenges to such efforts. To determine the types of major disruptions to the Internet, we analyzed our prior work on cybersecurity issues as well as reports by private organizations, research experts, and government agencies. We identified incidents that were representative of types of disruptions that have actually occurred. We compiled case studies by reviewing and summarizing research reports and interviewing private-industry experts and government officials. We also conducted interviews with individuals in the private/public sectors, including representatives of private companies that operate portions of Internet infrastructure. To determine the primary laws and regulations for recovering the Internet in the event of a major disruption, we analyzed relevant laws and regulations related to infrastructure protection, disaster response, and the telecommunications infrastructure. These laws and regulations included the Homeland Security Act of 2002, Homeland Security Presidential Directive 7, the Defense Production Act, the Stafford Act, the Communications Act of 1934, and the National Communications System (NCS) authorities. We also obtained the perspectives of DHS and the Federal Communications Commission on the laws and regulations that govern Internet recovery. Additionally, we conducted interviews with DHS and other government officials as well as representatives of the telecommunications and information technology sectors. To assess plans for recovery of Internet service in the event of a major disruption, we analyzed key documents, such as the interim National Infrastructure Protection Plan, the National Response Plan, a report from the National Coordinating Center Task Force, and reports from regional tabletop security exercises. We observed a portion of DHS's Cyber Storm exercise, which focused on facilitating government and private industry organizations to address an array of cybersecurity issues. We also spoke with the Deputy Manager of NCS and the Deputy Director of the NCSD to identify DHS's initiatives in the area of Internet protection and recovery. Additionally, we interviewed representatives from private companies that operate portions of Internet infrastructure. These included representatives of major telecommunications and cable companies, Internet service providers, and root server operators. We also interviewed representatives from three information sharing and analysis centers[Footnote 34] to obtain their perspectives on DHS's capabilities in the area of Internet recovery. To identify the challenges that may affect current recovery plans, we analyzed DHS plans, congressional testimony, and other evaluations of challenges to Internet recovery. We also interviewed officials at DHS, including NCSD's Deputy Director of Strategic Initiatives and Deputy Director of Operations and NCS's Chief of the Critical Infrastructure Protection Division. In addition, we interviewed other agencies that are involved with the government's efforts in the area of Internet recovery and experts in the private sector and academia. We performed our work from August 2005 to May 2006 in accordance with generally accepted government auditing standards. [End of section] Appendix II: Legislation and Regulations Govern Critical Infrastructure Protection, Disaster Response, and the Telecommunications Infrastructure: Multiple Laws and Regulations Govern Protection of Critical Infrastructure: Federal laws and policies establish critical infrastructure protection as a national goal and describe a strategy for cooperative efforts by government and the private sector to protect the cyber-and physical- based systems that are essential to the minimum operations of the economy and the government. The primary authorities governing protection of critical infrastructure include the Homeland Security Act of 2002 and Homeland Security Presidential Directive 7. The Homeland Security Act of 2002: The Homeland Security Act of 2002[Footnote 35] established DHS and gave it lead responsibility for preventing terrorist attacks in the United States, reducing the vulnerability of the United States to terrorist attacks, and minimizing the damage and assisting in the recovery from attacks that do occur. The act also assigns DHS a number of responsibilities for critical infrastructure protection, including (1) developing a comprehensive national plan for securing the key resources and critical infrastructure of the United States; (2) recommending measures to protect the key resources and critical infrastructure of the United States in coordination with other federal agencies and in cooperation with state and local government agencies and authorities, the private sector, and other entities; and (3) disseminating, as appropriate, information analyzed by the department--both within the department and to other federal, state, and local government agencies and private- sector entities--to assist in the deterrence, prevention, or preemption of or response to terrorist attacks. Additionally, the act specifically charged DHS with providing state and local government entities and, upon request, private entities that own or operate critical infrastructure, with: * analyses and warnings concerning vulnerabilities and threats to critical infrastructure systems, * crisis management support in response to threats or attacks on critical information systems, and: * technical assistance with respect to recovery plans to respond to major failures of critical information systems. Homeland Security Presidential Directive 7: Homeland Security Presidential Directive 7, dated December 17, 2003, superseded Presidential Decision Directive 63 and established a national policy for federal departments and agencies to identify and prioritize critical infrastructures and key resources and to protect them from terrorist attack. The directive defines responsibilities for (1) DHS, (2) sector-specific federal agencies that are responsible for addressing specific critical infrastructure sectors, and (3) other departments and agencies. The directive also makes DHS responsible for coordinating the national effort to enhance the protection of the critical infrastructure and key resources of the United States. Under the directive, the Secretary of DHS is to serve as the principal federal official to lead, integrate, and coordinate implementation of efforts among federal departments and agencies, state and local governments, and the private sector to protect critical infrastructure and key resources. The Secretary also is to work closely with other federal departments and agencies, state and local governments, and the private sector in accomplishing the objectives of the directive. The Secretary is given responsibility to coordinate protection activities for several key infrastructure sectors, including the information technology and telecommunications sectors. Homeland Security Presidential Directive 7 provides that DHS is to collaborate with the appropriate private-sector entities and to encourage the development of information-sharing and analysis mechanisms. Additionally, the department and sector-specific agencies are to collaborate with the private sector and continue to support sector-coordinating mechanisms to: * identify, prioritize, and coordinate the protection of critical infrastructure and key resources and: * facilitate sharing of information about cyber and physical threats, vulnerabilities, incidents, potential protective measures, and best practices. Multiple Laws Govern Federal Response to Disasters and Incidents of National Significance: Federal planning for disaster recovery is governed by legislation including the Defense Production Act and the Stafford Act. Defense Production Act: The Defense Production Act was enacted at the outset of the Korean War to ensure the availability of industrial resources to meet the needs of the Department of Defense.[Footnote 36] The act is intended to facilitate the supply and timely delivery of products, materials, and services to military and civilian agencies, in times of peace as well as in times of war. Presently, only titles I, III, and VII of the Defense Production Act remain in effect.[Footnote 37] DHS identified the act as a primary authority that supports telecommunications emergency planning and response functions. Title I of the act authorizes the President to ensure the timely availability of products, materials, and services needed to meet current defense preparedness and military readiness requirements as well as the requirements of a national emergency. Under section 101 of the act, the President may require preferential performance on contracts and orders to meet approved national defense requirements and may allocate materials, services, and facilities as necessary to promote the national defense in a national emergency. Homeland Security Presidential Directive 7, previously discussed, specifically acknowledges the authority of the Department of Commerce to use the act to ensure the timely availability of industrial products, materials, and services to meet homeland security requirements. Title III of the act authorizes the use of financial incentives to expand productive capacity and supply. It authorizes loan guarantees, loans, purchases, purchase guarantees, and installation of equipment in contractor facilities for those goods necessary for national defense. It is used only in cases where domestic sources are required and domestic firms cannot, or will not, act on their own to meet a national defense production need. Title VII of the Defense Production Act defines national defense to include domestic emergency preparedness and critical infrastructure protection and restoration activities. The act's authorities, therefore, are available to meet requirements in a civil disaster, such as a major Internet disruption. The act also authorizes the President to provide antitrust defenses to private firms participating in voluntary agreements aimed at solving production and distribution problems. The Year 2000 computer transition and the September 11, 2001, attacks prompted new interest in the act and its application to information technology and cybersecurity. Some commentators indicated that the act would be a useful tool in managing a critical infrastructure emergency.[Footnote 38] In January 2001, President Clinton directed the Secretary of Energy to exercise authority under the act, among other statutes, to ensure the availability of natural gas for high-priority uses in California. President Clinton found that ensuring natural gas supplies to California was necessary and appropriate to maximize domestic supplies and to promote the national defense. President Bush subsequently extended this executive order.[Footnote 39] In recent years, Congress has expanded the Defense Production Act's coverage to include crises resulting from natural disasters or "man- caused events" not amounting to an armed attack on the United States.[Footnote 40] The definition of national defense in the act was expanded in 1994 to include emergency preparedness activities authorized by the Stafford Act.[Footnote 41] In 2003, the act was reauthorized through September 30, 2008.[Footnote 42] It was also amended to add explicit authority to use the act for critical infrastructure protection and restoration. In addition, the 2003 Act (section 5) added a definition of critical infrastructure to the act.[Footnote 43] The Stafford Act: The Robert T. Stafford Disaster Relief and Emergency Assistance Act (the Stafford Act)[Footnote 44] authorizes federal assistance to states, local governments, nonprofit entities, and individuals in the event of a major disaster or emergency. For example, the President, at the request of a governor, may declare a "major disaster," which is defined as follows: "Major disaster means any natural catastrophe (including any hurricane, tornado, storm, high water, winddriven water, tidal wave, tsunami, earthquake, volcanic eruption, landslide, mudslide, snowstorm, or drought), or, regardless of cause, any fire, flood, or explosion, in any part of the United States, which in the determination of the President causes damage of sufficient severity and magnitude to warrant major disaster assistance under this Act to supplement the efforts and available resources of States, local governments, and disaster relief organizations in alleviating the damage, loss, hardship, or suffering caused thereby." A presidential declaration that a major disaster has occurred activates the federal response plan for the delivery of federal disaster assistance. The Federal Emergency Management Agency is responsible for coordinating the federal and private response effort. A presidential declaration of a major disaster[Footnote 45] triggers several Stafford Act authorities, including, for example, federal activities to: * support state and local governments to facilitate the distribution of consumable supplies; * help distribute aid to victims through state and local governments and voluntary organizations, perform life-and property-saving assistance, clear debris, and use the resources of the Department of Defense; * repair and reconstruct federal facilities; * repair, restore, and replace damaged facilities owned by state and local governments, as well as private nonprofit facilities that provide essential services or contributions for other facilities or hazard mitigation measures in lieu of repairing or restoring damaged facilities; and: * establish--during or in anticipation of an emergency--temporary communications systems, and make such communications available to state and local government officials. Specific Laws and Regulations Govern the Telecommunications Infrastructure That Supports the Internet: The Internet is enabled by the telecommunications infrastructure that supports transmission of data. Key laws and regulations include the Communications Act of 1934, as amended, and the National Communications System (NCS) authorities. Communications Act of 1934, as Amended: The primary federal telecommunications law is the Communications Act of 1934. Its original purpose was to regulate interstate and foreign commerce in communications by wire and radio by licensing radio stations and regulating the telecommunications monopolies of the time.[Footnote 46] The 1934 Act also created the Federal Communications Commission to implement the act.[Footnote 47] The 1934 act, as amended, has remained for more than 60 years as the basis of federal regulation of telecommunications services.[Footnote 48] The Telecommunications Act of 1996[Footnote 49] amended the 1934 Act to enhance competition in the telecommunications market. These laws govern regulation of forms of transmission upon which the Internet depends. There is, however, no general regulatory provision for the Internet in the act and no specific provision providing authorities and responsibilities for Internet recovery. NCS Authorities: NCS was established by a memorandum signed by President Kennedy in 1963, following the Cuban Missile Crisis.[Footnote 50] The memorandum called for establishing a national communications system by linking together and improving the communication facilities and components of various federal agencies. This original memorandum has since been amended and superseded over time. The executive order currently in force is Executive Order 12472, April 3, 1984, which was amended slightly by Executive Order 13286 on February 28, 2003. Executive Order 12472, as amended by Executive Order 13286, established NCS and provided that its mission was to assist the President, the National Security Council, the Homeland Security Council, the Director of the Office of Science and Technology Policy, and the Director of the Office of Management and Budget in, among other responsibilities, "the coordination of the planning for and provision of national security and emergency preparedness communications for the Federal government under all circumstances, including crisis or emergency, attack, recovery and reconstitution." The administrative structure includes a National Communications System Committee of Principals, an executive agent, and a manager. The Homeland Security Act of 2002 transferred NCS to DHS. To reflect this change, Executive Order 13286 made the Secretary of DHS the Executive Agent. NCS's mission with regard to critical infrastructure protection is to ensure the reliability and availability of telecommunications for national security and emergency preparedness. Its mission includes, but it is not necessarily limited to, responsibility for (1) ensuring the government's ability to receive priority services for national security and emergency preparedness purposes in current and future telecommunications networks by conducting research and development and participating in national and international standards bodies and (2) operationally coordinating with industry for protecting and restoring national security and emergency preparedness services in an all-hazards environment.[Footnote 51] Section 706 of the Communications Act of 1934 grants the President certain emergency powers regarding telecommunications, including the authority to grant essential communications "preference or priority with any carrier" subject to this act.[Footnote 52] The President may also, in the event of war or national emergency, suspend regulations governing wire and radio transmissions and "authorize the use or control of any such facility or station and its apparatus and equipment by any department of the Government." Section 706 is implemented in Executive Order 12472, which provides that the Director of the Office of Science and Technology Policy shall direct the exercise of the war power functions of the President under section 706(a), (c)-(e) of the Communications Act of 1934, as amended (47 U.S.C. 606). Section 706 is implemented in the Code of Federal Regulations at title 47, chapter II. [End of section] Appendix III: Two Task Forces Have Assessed NCS Roles and Mission: The National Security Telecommunications Advisory Committee advises the President on issues and problems related to implementing national security and emergency preparedness telecommunications policy. The committee recently formed two task forces to provide recommendations on changes to DHS's NCS division and operations. Next Generation Network Task Force: In May 2004, the Next Generation Network Task Force was formed to develop recommendations on changes that needed to be made to NCS as a result of issues such as the convergence of voice and data communications. The task force was to (1) define the expected structure for next-generation networks, such as those using Internet-based protocols; (2) identify national security and emergency preparedness user requirements for next-generation networks and outline how these requirements will be met; and (3) examine relevant user scenarios and expected cyber threats and recommend optimal actions to address these threats. The task force agreed to present its findings and recommendations in two separate reports to the President--a near-term recommendations report and a final comprehensive report. In March 2005, the task force issued near-term recommendations for the federal government. While the recommendations did not address NCS's role in recovering from an Internet disruption, they included: * exploring the use of government networks as alternatives for critical emergency communications during times of national crisis; * using and testing existing and leading-edge technologies and commercial capabilities to support critical emergency user requirements for security and availability; * studying and supporting industry efforts in areas that present the greatest emergency communications risks during the period of convergence, including gateways, control systems, and first responder communications systems; and: * reviewing the value of satellite systems as a broad alternative transmission channel for critical emergency communications. The final report, issued in March 2006, contained recommendations that the federal government: * require federal agencies to plan for and invest in resilient and alternate communications mechanisms to be used in a crisis, * develop identity management tools to support priority emergency communication on next-generation networks, * develop supporting policies for emergency communications on next- generation networks, and: * improve DHS incident management capabilities. DHS has not yet developed specific plans to address the recommendations from either report. National Coordinating Center Task Force: In October 2004, a task force was established to examine the future mission and role of the National Coordinating Center, which is part of NCS. This task force was to study the direction of the center over the next year, 3 years, and 5 years, including how industry members of the center should continue to partner with the government and how the center should be structured. The task force researched the center's functions and mapped the center's authorities to its missions. It studied the center's organizational structure, information sharing and analysis, incident management and leadership, and international mutual-aid abilities. In its report issued in May 2006, the task force found that since the September 11 attacks the number of companies participating in the National Coordinating Center has more than doubled, but the influx of new members has hindered information sharing because of the time it takes to develop trusted relationships between members. The report also found that members wanted government to increase its sharing of threat information with the communications industry through the National Coordinating Center. The report recommended that: * the National Coordinating Center broaden center membership by including additional firms, such as cable operators, satellite operators, and Internet service providers; * NCS examine the possible combination of the National Coordinating Center and the Information Technology Information Sharing and Analysis Center; * DHS clarify responsibilities and authorities in emergency situations to facilitate response to telecommunications disruptions; * DHS revise the Cyber Incident Annex to the National Response Plan to clarify the trigger for the annex and the appropriate role of the government in responding to such an incident; * the National Coordinating Center develop a concept of operations for responding to cyber events; and: * DHS resolve confusion over legal or jurisdictional issues in responding to cyber or communications crises. DHS has not yet developed a plan to address these findings and recommendations. [End of section] Appendix IV: DHS Has Conducted Disaster Response Exercises That Include Cyber Incidents: DHS Has Conducted Regional Exercises Involving Cyber Attacks: Over the last few years, DHS has conducted several exercises to test the federal and regional response to incidents affecting critical infrastructures. Among other events, these exercises included incidents that could cause localized Internet disruptions. Specifically, DHS sponsored two cyber tabletop exercises with Connecticut and New Jersey, as well as a series of exercises in the Pacific Northwest and Gulf Coast regions of the United States. The series of exercises in the Pacific Northwest was named Blue Cascades. Blue Cascades II, conducted in September 2004, addressed a scenario involving cyber attacks and attacks that disrupted infrastructure, including telecommunications and electric power. The scenario explored regional capabilities to deal with threats, interdependences, cascading impacts, and incident response. Blue Cascades III, conducted in March 2006, focused on the impact of a major earthquake in the area and the resulting efforts to recover and restore services. Both exercises were sponsored by NCSD and organized by the Pacific Northwest Economic Region. Purple Crescent II, held in New Orleans, Louisiana, in October 2004, was also designed to raise awareness of infrastructure interdependencies and to identify how to improve regional preparedness. The scenario involved a cell of terrorists that used an approaching major hurricane to test their ability to disrupt regional infrastructures, government and private organizations, and particularly disaster preparedness operations using cyber attacks. The exercise was sponsored by the Gulf Coast Regional Partnership for Infrastructure Security and funded by NCSD. The objectives of these exercises included: * raising awareness of infrastructure-related cybersecurity issues and vulnerabilities; * identifying response and recovery challenges; * bringing together physical security, emergency management, and other disciplines involved in homeland security and disaster response; * identifying roles and responsibilities in addressing cyber attacks and disruptions; * determining ways to foster public/private cooperation and information sharing; * identifying preparedness gaps associated with cybersecurity and related interdependencies; and: * producing an action plan of activities. The exercises resulted in many findings regarding the overall preparedness for cyber incidents (see table 7). Overall, the exercises found that both the government and private-sector organizations were poorly prepared to effectively respond to cyber events. The lack of clarity on roles and responsibilities coupled with both the lack of coordination and communication and limited understanding of cybersecurity concerns pose serious obstacles to effective response and recovery from cyber attacks and disruptions. Furthermore, it was unclear who was in charge of incident management at the local, state, or national levels. Table 7: Selected Lessons Learned from DHS Regional Exercises with Cyber Components: Area: Skills, knowledge, and preparedness; Selected lessons learned: * Many exercise participants demonstrated a basic understanding of high- level cybersecurity issues, but they were not knowledgeable about more complex cyber vulnerabilities and interdependencies that could cause cascading impacts; * Organizations overestimated their technical capabilities to protect against threats and attacks and to respond and recover expeditiously in the exercise scenario; * It appeared that few organizations had any formal alternative communications plans; * The dependence of emergency preparedness activities on information systems and electronic communications needs to be tested and assessed. Furthermore, vulnerabilities need to be identified and cost-effective mitigation measures need to be adopted; * It was unclear what redundant and alternative communications were available to organizations in a major cyber disruption, or if available, whether these capabilities were regularly tested. Area: Coordination; Selected lessons learned: * While a cooperative spirit was demonstrated by participating organizations during the exercise, this cooperation appeared to be based on ad hoc personal relationships, and it is focused on physical incidents; * Participants for the most part focused on their own organizational interests, with minimal public/private coordination or formalized relationships; * With the exception of sector-specific Information Sharing and Analysis Centers and cybersecurity professional associations, organizations rarely coordinate on cyber threat and incident response activities, chiefly for legal and liability reasons; * Government agencies at the state level interact with other state entities, and federal agencies with federal offices, with little coordination at federal and state levels. There appears to be little coordination among the many federal, other government and private organizations with cybersecurity missions; * Private-sector participants emphasized that their organizations do not inform government authorities about what is seen as routine events because of company policy, legal constraints or liability concerns. Area: Triggers and thresholds for reporting; Selected lessons learned: * Regional organizations lack information on what organization they should contact to report a cyber event or to seek guidance in dealing with an incident; * State and local emergency operations centers lack threshold criteria to determine when they should activate for a cyber attack; * It is unclear when a cybersecurity incident becomes a source of concern and what types of incidents should be communicated to local and federal law enforcement. Area: Government actions; Selected lessons learned: * No one organization is mandated as the focal point for cybersecurity threats and incident response. The federal government has a number of organizations that have missions to respond to cyber incidents and there are also state and private-sector response organizations and vendors. As a result, it was not clear to the participants what role DHS elements and other federal agencies would play in a cyber incident; * Some participants believed DHS and US-CERT should undertake the lead role in dealing with major cyber attacks while other participants-- chiefly private-sector representatives--did not see a federal government lead role as appropriate or desirable; * Participants described cyber incident management as "confused" or "loose.". Source: GAO analysis of the Purple Crescent II exercise held in October 2004 and the Blue Cascades II exercise held in September 2004. [End of table] The after-action reports from the exercises recommended areas for additional study and planning, including: * additional study of the vulnerabilities of critical infrastructures to cyber attack; * improved information on training, assessments, and resources to be used against cyber attacks; * improved federal, state, local, and private-sector planning and coordination; and: * defined thresholds for what constitutes a major cyber attack. Cyber Storm Was DHS's First National Exercise Focused on Cyber Attacks: Cyber Storm, held in February 2006 in Washington, D.C., was the first DHS-sponsored national exercise to test response to a cyber-related incident of national significance. The exercise involved a simulated, large-scale attack affecting the energy, information technology, telecommunications, and transportation infrastructures. DHS officials stated that they plan to hold a similar exercise every other year. According to information provided by agency officials, the exercise involved eight federal departments and three agencies, three states, and four foreign countries. The exercise also involved representatives from the private sector, including nine information technology companies, six electric companies, and two airlines. The exercise objectives included testing interagency, intergovernmental, and public/private coordination of incident response. Representatives of private-sector companies provided mixed responses on the value of exercises such as Cyber Storm. Selected representatives expressed concerns about the overly broad scope and the difficulty in justifying dedicating resources for the exercises due to the lack of clear goals and outcomes. Another representative stated that government exercises help the government but exercises involving private-sector coordination with multiple agencies would also be helpful. Another representative stated that exercises were only of value if there was a process for integrating lessons learned from the exercises into policies and procedures. Two representatives, from a private-sector company that participated in Cyber Storm, stated that, while useful, the exercise was not designed for network operators, who would benefit from more comprehensive training in incident response. [End of section] Appendix V: Comments from the Department of Homeland Security: Homeland Security: June 2, 2006: Mr. David A. Powner: Director, Information Technology Management Issues: U.S. Government Accountability Office: 441 G Street, NW Washington, DC 20548: Dear Mr. Powner: RE: Draft Report GAO-06-672, Internet Infrastructure: DHS Faces Challenges in Developing a Joint Public/Private Recovery Plan (GAO Job Code 310499): The Department of Homeland Security (DHS) appreciates the opportunity to review and comment on the draft report. We recognize that the Internet is an important component of the information infrastructure in which both the information technology (IT) and telecommunications sectors share an interest. Moreover, because of the increasing reliance of various Critical Infrastructure and Key Resources (CI/KR) sectors on interconnected networked information systems, the Internet represents a significant source of interdependencies for many sectors. In this regard, we agree with the Government Accountability Office (GAO) that recent incidents have shown the Internet as a whole is resilient. We also agree that strengthening collaboration between the public and private sector with constant attention to risk mitigation, response and recovery planning is critical to protect the Internet[Footnote 53]. Finally, as noted in each response, DHS has already focused on issues raised in the recommendations and has either addressed a recommendation or is in the process of implementing a recommendation. Nevertheless, we welcome GAO's review and appreciate the opportunity to comment on each of the nine recommended actions that are intended to improve DHS' ability to facilitate public and private efforts to recover the Internet in case of a major disruption. Recommendation 1: Establish dates for revising the National Response Plan and finalizing the National Infrastructure Protection Plan - including efforts to update key components relevant to the Internet. Response: We agree with the recommendation. Implementation of the National Infrastructure Protection Plan (NIPP) is one of the three priorities called for as part of the National Preparedness Goal. The final draft of the NIPP Base Plan was provided to the Homeland Security Council Critical Infrastructure Protection Policy Coordinating Committee, which recently gave its concurrence. We anticipate the final interagency approval and signatures from the HSPD-7 departments and agencies will be forthcoming. The pending release of the final NIPP Base Plan is an important milestone, but it is the implementation of that plan and the accompanying seventeen Sector-Specific Plans (SSPs) that will help build a safer, more secure, and more resilient America by enhancing protection of the Nation's CI/KR. Combined with the updated cyber component of the NIPP Base Plan, the development of these SSPs represents progress in efforts to update the key NIPP components relevant to the Internet. Specifically, the SSPs for the IT and telecommunications sectors will address plans for protecting the Internet, and will include consideration of the interdependencies between the two sectors. These plans are already undergoing development in collaboration with public and private sector security partners. Significant progress has been made on both, and completion of all SSPs is scheduled for 180 days after the release of the NIPP Base Plan. With regard to the National Response Plan (NRP) revision, the Homeland Security Council (HSC) directed DHS to complete an interagency review of the NRP to incorporate critical revisions prior to the onset of the 2006 Hurricane Season. On May 25, 2006, DHS incorporated the revisions into the NRP in a Notice of Change. The revisions are based on organizational changes within DHS, as well as the lessons learned from the experience of responding to Hurricanes Katrina, Wilma, and Rita in 2005. As one part of the NRP Notice of Change, DHS created a NRP Quick Reference Guide as an appendix to the NRP, which provides senior officials with a concise summary of key concepts, relationships and roles and responsibilities outlined in the NRP. In addition, DHS intends to initiate a comprehensive stakeholder review of the NRP in the fall of 2006. Recommendation 2: Using the planned revisions to the National Response Plan and National Infrastructure Protection Plan as a basis, draft public/private plans for Internet recovery and obtain input from key Internet infrastructure companies. Response: We agree with the recommendation. DHS' National Cyber Security Division (NCSD) and the National Communications System (NCS), both located within the Directorate of Preparedness, are actively engaged with the private sector in furthering a mutual understanding of government's and industry's respective roles and responsibilities in connection with a disruption of the Internet or its supporting infrastructure. In August 2005, the President's National Security Telecommunications Advisory Committee (NSTAC) hosted an event entitled, "Incident Management in Next Generation Network," between key industry and government leaders regarding next steps for collaboratively responding to incidents affecting the shared public Internet infrastructure. These types of events build relationships and are key because the Internet infrastructure is, for the most part, owned and operated by the private sector. NCSD has several initiatives underway specifically focused on building relationships with private industry to determine risks and needs in the event of an Internet disruption. For example, the United States Computer Emergency Readiness Team (US-CERT), through its leadership of the North American Incident Response Group (NAIRG), continues to develop operational relationships and processes to enhance US-CERT's ability to respond to an Internet disruption of national significance. Additionally, the National Cyber Response Coordinating Group (NCRCG) has developed thresholds for activating the Group and a concept of operations for responding to cyber incidents, which would include Internet disruptions. Although the NCRCG role is not operational, it plays a key role in facilitating effective Federal response to incidents. Finally, ongoing collaboration with subject matter experts from the private sector and academia through the Internet Disruption Working Group (IDWG) further supports and validates government/industry efforts to identify key Internet infrastructure contacts, thresholds, and processes to facilitate situational awareness, incident management, and recovery actions. This collaboration, along with simulations such as the recent Cyber Storm exercise and the upcoming IDWG tabletop exercise, provide data points to clarify industry and government roles and responsibilities during an Internet disruption, and will lead to the enhancement of mitigation measures to be included in the public/ private plans. Recommendation 3: Review the NCS and NCSD organizational structure and roles in light of the convergence of voice and data communications. Response: We agree with the recommendation and believe it can be closed. DHS has addressed the organizational structure by placing NCS and NCSD in a newly created Office of Cyber Security and Telecommunications within the Directorate of Preparedness. This reorganization clearly acknowledges the increasing convergence between the telecommunications and IT sectors. NCSD and NCS work closely together to coordinate efforts to protect the Nation's critical cyber systems and telecommunications transport layer. In addition, NCSD's operational division, US-CERT and the NCS's National Coordinating Center for Telecommunications work together to analyze potential threats, mitigate risks and collaborate as appropriate with respect to response and recovery initiatives. NCS and NCSD together chair the IDWG and play a lead role in the NCRCG as discussed below. Recommendation 4: Identify the relationships and interdependencies between the various Internet-recovery related activities currently under way in NCS and NCSD, including initiatives by US-CERT, the National Cyber Response Coordination Group, the Internet Disruption Working Group, the North American Incident Response Group, and the groups responsible for developing and implementing cyber recovery exercises. Response: We agree with the recommendation. NCS and NCSD have identified and capitalized on relationships and interdependencies between Internet-recovery related activities within DHS. There has been significant and strategic collaboration between IDWG, NCRCG, and US- CERT through major initiatives such as the IDWG Forum, Exercise Cyber Storm, NCRCG meetings and working groups, as well as the upcoming IDWG Tabletop exercise. Further, in the event of an Internet disruption of national significance, the Secretary of DHS may activate the Interagency Advisory Committee (IAC)[Footnote 54] ,which would work in coordination with the NCRCG. US-CERT is the operational entity having real-time responsibility for responding to a Federal cyber incident and, when applicable, an incident that has an actual or perceived potential to require the activation of the NCRCG. DHS//NCSD co-chairs the NCRCG with the Department of Justice and the Department of Defense. The NCRCG and US- CERT collaborate with respect to information sharing, and work in coordination with the IAC. During an incident of national significance that involves cyber, the NCRCG would provide a cyber incident management role to the IAC. The IDWG is not an operational entity and has no incident response or recovery responsibilities. The IDWG engages with the private sector, academia, and international security experts to examine risks and develop recommendations to improve preparedness. Findings and recommendations developed by the IDWG are provided to the US-CERT, NCRCG, and other like entities having direct response and recovery roles within their respective organizations. With respect to the North American Incident Response Group (NAIRG), it is the intent of US-CERT to foster operational relationships with incident response organizations such as NAIRG within the private sector. In this regard, the NAIRG is not a government organization and is without any extant actions/taskings. In regard to groups responsible for cyber exercises, the NCSD Exercise Program is the focal point for cyber exercise management and execution within DHS. It supports those activities (US-CERT, NCRCG, IDWG, etc.) that have identified requirements for further discovery to better understand roles, responsibilities and processes, and identification of gaps. In addition, the NCSD Exercise Program is the exercise sponsor for the National Cyber Exercise: Cyber Storm, a biennial cyber exercise focused on strategic and operational issues such as interagency preparedness, response and recovery under the Cyber Annex to the NRP; cross-sector interdependencies on the underlying information systems including control systems; and, public-private collaboration and coordination. It should be noted that the US-CERT, NCRCG and other industry experts were significant players during the February, 2006 Cyber Storm Exercise. Recommendation 5: Establish timelines and priorities for key efforts identified by the Internet Disruption Working Group. Response: We agree with the recommendation. The IDWG has identified milestones and priorities for key efforts along with their respective timelines as part of the NCSD strategic plan. The initial activity of the IDWG was a one day forum of facilitated discussion among Internet and policy experts addressing perceived and real vulnerabilities and threats to key Internet resources. A draft report outlining key efforts is in the process of being finalized. In collaboration with US-CERT, NCRCG, and the private sector, the IDWG continues to refine a project plan that addresses timelines and priorities. Recommendation 6: Identify ways to incorporate lessons learned from actual incidents and during cyber exercises into recovery plans and procedures. Response: We agree with the recommended action. As the cyber exercise focal point for DHS, NCSD has the responsibility to provide the venue and environment for participants to take part in exercises and garner lessons learned both during the planning process and actual exercise execution. In this role as facilitator of Cyber Storm, the NCSD Exercise Program has conducted 5 after action conferences to date (Federal, NCRCG, Private Sector, States and International) as part of the process to draft an exercise After Action Report (AAR) for all stakeholders/participants. The Cyber Storm AAR will cover macro lessons learned based on the exercise objectives. In addition to this process, many participants will conduct their own internal AAR efforts in order to develop specific organizational lessons learned and internal action recommendations. NCSD has also begun its own process to develop an action plan based on the AAR and is collaborating with other Departments and Agencies as well as the private sector on implementing changes to policy and procedures. Further, US-CERT has already developed specific internal action recommendations and has begun to implement them based on the lessons learned from Cyber Storm. Recommendation 7: Working with the private-sector stakeholders representing the Internet infrastructure, address challenges to effective Internet recovery by further defining needed government functions during a major Internet disruption (this effort should include a careful consideration of the potential government functions identified by the private sector in table 6 of this report). Response: We agree with the recommendation. DHS recognizes NCS and NCSD face challenges in planning comprehensive strategies for responding to and reconstituting after a cyber incident of national significance. It is axiomatic, that only a truly functioning private/public partnership will result in the plans and strategies necessary as the majority of the Internet infrastructure is owned and operated by the private sector. DHS will continue to make progress by exercising and testing response actions and capabilities, building relationships, and bringing attention to the severity of the threat against the infrastructure. DHS has formed a strategic partnership through the IDWG to combine resources, avoid duplication of effort, and leverage Federal government, academia, and private sector work on the issue of Internet disruptions. The IDWG works with major stakeholders to identify and prioritize short-term protective measures necessary to prevent major disruptions of the Internet, especially as it relates to identifying necessary government functions during such an incident, and to identify responsive/reconstitution measures in the event of a major disruption. This group has reviewed previous Internet disruption reports to identify and leverage high priority actions to improve the resiliency of the Internet quickly and effectively. In addition, US-CERT has been attending the North American Network Operator's Group (NANOG) meetings for the last three years to continue to establish closer ties to tier one through tier three Internet providers to work issues of national significance. US-CERT also participates in a number of technical venues to further coordination efforts and works with subject matter experts on topics ranging from Domain Name Systems (DNS) issues to core Internet Protocol topics. The US-CERT also works within the Forum of Incident Response Teams community (www.first.org) and a number of other international incident response teams for situational awareness and collaboration. Recommendation 8: Define a trigger for government involvement in responding to such a disruption. Response: We generally agree with the recommendation. However, the dynamics of the Internet, and business processes and policies of its owners and operators pose a significant challenge to defining a standard set of thresholds. As noted above, DHS continues to address this challenge and is collaborating with the private sector to better understand existing operational and corporate governance policies. The IDWG has begun an information sharing study to review the information sharing environment. This study should provide insights regarding a consensus on the effectiveness of establishing standard thresholds and/ or processes for sharing information between private sector Internet owners/operators and DHS. Recommendation 9: Document assumptions and develop approaches to deal with key challenges that are not within the government's control. Response: We concur with the recommendation. Many of the challenges confronting enhancement of existing processes are, for the most part, identified in the report. These challenges include: lack of authority, dynamics of the Internet infrastructure, technology enhancement (to include technology convergence), defining thresholds, understanding of government's role, and private sector business processes/governance policies. DHS is addressing challenges with the Internet owners and operators through forums, tabletop exercises, and smaller action teams consisting of subject matter experts who will address those actions identified within the IDWG forum. Related Issues: An ongoing DHS focus is cyber threat analysis. This effort encompasses many different organizations and elements, including threat information collection requirements, scenario development, and cyber threat products for all sectors. Dialogue between public and private IT sector partners, DHS' Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) and the intelligence community will help to promote and invigorate cyber threat analysis by leveraging the capabilities, insights, and experience that each organization represents. Thank you again for the opportunity to review this report and provide additional comments. Sincerely, Signed by: Steven J. Pecinovsky: Director: Departmental GAO/OIG Liaison Office: [End of section] Appendix VI: GAO Contacts and Staff Acknowledgments: GAO Contacts: David A. Powner, (202) 512-9286 or pownerd@gao.gov Keith A. Rhodes, (202) 512- 6412 or rhodesk@gao.gov: Staff Acknowledgments: In addition to those named above, Don R. Adams, Naba Barkakati, Scott Borre, Neil Doherty, Vijay D'Souza, Joshua A. Hammerstein, Bert Japikse, Joanne Landesman, Frank Maguire, Teresa M. Neven, and Colleen M. Phillips made key contributions to this report. (310499): FOOTNOTES [1] Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection (Dec. 17, 2003). [2] The White House, National Strategy to Secure Cyberspace (Washington, D.C.: February 2003). [3] GAO, Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, GAO-05-434 (Washington, D.C.: May 26, 2005). [4] We reported on issues associated with these protocols in Internet Protocol Version 6: Federal Agencies Need to Plan for Transition and Manage Security Risks, GAO-05-471 (Washington, D.C.: May 20, 2005). [5] This example assumes that the required domain name information is not available on the user's local network. [6] Although the Department of Commerce has authority to modify the root file containing this top-level domain information, it has delegated this authority to the Internet Corporation for Assigned Names and Numbers, a nonprofit organization, and VeriSign, a private corporation. [7] An autonomous system is a set of routers that are administered using an interior gateway protocol to route packets among that set of routers and an exterior gateway protocol, such as Border Gateway Protocol, to route packets to other autonomous systems. [8] Homeland Security Presidential Directive 7 (Dec. 17, 2003). [9] DHS, National Infrastructure Protection Plan. [10] The White House, National Strategy to Secure Cyberspace. [11] The National Intelligence Council, Mapping the Global Future (December 2004). [12] These federal policies and plans include the National Strategy to Secure Cyberspace, the interim National Infrastructure Protection Plan, the Cyber Incident Annex to the National Response Plan (December 2004), and Homeland Security Presidential Directive 7. [13] These entities include the Department of State, the Central Intelligence Agency, the Department of the Treasury, the Federal Emergency Management Agency, the Department of Defense, the Joint Staff, the Department of Justice, the General Services Administration, the Department of the Interior, the National Aeronautics and Space Administration, the Department of Agriculture, the Nuclear Regulatory Commission, the Department of Commerce, the National Security Agency, the Department of Health and Human Services, the National Telecommunications and Information Administration, the Department of Transportation, the United States Postal Service, the Department of Energy, the Federal Reserve Board, the Department of Veterans Affairs, the Federal Communications Commission, and the Department of Homeland Security. [14] The Network Reliability and Interoperability Council, NRIC Best Practices, NRIC Best Practices Selector Tool, http://www.bell- labs.com/cgi-user/krauscher/bestp.pl (viewed Apr. 19, 2006). [15] GAO-05-434. [16] GAO, Information Security: Code Red, Code Red II, and SirCam Attacks Highlight Need for Proactive Measures, GAO-01-1073T (Washington, D.C.: Aug. 29, 2001). [17] Top-level domains are the right-most label following the last period in a domain name; for example, for www.senate.gov, .gov is the top-level domain. There are generic top-level domains, which include .com, .edu, .gov, .int, .mil, .net, and .org, among others. There are also country code top- level domains, such as .us, .uk, and .jp. [18] The Homeland Security Act of 2002, Pub. L. No. 107-296 (Nov. 25, 2002). [19] Homeland Security Presidential Directive 7 (Dec. 17, 2003). [20] Act of September 8, 1950, c. 932, 64 Stat. 798, as amended; codified at 50 U.S.C. App. Section 2061 et seq. [21] Pub. L. No. 93-288, 88 Stat. 143 (1974). [22] Communications Act of 1934 (June 19, 1934), ch. 652, 48 Stat. 1064. [23] Executive Order 12472 (Apr. 3, 1984), as amended by Executive Order 13286 (Feb. 28, 2003). [24] Communications Act of 1934, Section 706, 47 U.S.C § 606. [25] The White House, National Strategy to Secure Cyberspace. [26] The National Security Telecommunications Advisory Committee advises the President on issues and problems related to implementing national security and emergency preparedness telecommunications policy. [27] GAO-05-471. [28] GAO-05-471. [29] GAO, Hurricane Katrina: GAO's Preliminary Observations Regarding Preparedness, Response, and Recovery, GAO-06-442T (Washington, D.C.: Mar. 8, 2006); and the White House, The Federal Response to Hurricane Katrina: Lessons Learned (Washington, D.C.: February 2006). [30] GAO, Information Sharing: DHS Should Take Steps to Encourage More Widespread Use of Its Program to Protect and Share Critical Infrastructure Information, GAO-06-383 (Washington, D.C.: Apr. 17, 2006); Information Sharing: The Federal Government Needs to Establish Policies and Processes for Sharing Terrorism-Related and Sensitive but Unclassified Information, GAO-06-385 (Washington, D.C.: Mar. 17, 2006); and GAO-05-434. [31] Pub. L. No. 92-463, 86 Stat. 770 (1972) codified at 5 U.S.C. app. 2. [32] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: January 2005); and High-Risk Series: An Update, GAO-03-119 (Washington, D.C.: January 2003). [33] GAO-05-434. [34] These were the Telecommunications, Information Technology, and Multi-State Information Sharing and Analysis Centers. [35] Pub. L. No. 107-296 (Nov. 25, 2002). [36] Act of September 8, 1950, c. 932, 64 Stat. 798, as amended; codified at 50 U.S.C. App. Section 2061 et seq. [37] Congressional Research Service, David E. Lockwood, Defense Production Act: Purpose and Scope, RS20587 (Oct. 16, 2002). [38] For example, Joseph J. Petrillo, "Time to dust off emergency procurement rules?," Government Computer News (Nov. 5, 2001); Lee M. Zeichner, "Use of the Defense Production Act for 1950 for Critical Infrastructure Protection," reprinted in Security in the Information Age; New Challenges, New Strategies, Joint Economic Committee, United States Congress (May 2002); and Major Federal Legislation, A "Legal Foundations" Study, Report 6 of 12, Report to the President's Commission on Critical Infrastructure Protection (1997). [39] The California Energy Crisis and Use of the Defense Production Act, Hearing Before the Committee on Banking, Housing, and Urban Affairs, United States Senate, 107th Cong. 1st Sess. (Feb. 9, 2001). [40] S. Rep. No. 108-156, 108th Cong. 1st Sess. September 30, 2003, at 1-2. [41] Pub. L. No. 103-337, section 3411(b) (Oct. 5, 1994). [42] Pub. L. No. 108-195 (Dec. 19, 2003). [43] That definition reads as follows: "The term 'critical infrastructure' means any systems and assets, whether physical or cyber- based, so vital to the United States that the degradation or destruction of such systems and assets would have a debilitating impact on national security and national public health or safety." [44] Pub. L. No. 93-288, 88 Stat. 143 (1974). [45] The Stafford Act also authorizes declaration of an emergency, which has less stringent requirements and triggers less comprehensive forms of assistance. Congressional Research Service, Keith Bea, Federal Stafford Act Disaster Assistance: Presidential Declarations, Eligible Activities, and Funding, RL33053 (Jan. 24, 2006). [46] Congressional Research Service, Charles B. Goldfarb, Telecommunications Act: Competition, Innovation, and Reform, RL33034 (Aug. 12, 2005) and 47 U.S.C. 151 et seq. [47] Communications Act of 1934, June 19, 1934, ch. 652, 48 Stat. 1064. [48] Section 706 of the act, discussed below, grants wartime powers to the President, enabling the federal government to provide telecommunications services deemed critical to national security interest during times of war or national emergency. [49] Pub. L. No. 104-104, 110 Stat. 56 (1996). [50] Congressional Research Service, John Moteff, Computer Security: A Summary of Selected Federal Laws, Executive Orders, and Presidential Directives, RL32357 (Apr. 16, 2004). [51] GAO, Critical Infrastructure Protection: Significant Homeland Security Challenges Need to Be Addressed, GAO-02-918T (Washington, D.C.: July 9, 2002). [52] 47 U.S.C. § 606. [53] The Internet is generally understood as a vast network of interconnected global information systems that are logically linked together by a globally unique address space based on the Internet Protocol (IP) or its subsequent extensions/follow-ons. This network supports communications using the Transmission Control Protocol/ Internet Protocol (TCP/IP) suite or its subsequent extensions/follow- ons, and/or other IP-compatible protocols. [54] Pursuant to recommendations made in numerous after action reports examining the Federal government's response to Hurricanes Katrina, Rita, and Wilma, the Department has recently put forward a proposal for a number of changes to the National Response Plan. One of these changes would replace the existing Interagency Incident Management Group (IIMG) with an Interagency Advisory Committee, "a task organized advisory body comprised of senior representatives from DHS components and headquarters staff offices, other Federal departments and agencies, and NGOs . . . [which] provide[s] the Secretary with strategic recommendations that facilitate immediate and effective action(s) to prevent, prepare for, respond to, and/or recover from an incident." GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: