Information Security: Progress Made, But Challenges Remain to
Protect Federal Systems and the Nation's Critical Infrastructures
(08-APR-03, GAO-03-564T).

Protecting the computer systems that support federal agencies'
operations and our nation's critical infrastructures--such as
power distribution, telecommunications, water supply, and
national defense--is a continuing concern. These concerns are
well-founded for a number of reasons, including the dramatic
increases in reported computer security incidents, the ease of
obtaining and using hacking tools, the steady advance in the
sophistication and effectiveness of attack technology, and the
dire warnings of new and more destructive attacks. GAO first
designated computer security as high risk in 1997, and in 2003
expanded this high-risk area to include protecting the systems
that support our nation's critical infrastructures, referred to
as cyber critical infrastructure protection or cyber CIP. GAO has
made previous recommendations and periodically testified on
federal information security weaknesses--including agencies'
progress in implementing key legislative provisions on
information security--and the challenges that the nation faces in
protecting our nation's critical infrastructures. GAO was asked
to provide an update on the status of federal information
security and CIP.
-------------------------Indexing Terms-------------------------
REPORTNUM:   GAO-03-564T
    ACCNO:   A06617
    TITLE:   Information Security: Progress Made, But Challenges
             Remain to Protect Federal Systems and the Nation's
             Critical Infrastructures
     DATE:   04/08/2003
  SUBJECT:   Computer crimes
             Computer security
             Information technology
             Internal controls
             National preparedness
             Information resources management
             Noncompliance
             Strategic planning

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-03-564T

Testimony Before the Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census, Committee on Government
Reform, House of Representatives

United States General Accounting Office

For Release on Delivery, Expected at 9:30 a.m. EDT, Tuesday, April 8,
2003

INFORMATION SECURITY

Progress Made, But Challenges Remain to Protect Federal Systems and the
Nation's Critical Infrastructures

Statement of Robert F. Dacey, Director, Information Security Issues

GAO-03-564T

This is a work of the U. S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

With the enactment of the Federal Information Security Management Act of
2002, the Congress continued its efforts to improve federal information
security by permanently authorizing and strengthening key information
security requirements. The administration has also made progress through a
number of efforts, among them the Office of Management and Budget's
emphasis of information security in the budget process.

However, significant information security weaknesses at 24 major agencies
continue to place a broad array of federal operations and assets at risk
of fraud, misuse, and disruption. Although recent reporting by these
agencies showed some improvements, GAO found that agencies still have not
established information security programs consistent with the legal
requirements. For example, periodic testing of security controls is
essential to security program management, but for fiscal year 2002, 14
agencies reported they had tested the controls of less than 60 percent of
their systems (see figure below). Further information security improvement
efforts are also needed at the governmentwide level, and these efforts
need to be guided by a comprehensive strategy in which roles and
responsibilities are clearly delineated, appropriate guidance is given,
adequate technical expertise is obtained, and sufficient agency
information security resources are allocated. Although improvements have
been made in protecting our nation's critical infrastructures and
continuing efforts are in progress, further efforts are needed to address
critical challenges that GAO has identified over the last several years.
These challenges include

- developing a comprehensive and coordinated national CIP plan;

- improving information sharing on threats and vulnerabilities between the
  private sector and the federal government, as well as within the
  government itself;

- improving analysis and warning capabilities for both cyber and physical
  threats; and

- encouraging entities outside the federal government to increase their
  CIP efforts.

Figure: Percentage of systems with security controls tested during fiscal
year 2002


www.gao.gov/cgi-bin/getrpt?GAO-03-564T. To view the full testimony, click
on the link above. For more information, contact Robert F. Dacey at
(202) 512-3317 or daceyr@gao.gov.

Highlights of GAO-03-564T, a testimony before the Subcommittee on
Technology, Information Policy, Intergovernmental Relations and the
Census, Committee on Government Reform, House of Representatives

April 8, 2003


Mr. Chairman and Members of the Subcommittee:

I am pleased to be here today to discuss the challenges that our nation
faces concerning federal information security and critical infrastructure
protection (CIP). Federal agencies and other public and private entities
rely extensively on computerized systems and electronic data to support
their missions. CIP involves activities that enhance the security of the
cyber and physical public and private infrastructures that are essential
to our national security, national economic security, and/or national
public health and safety. Accordingly, the security of these systems and
data is essential to avoiding disruptions in critical operations, data
tampering, fraud, and inappropriate disclosure of sensitive information.
Further, protecting against computer-based attacks on critical
infrastructures is an important aspect of homeland security.

The Congress has continued to hold important hearings and has passed
legislation that the President has signed into law to strengthen
information security practices throughout the federal government and to
better address threats to the nation's critical computer-dependent
infrastructures. Such legislation includes Government Information Security
Reform provisions (commonly known as "GISRA"), which established
information security program, evaluation, and reporting requirements for
federal agencies;[1] the recently enacted Federal Information Security
Management Act of 2002 ("FISMA"), which permanently authorized and
strengthened GISRA;[2] and the Homeland Security Act of 2002, which, among
other things, consolidated certain essential CIP functions and
organizations in the Department of Homeland Security.

In my testimony today, I will provide an overview of the increasing nature
of cyber security threats and vulnerabilities and of the continuing
pervasive weaknesses that led GAO to initially begin reporting information
security as a governmentwide high-risk issue in 1997. I will then discuss
the status of actions taken by the Office of Management and Budget (OMB)
to address overall weaknesses and challenges identified through its GISRA
analyses, as well as the federal government's continuing need to be guided
by a comprehensive improvement strategy. I will also discuss the results
of our evaluation of efforts by 24 of the largest federal agencies to
implement the requirements of GISRA and to identify and correct their
information security weaknesses.[3] Finally, I will discuss the federal
government's evolving approach to and current strategies for protecting
our nation's critical infrastructures. In this discussion, I will
highlight the challenges, identified in prior GAO work, that the nation
continues to face in implementing CIP. These challenges include developing
a comprehensive and coordinated national CIP plan, implementing better
information sharing on threats and vulnerabilities, improving analysis and
warning capabilities, and ensuring appropriate incentives to encourage
nonfederal CIP efforts. In January 2003, GAO expanded its information
security high-risk issue to include cyber CIP.[4]

As agreed, this testimony incorporates the preliminary results of our
analyses of federal agencies' efforts to implement GISRA information
security requirements during fiscal year 2002, which was originally
requested by the chair and ranking minority member of a former
subcommittee of the House Government Reform Committee. In conducting this
review, we analyzed (1) executive summaries and reports that summarized
management reviews by the 24 agencies for their information security
programs, (2) inspector general (IG) summaries and reports on their
independent evaluations of these agencies' programs, and (3) agency plans
to correct their identified information security weaknesses. We did not
validate the accuracy of the data provided in these summaries, reports,
and plans. We also discussed with OMB officials the status of their
actions and initiatives to improve and provide additional guidance for
federal information security. We performed our work from September 2002
to April 2003 in accordance with generally accepted government auditing
standards.

[1] Title X, Subtitle G--Government Information Security Reform, Floyd D.
Spence National Defense Authorization Act for Fiscal Year 2001, P.L.
106-398, October 30, 2000.

[2] Title III--Federal Information Security Management Act of 2002,
E-Government Act of 2002, P.L. 107-347, December 17, 2002. This act
superseded an earlier version of FISMA that was enacted as Title X of the
Homeland Security Act of 2002.

[3] These are the Departments of Agriculture, Commerce, Defense,
Education, Energy, Health and Human Services, Housing and Urban
Development, Interior, Justice, Labor, State, Transportation, Treasury,
and Veterans Affairs, the Environmental Protection Agency, Federal
Emergency Management Agency, General Services Administration, Office of
Personnel Management, National Aeronautics and Space Administration,
National Science Foundation, Nuclear Regulatory Commission, Small Business
Administration, Social Security Administration, and U.S. Agency for
International Development.

[4] U.S. General Accounting Office, High Risk Series: Protecting
Information Systems Supporting the Federal Government and the Nation's
Critical Infrastructures, GAO-03-121 (Washington, D.C.: January 2003).

Results in Brief

Protecting the computer systems that support our nation's critical
operations and infrastructures is a continuing concern.
Telecommunications, power distribution, water supply, public health
services, national defense (including the military's warfighting
capability), law enforcement, government services, and emergency services
all depend on the security of their computer operations. Yet with this
dependency comes an increasing concern about attacks from individuals and
groups with malicious intent, such as crime, terrorism, foreign
intelligence gathering, and acts of war. Such concerns are well founded
for a number of reasons, including the dramatic increases in reported
computer security incidents, the ease of obtaining and using hacking
tools, the steady advance in the sophistication and effectiveness of
attack technology, and the dire warnings of new and more destructive
attacks.

With the enactment of FISMA, the Congress continued its efforts to improve
federal information security by permanently authorizing and strengthening
the information security program, evaluation, and reporting requirements
established by GISRA. The administration has also made progress through a
number of efforts, including OMB's emphasis of information security in the
budget process and e-government initiatives and the National Institute of
Standards and Technology's (NIST) issuance of additional computer security
guidance. However, our recently reported analyses of audit and evaluation
reports issued from October 2001 to October 2002 for 24 major agencies
showed that significant information security weaknesses continue to place
a broad array of federal operations and assets at risk of fraud, misuse,
and disruption. For example, all 24 agencies had weaknesses in security
program management, which provides the framework for ensuring that risks
are understood and that effective controls are selected and properly
implemented. In addition, although our most recent analyses of fiscal year
2002 GISRA reporting by these agencies showed some improvements, agencies
still have not established information security programs consistent with
the requirements of GISRA. For example, although the percentage of systems
assessed for risk increased for 13 agencies, for 9 agencies, less than 60
percent of their systems had risk assessments (an essential element of
risk management and overall security program management that helps ensure
that the greatest risks have been identified and addressed). Further,
although 15 agencies reported increases in the number of systems for which
controls had been tested and evaluated, 14 reported that controls had been
tested for less than 60 percent of their systems.

As we have previously recommended, further information security
improvement efforts are needed at the governmentwide level, and it is
important that these efforts are guided by a comprehensive strategy. As
the development of this strategy continues, there are a number of
important steps that the administration and the agencies should take to
ensure that information security receives appropriate attention and
resources and that known deficiencies are addressed. These steps include
delineating the roles and responsibilities of the numerous entities
involved in federal information security and related aspects of CIP;
providing more specific guidance on the controls that agencies need to
implement; obtaining adequate technical expertise to select, implement,
and maintain controls to protect information systems; and allocating
sufficient agency resources for information security.

Federal awareness of the importance of securing our nation's critical
infrastructures has continued to evolve since the mid-1990s. Over the
years, a variety of working groups has been formed, special reports
written, federal policies issued, and organizations created to address
the issues that have been raised. Although the actions taken to date are
major steps to more effectively protect our nation's critical
infrastructures, we have identified and made numerous recommendations
over the last several years concerning critical infrastructure challenges
that need to be addressed. For each of these challenges, improvements
have been made and continuing efforts are in progress. However, even
greater efforts are needed to address them. These challenges include the
following:

- Developing a comprehensive and coordinated national CIP plan. A more
  complete plan is needed that will address specific roles,
  responsibilities, and relationships for all CIP entities; clearly define
  interim objectives and milestones; set time frames for achieving
  objectives; and establish performance measures.

- Improving information sharing on threats and vulnerabilities.
  Information sharing is a key element in developing comprehensive and
  practical approaches to defending against cyber and physical attacks,
  which could threaten the national welfare. Information sharing needs to
  be enhanced both within the government and between the federal
  government and the private sector and state and local governments.

- Improving analysis and warning capabilities. More robust analysis and
  warning capabilities, including an effective methodology for strategic
  analysis and framework for collecting needed threat and vulnerability
  information, are still needed to identify threats and provide timely
  warnings. Such capabilities need to address both cyber and physical
  threats.

- Encouraging entities outside the federal government to increase their
  CIP efforts. Although budget requests include funds (1) to identify key
  critical infrastructure vulnerabilities and support the necessary steps
  to ensure that our nation's critical infrastructures are adequately
  secured across all critical infrastructure sectors and (2) for outreach
  efforts to state and local government and the private sector, incentives
  will still be needed to encourage nonfederal entities to increase their
  CIP efforts. These incentives could include grants, regulations, tax
  incentives, and regional coordination and partnership.

It is also important that CIP efforts are appropriately integrated with
the transition of certain CIP functions and entities to the new Department
of Homeland Security (DHS).

Incidents, Threats, and Potential Attack Consequences Are Significantly
Increasing

Dramatic increases in computer interconnectivity, especially in the use of
the Internet, continue to revolutionize the way our government, our
nation, and much of the world communicate and conduct business. The
benefits have been enormous. Vast amounts of information are now literally
at our fingertips, facilitating research on virtually every topic
imaginable; financial and other business transactions can be executed
almost instantaneously, often 24 hours a day; and electronic mail,
Internet Web sites, and computer bulletin boards allow us to communicate
quickly and easily with a virtually unlimited number of individuals and
groups.

However, in addition to such benefits, this widespread interconnectivity
poses significant risks to the government's and our nation's computer
systems and, more important, to the critical operations and
infrastructures they support. For example, telecommunications, power
distribution, water supply, public health services, national defense
(including the military's warfighting capability), law enforcement,
government services, and emergency services all depend on the security of
their computer operations. The speed and accessibility that create the
enormous benefits of the computer age, on the other hand, if not properly
controlled, allow individuals and organizations to inexpensively eavesdrop
on or interfere with these operations from remote locations for
mischievous or malicious purposes, including fraud or sabotage. Table 1
summarizes the key threats to our nation's infrastructures, as observed by
the Federal Bureau of Investigation (FBI).

Table 1: Threats to Critical Infrastructure Observed by the FBI

Threat / Description

Criminal groups
    There is an increased use of cyber intrusions by criminal groups who
    attack systems for purposes of monetary gain.

Foreign intelligence services
    Foreign intelligence services use cyber tools as part of their
    information gathering and espionage activities.

Hackers
    Hackers sometimes crack into networks for the thrill of the challenge
    or for bragging rights in the hacker community. While remote cracking
    once required a fair amount of skill or computer knowledge, hackers
    can now download attack scripts and protocols from the Internet and
    launch them against victim sites. Thus, while attack tools have become
    more sophisticated, they have also become easier to use.

Hacktivists
    Hacktivism refers to politically motivated attacks on publicly
    accessible Web pages or e-mail servers. These groups and individuals
    overload e-mail servers and hack into Web sites to send a political
    message.

Information warfare
    Several nations are aggressively working to develop information
    warfare doctrine, programs, and capabilities. Such capabilities enable
    a single entity to have a significant and serious impact by disrupting
    the supply, communications, and economic infrastructures that support
    military power--impacts that, according to the Director of Central
    Intelligence,(a) can affect the daily lives of Americans across the
    country.

Insider threat
    The disgruntled organization insider is a principal source of computer
    crimes. Insiders may not need a great deal of knowledge about computer
    intrusions because their knowledge of a victim system often allows
    them to gain unrestricted access to cause damage to the system or to
    steal system data. The insider threat also includes outsourcing
    vendors.

Virus writers
    Virus writers are posing an increasingly serious threat. Several
    destructive computer viruses and "worms" have harmed files and hard
    drives, including the Melissa Macro Virus, the Explore.Zip worm, the
    CIH (Chernobyl) Virus, Nimda, and Code Red.

Source: Federal Bureau of Investigation unless otherwise indicated.
(a) Prepared Statement of George J. Tenet, Director of Central
Intelligence, before the Senate Select Committee on Intelligence,
February 2, 2000.

Government officials are increasingly concerned about attacks from
individuals and groups with malicious intent, such as crime, terrorism,
foreign intelligence gathering, and acts of war. According to the FBI,
terrorists, transnational criminals, and intelligence services are quickly
becoming aware of and using information exploitation tools such as
computer viruses, Trojan horses, worms, logic bombs, and eavesdropping
sniffers that can destroy, intercept, degrade the integrity of, or deny
access to data.[5] In addition, the disgruntled organization insider is a
significant threat, since these individuals often have knowledge that
allows them to gain unrestricted access and inflict damage or steal assets
without possessing a great deal of knowledge about computer intrusions. As
greater amounts of money are transferred through computer systems, as more
sensitive economic and commercial information is exchanged electronically,
and as the nation's defense and intelligence communities increasingly rely
on commercially available information technology (IT), the likelihood
increases that information attacks will threaten vital national interests.

As the number of individuals with computer skills has increased, more
intrusion or "hacking" tools have become readily available and relatively
easy to use. A hacker can literally download tools from the Internet and
"point and click" to start an attack. Experts also agree that there has
been a steady advance in the sophistication and effectiveness of attack
technology. Intruders quickly develop attacks to exploit vulnerabilities
discovered in products, use these attacks to compromise computers, and
share them with other attackers. In addition, they can combine these
attacks with other forms of technology to develop programs that
automatically scan the network for vulnerable systems, attack them,
compromise them, and use them to spread the attack even further.

Along with these increasing threats, the number of computer security
incidents reported to the CERT(R) Coordination Center[6] has also risen
dramatically from 9,859 in 1999 to 52,658 in 2001 and 82,094 in 2002. And
these are only the reported attacks. The Director of CERT Centers stated
that he estimates that as much as 80 percent of actual security incidents
goes unreported, in most cases because (1) the organization was unable to
recognize that its systems had been penetrated or there were no
indications of penetration or attack, or (2) the organization was
reluctant to report. Figure 1 shows the number of incidents reported to
the CERT Coordination Center from 1995 through 2002.

[5] Virus: a program that "infects" computer files, usually executable
programs, by inserting a copy of itself into the file. These copies are
usually executed when the "infected" file is loaded into memory, allowing
the virus to infect other files. Unlike the computer worm, a virus
requires human involvement (usually unwitting) to propagate. Trojan horse:
a computer program that conceals harmful code. A Trojan horse usually
masquerades as a useful program that a user would wish to execute. Worm:
an independent computer program that reproduces by copying itself from one
system to another across a network. Unlike computer viruses, worms do not
require human involvement to propagate. Logic bomb: in programming, a form
of sabotage in which a programmer inserts code that causes the program to
perform a destructive action when some triggering event occurs, such as
terminating the programmer's employment. Sniffer: synonymous with packet
sniffer. A program that intercepts routed data and examines each packet in
search of specified information, such as passwords transmitted in clear
text.

[6] The CERT(R) Coordination Center (CERT(R) CC) is a center of Internet
security expertise at the Software Engineering Institute, a federally
funded research and development center operated by Carnegie Mellon
University.

Figure 1: Information Security Incidents Reported to Carnegie-Mellon's
CERT Coordination Center from 1995 through 2002

According to the National Security Agency, foreign governments already
have or are developing computer attack capabilities, and potential
adversaries are developing a body of knowledge about U.S. systems and
methods to attack these systems. Since the terrorist attacks of September
11, 2001, warnings of the potential for terrorist cyber attacks against
our critical infrastructures have also increased. For example, in February
2002, the threat to these infrastructures was highlighted by the Special
Advisor to the President for Cyberspace Security in a Senate briefing when
he stated that although to date none of the traditional terrorist groups,
such as al Qaeda, have used the Internet to launch a known assault on the
United States' infrastructure, information on water systems was discovered
on computers found in al Qaeda camps in Afghanistan.[7] Also, in his
February 2002 statement for the Senate Select Committee on Intelligence,
the director of central intelligence discussed the possibility of cyber
warfare attack by terrorists.[8] He stated that the September 11 attacks
demonstrated the nation's dependence on critical infrastructure systems
that rely on electronic and computer networks. Further, he noted that
attacks of this nature would become an increasingly viable option for
terrorists as they and other foreign adversaries become more familiar with
these targets and the technologies required to attack them.

Since September 11, 2001, the critical link between cyberspace and
physical space has been increasingly recognized. In his November 2002
congressional testimony, the Director of the CERT Centers at Carnegie
Mellon University noted that supervisory control and data acquisition
(SCADA) systems and other forms of networked computer systems have been
used for years to control power grids, gas and oil distribution
pipelines, water treatment and distribution systems, hydroelectric and
flood control dams, oil and chemical refineries, and other physical
systems, and that these control systems are increasingly being connected
to communications links and networks to reduce operational costs by
supporting remote maintenance, remote control, and remote update
functions.[9] These computer-controlled and network-connected systems are
potential targets for individuals bent on causing massive disruption and
physical damage, and the use of commercial, off-the-shelf technologies
for these systems without adequate security enhancements can
significantly limit available approaches to protection and may increase
the number of potential attackers.

[7] "Administrative Oversight: Are We Ready for A CyberTerror Attack?"
Testimony before the Senate Committee on the Judiciary, Subcommittee on
Administrative Oversight and the Courts, by Richard A. Clarke, Special
Advisor to the President for Cyberspace Security and Chairman of the
President's Critical Infrastructure Protection Board (Feb. 13, 2002).

[8] Testimony of George J. Tenet, Director of Central Intelligence, before
the Senate Select Committee on Intelligence, Feb. 6, 2002.

[9] Testimony of Richard D. Pethia, Director, CERT Centers, Software
Engineering Institute, Carnegie Mellon University, before the House
Committee on Government Reform, Subcommittee on Government Efficiency,
Financial Management and Intergovernmental Relations, November 19, 2002.

The risks posed by this increasing and evolving threat are demonstrated in
reports of actual and potential attacks and disruptions. For example:

- On February 11, 2003, the National Infrastructure Protection Center
  (NIPC) issued an advisory to heighten the awareness of an increase in
  global hacking activities as a result of the increasing tensions between
  the United States and Iraq.[10] This advisory noted that during a time
  of increased international tension, illegal cyber activity often
  escalates, such as spamming, Web page defacements, and denial-of-service
  attacks. Further, this activity can originate within another country
  that is party to the tension; can be state sponsored or encouraged; or
  can come from domestic organizations or individuals independently. The
  advisory also stated that attacks may have one of several objectives,
  including political activism targeting Iraq or those sympathetic to Iraq
  by self-described "patriot" hackers, political activism or disruptive
  attacks targeting United States systems by those opposed to any
  potential conflict with Iraq, or even criminal activity masquerading or
  using the current crisis to further personal goals.

 According to a preliminary study coordinated by the Cooperative
Association for Internet Data Analysis (CAIDA), on January 25, 2003, the
SQL Slammer worm (also known as *Sapphire*) infected more than 90 percent
of vulnerable computers worldwide within 10 minutes of its release on the
Internet, making it the fastest computer worm in history. As the study
reports, exploiting a known vulnerability for which a patch has been
available since July 2002, Slammer doubled in size every 8.5 seconds and
achieved its full scanning rate (55 million scans per second) after about
3 minutes. It caused considerable harm through network outages and such
unforeseen consequences as canceled airline flights and automated teller
machine (ATM) failures. Further, the study emphasizes that the effects
would likely have been more severe had Slammer carried a malicious
payload, attacked a more widespread vulnerability, or targeted a more
popular service.

 In November 2002, news reports indicated that a British computer
administrator was indicted on charges that he broke into 92 U. S. computer
networks in 14 states; these networks belonged to the Pentagon, private
companies, and the National Aeronautics and Space Administration during
the past year, causing some $900,000 in damage to computers. According to
a Justice Department official, these attacks were one of the biggest hacks
ever against the U. S. military. This official also said that the attacker
used his home computer and automated software available on the Internet

10 National Infrastructure Protection Center, National Infrastructure
Protection Center Encourages Heightened Cyber Security as Iraq* U. S.
Tensions Increase, Advisory 03- 002 (Washington, D. C.: Feb. 11, 2003).

Page 11 GAO- 03- 564T to scan tens of thousands of computers on U. S.
military networks looking for ones that might suffer from flaws in
Microsoft Corporation*s Windows

NT operating system software.  On October 21, 2002, NIPC reported that
all the 13 root- name servers that

provide the primary roadmap for almost all Internet communications were
targeted in a massive *distributed denial of service* attack. Seven of the
servers failed to respond to legitimate network traffic, and two others
failed intermittently during the attack. Because of safeguards, most
Internet users experienced no slowdowns or outages.

 In July 2002, NIPC reported that the potential for compound cyber and
physical attacks, referred to as *swarming attacks,* is an emerging threat
to the U. S. critical infrastructure. 11 As NIPC reports, the effects of a
swarming attack include slowing or complicating the response to a physical
attack. For example, cyber attacks can be used to delay the notification
of emergency services and to deny the resources needed to manage the
consequences of a physical attack. In addition, a swarming attack could be
used to worsen the effects of a physical attack. For instance, a cyber
attack on a natural gas distribution pipeline that opens safety valves and
releases fuels or gas in the area of a planned physical attack could
enhance the force of the physical attack. Consistent with this threat,
NIPC also released an information bulletin in April 2002 warning against
possible physical attacks on U. S. financial institutions by unspecified
terrorists. 12  In August 2001, we reported to a subcommittee of the
House Government

Reform Committee that the attacks referred to as Code Red, Code Red II,
and SirCam had affected millions of computer users, shut down Web sites,
slowed Internet service, and disrupted business and government operations.
Then in September 2001, the Nimda worm appeared using some of the most
significant attack profile aspects of Code Red II and 1999*s infamous
Melissa virus that allowed it to spread widely in a short amount of time.
Security experts estimate that Code Red, Sircam, and Nimda have caused
billions of dollars in damage. 13 11 National Infrastructure Protection
Center, Swarming Attacks: Infrastructure Attacks for

Destruction and Disruption (Washington, D. C.: July 2002). 12 National
Infrastructure Protection Center, Possible Terrorism Targeting of US
Financial System* Information Bulletin 02- 003 (Washington, D. C.: Apr.
19, 2002). 13 U. S. General Accounting Office, Information Security: Code
Red, Code Red II, and SirCam Attacks Highlight Need for Proactive
Measures; GAO- 01- 1073T (Washington, D. C.: Aug. 29, 2001).
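The Slammer item above quotes a doubling time of 8.5 seconds and near-complete infection within minutes; those figures are what the standard random-scanning worm model predicts, and the same model shows why the patch that had been available since July 2002 mattered: the early growth rate scales with the number of still-vulnerable hosts. The following Python is an added example, not part of the testimony or the CAIDA study; the 75,000-host vulnerable population and the patched fractions are constructed assumptions.

```python
"""Random-scanning worm growth, parameterised by the Slammer figures quoted
in the testimony (doubling every 8.5 seconds in the early phase).

Added illustration: the vulnerable-population size and the patched fractions
below are constructed assumptions, not figures from the testimony or CAIDA.
"""
import math
from typing import Tuple

DOUBLING_TIME_S = 8.5        # early-phase doubling time quoted for Slammer
VULNERABLE_HOSTS = 75_000    # assumed size of the vulnerable population
INITIAL_INFECTED = 1         # a single seed host


def growth_rate(doubling_time_s: float) -> float:
    """Per-second exponential growth constant k for a given doubling time."""
    return math.log(2.0) / doubling_time_s


def infected_fraction(t: float, a0: float, k: float) -> float:
    """Fraction of vulnerable hosts infected at time t (seconds).

    Closed-form solution of the random constant spread model
    da/dt = k * a * (1 - a): every infected host scans random addresses,
    so new infections are proportional to a and to the uninfected share 1-a.
    """
    return 1.0 / (1.0 + (1.0 / a0 - 1.0) * math.exp(-k * t))


def time_to_fraction(target: float, a0: float, k: float) -> float:
    """Seconds until the infected fraction first reaches `target`."""
    if not a0 < target < 1.0:
        raise ValueError("target must lie strictly between a0 and 1")
    return math.log((target / (1.0 - target)) * ((1.0 - a0) / a0)) / k


def doubling_time_after_patching(patched_fraction: float,
                                 base_doubling_s: float = DOUBLING_TIME_S) -> float:
    """Early-phase doubling time when a share of hosts is patched beforehand.

    In the random-scan model, k is proportional to the number of vulnerable
    hosts (a random IPv4 address is vulnerable with probability N_vuln/2^32),
    so patching a fraction p before release stretches the doubling time by
    1/(1-p): half the targets patched means half the growth rate.
    """
    if not 0.0 <= patched_fraction < 1.0:
        raise ValueError("patched_fraction must be in [0, 1)")
    return base_doubling_s / (1.0 - patched_fraction)


def spread_timeline(patched_fraction: float = 0.0) -> Tuple[float, float]:
    """(seconds to 50 %, seconds to 90 %) of the *remaining* vulnerable hosts."""
    remaining = VULNERABLE_HOSTS * (1.0 - patched_fraction)
    a0 = INITIAL_INFECTED / remaining
    k = growth_rate(doubling_time_after_patching(patched_fraction))
    return time_to_fraction(0.5, a0, k), time_to_fraction(0.9, a0, k)


if __name__ == "__main__":
    for p in (0.0, 0.5, 0.9):
        t50, t90 = spread_timeline(p)
        print(f"patched {p:>4.0%}: 50% infected after {t50:7.1f} s, "
              f"90% after {t90:7.1f} s ({t90 / 60:.1f} min)")
```

The model ignores the network saturation that the text credits with Slammer's outages, so its times are a floor on how fast an unpatched population falls; what it isolates is that patching before release slows the spread in proportion to the patched share.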

Significant Weaknesses Persist in Federal Information Security

For the federal government, we have reported since 1996 that poor information security is a widespread problem with potentially devastating consequences.[14] Although agencies have taken steps to redesign and strengthen their information system security programs, our analyses of information security at major federal agencies have shown that federal systems were not being adequately protected from computer-based threats, even though these systems process, store, and transmit enormous amounts of sensitive data and are indispensable to many federal agency operations. For the past several years, we have analyzed audit results for 24 of the largest federal agencies and found that all 24 had significant information security weaknesses.[15] Further, we have identified information security as a governmentwide high-risk issue in reports to the Congress since 1997, most recently in January 2003.[16] As we reported in November 2002, our analyses of reports issued from October 2001 through October 2002 continued to show significant weaknesses in federal computer systems that put critical operations and assets at risk.[17] Weaknesses continued to be reported in each of the 24 agencies included in our review,[18] and they covered all six major areas of general controls, that is, the policies, procedures, and technical controls that apply to all or a large segment of an entity's information systems and help ensure their proper operation. These six areas are (1) security program management, which provides the framework for ensuring that risks are understood and that effective controls are selected and properly implemented; (2) access controls, which ensure that only authorized individuals can read, alter, or delete data; (3) software development and change controls, which ensure that only authorized software programs are implemented; (4) segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection; (5) operating systems controls, which protect sensitive programs that support multiple applications from tampering and misuse; and (6) service continuity, which ensures that computer-dependent operations experience no significant disruptions. Figure 2 illustrates the distribution of weaknesses for the six general control areas across the 24 agencies.

[14] U.S. General Accounting Office, Information Security: Opportunities for Improved OMB Oversight of Agency Practices, GAO/AIMD-96-110 (Washington, D.C.: Sept. 24, 1996).

[15] U.S. General Accounting Office, Information Security: Serious Weaknesses Place Critical Federal Operations and Assets at Risk, GAO/AIMD-98-92 (Washington, D.C.: Sept. 23, 1998); Information Security: Serious and Widespread Weaknesses Persist at Federal Agencies, GAO/AIMD-00-295 (Washington, D.C.: Sept. 6, 2000); Computer Security: Improvements Needed to Reduce Risk to Critical Federal Operations and Assets, GAO-02-231T (Washington, D.C.: Nov. 9, 2001); and Computer Security: Progress Made, but Critical Federal Operations and Assets Remain at Risk, GAO-02-303T (Washington, D.C.: Nov. 19, 2002).

[16] GAO-03-121.

[17] GAO-03-303T.

[18] Does not include the Department of Homeland Security, which was created by the Homeland Security Act in November 2002.

Figure 2: Computer Security Weaknesses at 24 Major Federal Agencies

Although our analyses showed that most agencies had significant weaknesses in these six control areas, as in past years' analyses, weaknesses were most often identified for security program management and access controls.

• For security program management, we identified weaknesses for all 24 agencies in 2002, the same as reported for 2001, and compared to 21 of the 24 agencies (88 percent) in 2000. Security program management, which is fundamental to the appropriate selection and effectiveness of the other categories of controls, covers a range of activities related to understanding information security risks; selecting and implementing controls commensurate with risk; and ensuring that controls, once implemented, continue to operate effectively.

• For access controls, we found weaknesses for 22 of 24 agencies (92 percent) in 2002 (no significant weaknesses were found for one agency, and access controls were not reviewed for another). This compares to access control weaknesses found in all 24 agencies for both 2000 and 2001. Weak access controls for sensitive data and systems make it possible for an individual or group to inappropriately modify, destroy, or disclose sensitive data or computer programs for purposes such as personal gain or sabotage. In today's increasingly interconnected computing environment, poor access controls can expose an agency's information and operations to attacks from remote locations all over the world by individuals with only minimal computer and telecommunications resources and expertise.

Our analyses also showed service- continuity- related weaknesses at 20 of
the 24 agencies (83 percent) with no significant weaknesses found for 3
agencies (service continuity controls were not reviewed for another). This
compares to 19 agencies with service continuity weaknesses found in 2001
and 20 agencies found in 2000. Service continuity controls are important
in that they help ensure that when unexpected events occur, critical
operations will continue without undue interruption and that crucial,
sensitive data are protected. If service continuity controls are
inadequate, an agency can lose the capability to process, retrieve, and
protect electronically maintained information, which can significantly
affect an agency's ability to accomplish its mission. Further, such
controls are particularly important in the wake of the terrorist attacks
of September 11, 2001.

These analyses of information security at federal agencies also showed that the scope of audit work performed has continued to expand to more fully cover all six major areas of general controls at each agency. Not surprisingly, this has led to the identification of additional areas of weakness at some agencies. These increases in reported weaknesses do not necessarily mean that information security at federal agencies is getting worse. They more likely indicate that information security weaknesses are becoming more fully understood, an important step toward addressing the overall problem. Nevertheless, the results leave no doubt that serious, pervasive weaknesses persist. As auditors increase their proficiency and the body of audit evidence expands, it is probable that additional significant deficiencies will be identified. Most of the audits represented in figure 2 were performed as part of financial statement audits. At some agencies with primarily financial missions, such as the Department of the Treasury and the Social Security Administration, these audits covered the bulk of mission-related operations. However, at agencies whose missions are primarily nonfinancial, such as DOD and the Department of Justice, the audits may provide a less complete picture of the agency's overall security posture because the audit objectives focused on the financial statements and did not include evaluations of individual systems supporting nonfinancial operations. However, in response to congressional interest, beginning in fiscal year 1999, we expanded our audit focus to cover a wider range of nonfinancial operations, a trend we expect to continue. Audit coverage for nonfinancial systems has also increased as agencies and their IGs reviewed and evaluated their information security programs as required by GISRA.

To fully understand the significance of the weaknesses we identified, it
is necessary to link them to the risks they present to federal operations
and assets. Virtually all federal operations are supported by automated
systems and electronic data, and agencies would find it difficult, if not
impossible, to carry out their missions and account for their resources
without these information assets. Hence, the degree of risk caused by
security weaknesses is extremely high.

The weaknesses identified place a broad array of federal operations and assets at risk. For example,

• resources, such as federal payments and collections, could be lost or stolen;

• computer resources could be used for unauthorized purposes or to launch attacks on others;

• sensitive information, such as taxpayer data, social security records, medical records, and proprietary business information, could be inappropriately disclosed, browsed, or copied for purposes of espionage or other types of crime;

• critical operations, such as those supporting national defense and emergency services, could be disrupted;

• data could be modified or destroyed for purposes of fraud or disruption; and

• agency missions could be undermined by embarrassing incidents that result in diminished confidence in their ability to conduct operations and fulfill their fiduciary responsibilities.

Congress Consolidates and Strengthens Federal Information Security Requirements

Concerned with accounts of attacks on commercial systems via the Internet and reports of significant weaknesses in federal computer systems that make them vulnerable to attack, on October 30, 2000, Congress enacted GISRA, which became effective November 29, 2000, for a period of 2 years. GISRA supplemented information security requirements established in the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, and the Clinger-Cohen Act of 1996 and was consistent with existing information security guidance issued by the Office of Management and Budget (OMB)[19] and the National Institute of Standards and Technology (NIST),[20] as well as audit and best practice guidance issued by GAO.[21] Most importantly, however, GISRA consolidated these separate requirements and guidance into an overall framework for managing information security and established new annual review, independent evaluation, and reporting requirements to help ensure agency implementation and both OMB and congressional oversight. GISRA assigned specific responsibilities to OMB, agency heads and chief information officers (CIOs), and IGs. OMB was responsible for establishing and overseeing policies, standards, and guidelines for information security. This included the authority to approve agency information security programs, but delegated OMB's responsibilities regarding national security systems to national security agencies. OMB was also required to submit an annual report to the Congress summarizing results of agencies' evaluations of their information security programs. GISRA does not specify a date for this report, and OMB released its fiscal year 2001 report in February 2002. It has not yet released its fiscal year 2002 report.

[19] Primarily OMB Circular A-130, Appendix III, "Security of Federal Automated Information Resources," February 1996.

[20] Numerous publications made available at http://www.itl.nist.gov/, including National Institute of Standards and Technology, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST Special Publication 800-14, September 1996.

[21] U.S. General Accounting Office, Federal Information System Controls Manual, Volume 1: Financial Statement Audits, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999); Information Security Management: Learning from Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.: May 1998).

GISRA required each agency, including national security agencies, to establish an agencywide risk-based information security program to be overseen by the agency CIO and ensure that information security is practiced throughout the life cycle of each agency system. Specifically, this program was to include

• periodic risk assessments that consider internal and external threats to the integrity, confidentiality, and availability of systems, and to data supporting critical operations and assets;

• the development and implementation of risk-based, cost-effective policies and procedures to provide security protections for information collected or maintained by or for the agency;

• training on security responsibilities for information security personnel and on security awareness for agency personnel;

• periodic management testing and evaluation of the effectiveness of policies, procedures, controls, and techniques;

• a process for identifying and remediating any significant deficiencies;

• procedures for detecting, reporting, and responding to security incidents; and

• an annual program review by agency program officials.

In addition to the responsibilities listed above, GISRA required each agency to have an annual independent evaluation of its information security program and practices, including control testing and compliance assessment. The evaluations of non-national-security systems were to be performed by the agency IG or an independent evaluator, and the results of these evaluations were to be reported to OMB. For the evaluation of national security systems, special provisions included having national security agencies designate evaluators, restricting the reporting of evaluation results, and having the IG or an independent evaluator perform an audit of the independent evaluation. For national security systems, only the results of each audit of an evaluation are to be reported to OMB.

With GISRA expiring on November 29, 2002, on December 17, 2002, FISMA was enacted as title III of the E-Government Act of 2002. This act permanently authorizes and strengthens the information security program, evaluation, and reporting requirements established by GISRA. In addition, among other things, FISMA requires NIST to develop, for systems other than national security systems, (1) standards to be used by all agencies to categorize all of their information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels; (2) guidelines recommending the types of information and information systems to be included in each category; and (3) minimum information security requirements for information and information systems in each category. In addition, FISMA requires each agency to develop, maintain, and annually update an inventory of major information systems (including major national security systems) operated by the agency or under its control. This inventory is also to include an identification of the interfaces between each system and all other systems or networks, including those not operated by or under the control of the agency.

Agencies Show Progress in Implementing Security Requirements, but Further Improvement Needed

In our March 2002 testimony, we reported that the initial implementation of GISRA was a significant step in improving federal agencies' information security programs and addressing their serious, pervasive information security weaknesses.[22] Agencies also noted benefits of this first-year implementation, including increased management attention to and accountability for information security, and the administration undertook other important actions to address information security, such as integrating information security into the President's Management Agenda Scorecard. However, along with these benefits, agencies' reviews of their information security programs showed that agencies had not established information security programs consistent with the legislative requirements and that significant weaknesses existed. We also noted that although agency actions were under way to strengthen information security and implement these requirements, significant improvement would require sustained management attention and OMB and congressional oversight.

[22] U.S. General Accounting Office, Information Security: Additional Actions Needed to Fully Implement Reform Legislation, GAO-02-470T (Washington, D.C.: Mar. 6, 2002).

Our analysis of second-year, or fiscal year 2002, implementation of GISRA showed progress in several areas, including the types of information being reported and made available for oversight, governmentwide efforts to improve information security, and agencies' implementation of information security requirements. Despite this progress, our analyses of agency and IG reports showed that the 24 agencies have not yet established information security programs consistent with legislative requirements and that corrective action plans did not always include all identified weaknesses and need independent validation to ensure that weaknesses are corrected.

OMB Includes New Reporting Requirements to Improve Information Available for Oversight

For fiscal year 2002 GISRA reporting, OMB provided the agencies with updated reporting instructions and guidance on preparing and submitting plans of action and milestones (corrective action plans).[23] Like instructions for fiscal year 2001, this updated guidance listed specific topics that the agencies were to address, many of which were referenced back to corresponding requirements of GISRA.[24] However, in response to agency requests and recommendations we made to OMB as a result of our review of fiscal year 2001 GISRA implementation,[25] this guidance also incorporated several significant changes to help improve the consistency and quality of information being reported for oversight by OMB and the Congress. These changes included the following:

• Reporting instructions provided new high-level management performance measures that the agencies and IGs were required to use to report on agency officials' performance. According to OMB, most agencies did not provide performance measures or actual levels of performance where asked to do so for fiscal year 2001 reporting, and the agencies requested that OMB develop such measures. These required performance measures include, for example, the number and percentage of systems that have been assessed for risk, the number of contractor operations or facilities that were reviewed, and the number of employees with significant security responsibilities that received specialized training.

• Instructions confirmed that agencies were expected to review all systems annually. OMB explained that GISRA requires senior agency program officials to review each security program for effectiveness at least annually, and that the purpose of the security programs discussed in GISRA is to ensure the protection of the systems and data covered by the program. Thus, a review of each system is essential to determine the program's effectiveness, and only the depth and breadth of such system reviews are flexible.

• Agencies were generally required to use all elements of NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, to review their systems. This guide accompanies NIST's Security Assessment Framework methodology, which agency officials can use to determine the current status of their security programs.[26] The guide itself uses an extensive questionnaire containing specific control objectives and techniques against which an unclassified system or group of interconnected systems can be tested and measured. For the fiscal year 2001 reporting period, OMB encouraged agencies to use this guide, but did not require its use because it was not completed until well into the reporting period. NIST finalized the guide in November 2001, and for fiscal year 2002 reporting, OMB required its use unless an agency and its IG confirmed that any agency-developed methodology captured all elements of the guide. To automate the completion of the questionnaire, NIST also developed a tool that can be found at its Computer Security Resource Center Web site: http://csrc.nist.gov/asset/.

• OMB requested IGs to verify that agency corrective action plans identify all known security weaknesses within an agency, including components, and are used by the IG and the agency, major components, and program officials within them, as the authoritative agency management mechanism to prioritize, track, and manage all agency efforts to close security performance gaps.

• OMB authorized agencies to release certain information from their corrective action plans to assist the Congress in its oversight responsibilities. Agencies could release this information, as requested, excluding certain elements, such as estimated funding resources and the scheduled completion dates for resolving a weakness.

[23] "Reporting Instructions for the Government Information Security Reform Act and Updated Guidance on Security Plans of Action and Milestones," Memorandum for Heads of Executive Departments and Agencies, Mitchell E. Daniels, Jr., M-02-09, July 2, 2002.

[24] OMB required the agency heads to submit their reports on September 16, 2002, and to include (1) the executive summary developed by the agency CIO, agency program officials, and the IG that is based on the results of their work; (2) copies of the IG's independent evaluations; and (3) for national security systems, audits of the independent evaluations. Agencies' corrective action plans were due to OMB by October 1, 2002, with updates required quarterly beginning January 1, 2003.

[25] U.S. General Accounting Office, Information Security: Additional Actions Needed to Fully Implement Reform Legislation, GAO-02-407 (Washington, D.C.: May 2, 2002).

[26] National Institute of Standards and Technology, Federal Information Technology Security Assessment Framework, prepared for the Federal CIO Council by the NIST Computer Security Division Systems and Network Security Group, Nov. 28, 2000.

OMB Initiatives to Improve Federal Information Security Show Progress

OMB's report to the Congress on fiscal year 2001 GISRA implementation provided an overview of OMB and agencies' implementation efforts, summarized the overall results of OMB's analyses, and included individual agency summaries for 24 of the largest federal departments and agencies.[27] Overall, OMB reported that although examples of good security exist in many agencies, and others were working very hard to improve their performance, many agencies had significant deficiencies in every important area of security. In particular, the report highlighted six common security weaknesses. These weaknesses are listed below along with an update of the activities under way to address them.

1. Lack of senior management attention to information security: Last year, OMB reported that, to address this issue, it was working through the President's Management Council and the Critical Infrastructure Protection Board to promote sustained attention to security as part of its work on the President's Management Agenda and the integration of security into the Scorecard. OMB also reported that it included security instructions in budget passback guidance and sent security letters to each agency highlighting the lack of senior management attention and describing specific actions OMB is taking to assist the agency. According to OMB officials, although the President's Critical Infrastructure Protection Board was recently dissolved, OMB continues to coordinate security issues with the President's Homeland Security Council and the Department of Homeland Security. These officials also said that they are continuing to work with the agencies and that security is an integral part of assessing agencies' performance for the E-Government component of the Scorecard.

[27] Office of Management and Budget, FY 2001 Report to Congress on Federal Government Information Security Reform (February 2002).

Page 22 GAO- 03- 564T 2. Inadequate accountability for job and program
performance related to IT security* OMB reported that it was working with
the agencies

and other entities to develop workable measures of job and program
performance to hold federal employees accountable for their security
responsibilities. As discussed previously, OMB instructions to federal
agencies for fiscal year 2002 GISRA reporting included high- level
management performance measures. Related to this initiative, in October
2002, NIST also issued an initial public draft of a security metrics guide
for IT systems to provide guidance on how an organization, through the use
of metrics, can determine the adequacy of in- place security controls,
policies, and procedures. The draft also explains the metric development
and implementation process and how it can also be used to adequately
justify security control investments. 28 3. Limited security training for
general users, IT professionals, and

security professionals* OMB reported that along with federal agencies, it
was working through the Critical Infrastructure Protection Board*s
education committee and the CIO Council*s Workforce Committee to address
this issue. OMB also reported that work was under way to identify and
disseminate security training best practices through NIST*s Federal Agency
Security Practices Web site and that one of the administration*s
electronic government initiatives is to establish and deliver electronic-
training on a number of mandatory topics, including security, for use by
all federal agencies, along with state and local governments. As an
example of progress on this initiative, OMB officials pointed to an online
training initiative, www.golearn.gov. Launched in July 2002 by the
Office of Personnel Management (OPM), this site offers training in an
online environment, including IT security courses, such as security
awareness, fundamentals of Internet security, and managing network
security. Other activities for this area include NIST's July 2002 issuance
of draft guidance on designing, developing, implementing, and maintaining
an awareness and training program within an agency's IT security
program.29

4. Inadequate integration of security into the capital planning and
investment control process--OMB reported that it was integrating security
into the capital planning and investment control process to ensure that
adequate security is incorporated directly into and funded over the life
cycle of all systems and programs before funding is approved.
Specifically, OMB established criteria that agencies must report security
costs for each major and significant IT investment, document in their
business cases that adequate security controls have been incorporated into
the life cycle planning and funding of each IT investment, and tie their
corrective action plans for a system directly to the business case for
that IT investment. Another criterion was that agency security reports and
corrective action plans were presumed to reflect the agency's security
priorities and, thus, would be a central tool for OMB in prioritizing
funding for systems. OMB officials confirmed that these activities were
continuing and included providing additional guidance in OMB Circular A-11
on identifying security costs. In addition, they said that draft NIST
guidelines for federal IT systems would help to ensure that agencies
consider security throughout the system life cycle.30 Under OMB policy,
responsible federal officials are required to make a security
determination (called accreditation) to authorize placing IT systems into
operation. In order for these officials to make sound, risk-based
decisions, a security evaluation (known as certification) of the IT system
is needed. The NIST guidelines are to establish a standard process, general
tasks and specific subtasks to certify and accredit systems and provide a
new approach that uses the standardized process to verify the correctness
and effectiveness of security controls employed in a system. The
guidelines will also employ the use of standardized, minimum security
controls and standardized verification techniques and procedures that NIST
indicates will be provided in future guidance.

28 National Institute of Standards and Technology, Security Metrics Guide
for Information Technology Systems, NIST Draft Special Publication 800-55
(October 2002).

29 National Institute of Standards and Technology, Building an Information
Technology Security Awareness and Training Program, NIST Draft Special
Publication 800-50 (July 19, 2002).

5. Poor security for contractor-provided services--OMB reported last year
that under the guidance of the OMB-led security committee established by
Executive Order 13231 (since eliminated), an issue group would develop
recommendations to include addressing how security is handled in
contracts. OMB also reported that it would work with the CIO Council and
the Procurement Executives Council to establish a training program that
ensures appropriate contractor training in security. OMB officials stated
that these activities are continuing and the issue group had made
recommendations to the Federal Acquisition Regulation Council. In
addition, in October 2002, NIST issued a draft guide on security
considerations in federal IT procurements, which includes specifications,
clauses, and tasks for areas such as IT security training and awareness,
personnel security, physical security, and security features in
systems.31

30 National Institute of Standards and Technology, Guidelines for the
Security Certification and Accreditation (C&A) of Federal Information
Technology Systems, NIST Draft Special Publication 800-37 (Oct. 28, 2002).

6. Limited capability to detect, report, and share information on
vulnerabilities or to detect intrusions, suspected intrusions, or virus
infections--OMB reported that the Federal Computer Incident Response
Center (FedCIRC) reports to it on a quarterly basis on the federal
government's status on IT security incidents. OMB also reported that under
OMB and Critical Infrastructure Protection Board guidance, GSA was
exploring methods to disseminate patches to all agencies more effectively.
OMB officials pointed to the Patch Authentication and Dissemination
Capability Program, which FedCIRC introduced in January 2003 as a free
service to federal civilian agencies.32 According to FedCIRC, this service
provides a trusted source of validated patches and notifications on new
threats and vulnerabilities that have potential to disrupt federal
government mission critical systems and networks. It is a Web-enabled
service that obtains patches from vendors, validates that the patch only
does what it states that it was created to correct, and provides agencies
notifications based on established profiles. We also noted that in August
2002, NIST published procedures for handling security patches that
provided principles and methodologies for establishing an explicit and
documented patching and vulnerability policy and a systematic,
accountable, and documented process for handling patches.33

In addition to activities identified for these specific weaknesses, in
last year's report, OMB reported that it would direct all large agencies
to undertake a Project Matrix review to more clearly identify and
prioritize the security needs for government assets. Project Matrix is a
methodology developed by the Critical Infrastructure Assurance Office
(CIAO) (recently transferred to the Department of Homeland Security) that
identifies the critical assets within an agency, prioritizes them, and
then identifies interrelationships with other agencies or the private
sector.34 OMB reported that once reviews have been completed at each large
agency, it would identify cross-government activities and lines of
business for Project Matrix reviews so that it will have identified both
vertically and horizontally the critical operations and assets of the
federal government's critical enterprise architecture and their
relationship beyond government. As of July 2002, a CIAO official reported
that of 31 agencies targeted for Project Matrix reviews, 18 had begun
their reviews; and of those, 5 had completed the first step of the
methodology to identify their critical assets, 2 found no candidate assets
to undergo a process to identify critical assets, 5 had begun the second
step to identify other federal government assets, systems, and networks
upon which their critical assets depend to operate, and none had begun the
third step to identify all associated dependencies on private-sector owned
and operated critical infrastructures.35 According to a CIAO official in
December 2003, the office's goal was to complete Project Matrix reviews
for 24 of the 31 identified agencies by the end of fiscal year 2004 and
for the remaining 7 in fiscal year 2005. However, this official also said
that at the request of the Office of Homeland Security, CIAO was revising
and streamlining its Project Matrix methodology to be less labor intensive
for the agencies and reduce the time needed to identify critical assets.
In our recent discussions with OMB officials, they said they were
requiring Project Matrix reviews for 24 large departments and agencies and
that as part of their GISRA reporting, agencies were required to report on
the status of their efforts to identify critical assets and their
dependencies. However, they acknowledged that OMB did not establish any
deadlines for the completion of Project Matrix reviews. In our February
2003 report, we also reported that neither the administration nor the
agencies we reviewed had milestones for the completion of Project Matrix
analyses and recommended that agencies coordinate with CIAO to set these
milestones.

Finally, in February 2002, OMB reported that a number of efforts were
under way to address security weaknesses in industry software development,
and that chief among them were national policy-level activities of the
Critical Infrastructure Protection Board (since eliminated). At the
technical product-level, OMB reported that the National Information
Assurance Partnership, operated jointly by NIST and the National Security
Agency, was certifying private-sector laboratories to which product
vendors may submit their software for analysis and certification, but that
this certification process was a lengthy one and often cannot accommodate
the "time-to-market" imperative that the technology industry faces.
According to recent discussions with OMB officials, the National
Information Assurance Partnership efforts are still under way.

31 National Institute of Standards and Technology, Security Considerations
in Federal Information Technology Procurements: A Guide for Procurement
Initiators, Contracting Officers, and IT Security Officials, NIST Draft
Special Publication 800-4A (Oct. 9, 2002).

32 FedCIRC, formerly within the General Services Administration and now
part of the Department of Homeland Security, was established to provide a
central focal point for incident reporting, handling, prevention and
recognition for the federal government. Its purpose is to ensure that the
government has critical services available in order to withstand or
quickly recover from attacks against its information resources.

33 National Institute of Standards and Technology, Procedures for Handling
Security Patches--Recommendations of the National Institute of Standards
and Technology, NIST Special Publication 800-40 (August 2002).

34 The Project Matrix methodology defines "critical" as the
responsibilities, assets, nodes, and networks that, if incapacitated or
destroyed, would jeopardize the nation's survival; have a serious,
deleterious effect on the nation at large; adversely affect large portions
of the American populace; and require near-term, if not immediate,
remediation (currently defined as within 72 hours). It defines "assets" as
tangible equipment, applications, and facilities that are owned, operated,
or relied upon by the agency, such as information technology systems or
networks, buildings, vehicles (aircraft, ships, or land), satellites, or
even a team of people.

35 U.S. General Accounting Office, Critical Infrastructure Protection:
Challenges for Selected Agencies and Industry Sectors, GAO-03-233
(Washington, D.C.: Feb. 28, 2003).

Agency GISRA Reporting Shows Progress, but Highlights Continued Weaknesses

Fiscal year 2002 GISRA reporting by CIOs and independent evaluations by
IGs for the 24 agencies provided an improved baseline for measuring
improvements in federal information security not only because of
performance measures that OMB now requires, but also because of agencies'
increased review coverage and use of consistent methodologies. For
example, 16 agencies reported that they had reviewed the security of 60
percent or more of their systems and programs for their fiscal year 2002
GISRA reporting, with 10 of these reporting that they reviewed from 90 to
100 percent. Further, 13 agencies reported that coverage of agency systems
and programs increased for fiscal year 2002 compared to fiscal year 2001.
However, with 8 agencies reporting that they reviewed less than half of
their systems, improvements are still needed.36 Regarding their
methodologies, 21 agencies reported that, as required by OMB, they used
NIST's Security Self-Assessment Guide for Information Technology Systems
or developed their own methodology that addressed all elements of the
guide, and only 3 agencies reported that they did not. By not following
the NIST guide, agencies may not identify all weaknesses. For example, one
agency reported that the methodology it used incorporated many of the
elements of NIST's self-assessment guide, but the IG reported that the
methodology did not call for the detailed level of system reviews required
by the NIST guide nor did it include the requirement to test and evaluate
security controls.

In performing our analyses, we summarized and categorized the reported
information including data provided for the OMB-prescribed performance
measures. There were several instances where agency reports either did not
address or provide sufficient data for a question or measure. In addition,
IGs' independent evaluations sometimes showed different results than CIO
reporting or identified data inaccuracies. Further, IG reporting also did
not always include comparable data, particularly for the performance
measures. In part, this was because although OMB instructions said that
the IGs should use the performance measures to assist in evaluating agency
officials' performance, the IG was not required to review the agency's
reported measures. Summaries of our analyses for key requirements follow
below.

36 One agency did not specifically report this information, but its IG
reported that the agency reviewed less than half of its systems.

Many Systems Still Do Not Have Risk Assessments or Up-to-Date Security
Plans

GISRA required agencies to perform periodic threat-based risk assessments
for systems and data. Risk assessments are an essential element of risk
management and overall security program management and, as our best
practice work has shown, are an integral part of the management processes
of leading organizations.37 Risk assessments help ensure that the greatest
risks have been identified and addressed, increase the understanding of
risk, and provide support for needed controls. Our reviews of federal
agencies, however, frequently show deficiencies related to assessing risk,
such as security plans for major systems that are not developed on the
basis of risks. As a result, the agencies had accepted an unknown level of
risk by default rather than consciously deciding what level of risk was
tolerable.

As one of its performance measures for this requirement, OMB required
agencies to report the number and percentage of their systems that have
been assessed for risk during fiscal year 2001 and fiscal year 2002. Our
analyses of reporting for this measure showed some overall progress. For
example, of the 24 agencies we reviewed, 13 reported an increase in the
percentage of systems assessed for fiscal year 2002 compared to fiscal
year 2001. In addition, as illustrated in figure 3 below, for fiscal year
2002, 11 agencies reported that they had assessed risk for 90 to 100
percent of their systems. However, it also shows that further efforts are
needed by other agencies, including the 9 that reported less than 60
percent of their systems had been assessed for risk.

37 GAO/AIMD-98-68.

Figure 3: Percentage of systems with risk assessments during fiscal year
2002

Note: Rounding used to total 100 percent.

GISRA also required the agency head to ensure that the agency's
information security plan is practiced throughout the life cycle of each
agency system. In its reporting instructions, OMB required agencies to
report whether the agency head had taken specific and direct actions to
oversee that program officials and the CIO are ensuring that security
plans are up to date and practiced throughout the life cycle. They also
had to report the number and percentage of systems that have an up-to-date
security plan. Our analyses showed that although most agencies reported
that they had taken such actions, IG reports disagreed for a number of
agencies, and many systems do not have up-to-date security plans.
Specifically, 21 agencies reported that the agency head had taken actions
to oversee that security plans are up to date and practiced throughout the
life cycle compared to the IGs reporting that only 9 agencies had taken
such actions. One IG reported that the agency's security plan guidance
predates revisions to NIST and OMB guidance and, as a result, does not
contain key elements, such as the risk assessment methodology used to
identify threats and vulnerabilities. In addition, another IG reported
that although progress had been made, security plans had not been
completed for 62 percent of the agency's systems. Regarding the status of
agencies' security plans, as shown in figure 4, half of the 24 agencies
reported that they had up-to-date security plans for 60 percent or more of
their systems for fiscal year 2002, including 7 that reported these plans
for 90 percent or more.

Figure 4: Percentage of systems with up-to-date security plans during
fiscal year 2002

Security Training Efforts Show Mixed Progress

GISRA required agencies to provide training on security awareness for
agency personnel and on security responsibilities for information security
personnel. Our studies of best practices at leading organizations have
shown that they took steps to ensure that personnel involved in various
aspects of their information security programs had the skills and
knowledge they needed. They also recognized that staff expertise had to be
frequently updated to keep abreast of ongoing changes in threats,
vulnerabilities, software, security techniques, and security monitoring
tools. However, our past information security reviews at individual
agencies have shown that they have not provided adequate computer security
training to their employees, including contractor staff.

Among the performance measures for these requirements, OMB required
agencies to report the number and percentage of employees including
contractors that received security training during fiscal years 2001 and
2002 and the number of employees with significant security
responsibilities that received specialized training. For agency
employee/contractor security training, our analyses showed 16 agencies
reported that they provided security training to 60 percent or more of
their employees and contractors for fiscal year 2002, with 9 reporting 90
percent or more. Of the remaining 8 agencies, 4 reported that such
training was provided for less than half of their employees/contractors, 1
reported that none were provided this training, and 3 provided
insufficient data for this measure. For specialized training for employees
with significant security responsibilities, some progress was indicated,
but additional training is needed. As indicated in figure 5, our analyses
showed 11 agencies reported that 60 percent or more of their employees
with significant security responsibilities had received specialized
training for fiscal year 2002, with 5 reporting 90 percent or more. Of the
remaining 13 agencies, 4 reported less than 30 percent and one reported
that none had received such training.

Figure 5: Percentage of employees with significant security
responsibilities receiving specialized security training during fiscal
year 2002

Further Security Control Testing and Evaluation Needed

Under GISRA, the agency head was responsible for ensuring that the
appropriate agency officials evaluated the effectiveness of the
information security program, including testing controls. The act also
required that the agencywide information security program include periodic
management testing and evaluation of the effectiveness of information
security policies and procedures. Periodically evaluating the
effectiveness of security policies and controls and acting to address any
identified weaknesses are fundamental activities that allow an
organization to manage its information security risks cost effectively,
rather than reacting to individual problems ad hoc only after a violation
has been detected or an audit finding has been reported. Further,
management control testing and evaluation as part of the program reviews
can supplement control testing and evaluation in IG and GAO audits to help
provide a more complete picture of the agencies' security postures.

As a performance measure for this requirement, OMB required the agencies
to report the number and percentage of systems for which security controls
have been tested and evaluated during fiscal years 2001 and 2002. Our
analyses of the data agencies reported for this measure showed that
although 15 agencies reported an increase in the overall percentage of
systems being tested and evaluated for fiscal year 2002, most agencies are
not testing essentially all of their systems. As shown in figure 6, our
analyses showed that 14 agencies reported that they had tested the
controls of less than 60 percent of their systems for fiscal year 2002. Of
the remaining 10 agencies, 4 reported that they had tested and evaluated
controls for 90 percent or more of their systems.

Figure 6: Percentage of systems with security controls tested during
fiscal year 2002

As another measure, OMB also required agencies to report the number and
percentage of systems that have been authorized for processing following
certification and accreditation. According to NIST's draft Guidelines for
the Security Certification and Accreditation (C&A) of Federal Information
Technology Systems (Special Publication 800-37), accreditation is the
authorization of an IT system to process, store, or transmit information,
granted by a management official that provides a form of quality control
and challenges managers and technical staff to find the best fit for
security, given technical constraints, operational constraints, and
mission requirements. Certification is the comprehensive evaluation of the
technical and non-technical security controls of an IT system to support
the accreditation process that establishes the extent to which a
particular design and implementation meets a set of specified security
requirements. Certification provides the necessary information to a
management official to formally declare that an IT system is approved to
operate at an acceptable level of risk. The accreditation decision is
based on the implementation of an agreed upon set of management,
operational, and technical controls, and by accrediting the system, the
management office accepts the risk associated with it.

Our analysis of agencies' reports showed mixed progress for this measure.
For example, 10 agencies reported increases in the percentage of systems
authorized for processing following certification and accreditation
compared to fiscal year 2001, but 8 reported decreases and 3 did not
change (3 others did not provide sufficient data). In addition, as shown
in figure 7, 8 agencies reported that for fiscal year 2002, 60 percent or
more of their systems had been authorized for processing following
certification and accreditation with only 3 of these reporting from 90 to
100 percent. And of the remaining 16 agencies reporting less than 60
percent, 3 reported that none of their systems had been authorized.

Figure 7: Percentage of systems during fiscal year 2002 that are
authorized for processing by management after certification and
accreditation

In addition to this mixed progress, IG reports identified instances where
agencies' certification and accreditation efforts were inadequate. For
example, one agency reported that 43 percent of its systems were
authorized for processing following certification and accreditation. IG
reporting agreed, but also noted that over a fourth of the systems
identified as authorized had been operating with an interim authorization
and did not meet all of the security requirements to be granted
accreditation. The IG also stated that, due to the risk posed by systems
operating without certification and full accreditation, the department
should consider identifying this deficiency as a material weakness.

Incident-Handling Capabilities Established, but Implementation Incomplete

GISRA required agencies to implement procedures for detecting, reporting,
and responding to security incidents. Although even strong controls may
not block all intrusions and misuse, organizations can reduce the risks
associated with such events if they promptly take steps to detect
intrusions and misuse before significant damage can be done. In addition,
accounting for and analyzing security problems and incidents are effective
ways for an organization to gain a better understanding of threats to its
information and of the cost of its security-related problems. Such
analyses can also pinpoint vulnerabilities that need to be addressed to
help ensure that they will not be exploited again. In this regard, problem
and incident reports can provide valuable input for risk assessments, help
in prioritizing security improvement efforts, and be used to illustrate
risks and related trends in reports to senior management. Our information
security reviews also confirm that federal agencies have not adequately
(1) prevented intrusions before they occur, (2) detected intrusions as
they occur, (3) responded to successful intrusions, or (4) reported
intrusions to staff and management. Such weaknesses provide little
assurance that unauthorized attempts to access sensitive information will
be identified and appropriate actions taken in time to prevent or minimize
damage.

OMB included a number of performance measures in agency reporting
instructions that were related to detecting, reporting, and responding to
security incidents. These included the number of agency components with an
incident-handling and response capability, whether the agency and its
major components share incident information with FedCIRC in a timely
manner, and the numbers of incidents reported. OMB also required that
agencies report on how they confirmed that patches have been tested and
installed in a timely manner. Our analyses of agencies' reports showed
that although most agencies reported that they have established incident
response capabilities, implementation of these capabilities is still not
complete. For example, 12 agencies reported that for fiscal year 2002, 90
percent or more of their components had incident handling and response
capabilities and 8 others reported that they provided these capabilities
to components through a central point within the agency. However, although
most agencies report having these capabilities for most components, in at
least two instances, the IGs' evaluations identified instances where
incident response capabilities were not always implemented. For example,
one IG reported that the department established and implemented its
computer security incident-response capability on August 1, 2002, but had
not enforced procedures to ensure that components comply with a consistent
methodology to identify, document, and report computer security incidents.
Another IG reported that the agency had released incident-handling
procedures and established a computer incident response team, but had not
formally assigned members to the team or effectively communicated
procedures to employees.

Our analyses also showed that for fiscal year 2002, 13 agencies reported
they had oversight procedures to verify that patches have been tested and
installed in a timely manner and 10 reported they did not. Of those that
did not have procedures, several specifically mentioned that they planned
to participate in FedCIRC's patch management process.

Agencies Show Progress in Identifying Critical Assets, but Most Have Not
Identified Interdependencies

GISRA required that each agencywide information security program ensure
the integrity, confidentiality, and availability of systems and data
supporting the agency's critical operations and assets. In addition, as
mentioned previously, OMB directed 24 of the largest agencies to undergo a
Project Matrix review to identify and characterize the operations and
assets and these assets' associated infrastructure dependencies and
interdependencies that are most critical to the nation. For example, as
part of its GISRA reporting, OMB required the agencies to report whether
they had undergone a Project Matrix review or used another methodology to
identify their critical assets and their interdependencies and
interrelationships. Our analyses of agencies' reports showed some overall
progress in identifying critical assets, but limited progress in
identifying interdependencies. As shown in figure 8, a total of 14
agencies reported they had identified their critical assets and
operations--10 using Project Matrix and 4 using other methodologies. In
addition, five more agencies reported that they were in some stage of
identifying their critical assets and operations, and three more planned
to do so in fiscal year 2003.

Figure 8: Percentage of agencies that had identified their critical assets
and operations, fiscal year 2002

Our analyses also showed that three agencies reported they had identified
the interdependencies for their critical assets, and four others reported
that they were in some stage of undertaking this process.

Lack of Contingency Plan Testing Is a Major Weakness

Contingency plans provide specific instructions for restoring critical
systems, including such things as arrangements for alternative processing
facilities in case the usual facilities are significantly damaged or
cannot be accessed. At many of the agencies we have reviewed, we found
incomplete plans and procedures to ensure that critical operations can
continue when unexpected events occur, such as a temporary power failure,
accidental loss of files, or a major disaster. These plans and procedures
were incomplete because operations and supporting resources had not been
fully analyzed to determine which were most critical and would need to be
restored first. Further, existing plans were not fully tested to identify
their weaknesses. As a result, many agencies have inadequate assurance
that they can recover operational capability in a timely, orderly manner
after a disruptive attack.

As another of its performance measures, OMB required agencies to report
the number and percentage of systems for which contingency plans have been
tested in the past year. As shown in figure 9, our analyses showed that
for fiscal year 2002, only 2 agencies reported they had tested contingency
plans for 90 percent or more of their systems, while 20 had tested
contingency plans for less than 60 percent of their systems. One reported
that none had been tested.

Figure 9: Percentage of systems with recently tested contingency plans for
fiscal year 2002

Note: Rounding used to total 100 percent.

Some Reported Improvement in Efforts to Ensure Security of
Contractor-Provided Services

GISRA requires agencies to develop and implement risk-based,
cost-effective policies and procedures to provide security protection for
information collected or maintained either by the agency or for it by
another agency or contractor. In its fiscal year 2001 GISRA report to the
Congress, OMB identified poor security for contractor-provided services as
a common weakness and for fiscal year 2002 reporting, included performance
measures to help indicate whether the agency program officials and CIO
used appropriate methods, such as audits and inspections, to ensure that
services provided by a contractor are adequately secure and meet security
requirements. Our analyses showed that a number of agencies reported that
they have reviewed a large percentage of services provided by a
contractor, but others have reviewed only a small number.

For operations and assets under the control of agency program officials,
16 agencies reported that for fiscal year 2002 they reviewed 60 percent or
more of contractor operations or facilities, with 7 of these reporting
that they reviewed 90 percent or more; and 4 reported that they reviewed
less than 30 percent.

For operations and assets under the control of the CIO, 11 agencies
reported that for fiscal year 2002 they reviewed 60 percent or more of
contractor operations or facilities, with 7 of these reporting they
reviewed 90 percent or more; 3 reported that they reviewed less than 30
percent; and 5 agencies reported that they had no services provided by a
contractor or another agency.

Reporting of Security Costs Shows Improvement

GISRA requires that each agency examine the adequacy and effectiveness of
information security policies, procedures, and practices in plans and
reports related to annual agency budgets and other statutory performance
reporting requirements. The act also requires each agency to describe the
resources, including budget, staffing, and training, that are necessary to
implement its agencywide information security program. For GISRA
reporting, OMB required agencies to report information on total security
funding included in their fiscal year 2002 budget request, fiscal year
2002 budget enacted, and the President's fiscal year 2003 budget and to
include (1) a breakdown of security costs by each major operating division
or bureau and (2) CIP costs that apply to the protection of government
operations and assets.

Most agencies (21) reported total security funding for these budgets,
although 13 did not show costs by major operating division or bureau
and/or for CIP. Further, most agencies reported including security costs
in their budget requests and justifications. For example:

• For the fiscal year 2003 budget, 16 agencies reported that they had
submitted capital asset plans and justifications to OMB with all requisite
security information, and of the remaining 8 agencies, 5 reported that
less than 30 percent of their capital asset plans and justifications did
not include this information. Last year, 19 agencies reported that they
had not included security requirements and costs on every fiscal year 2002
capital asset plan submitted to OMB.

• For fiscal year 2003, 18 agencies reported that security costs were
reported on the Exhibit 53 for all agency systems,38 with 5 reporting that
these costs were not reported for all agency systems.

38 The Agency IT Investments Portfolios as required by OMB Circular A-11.

Corrective Action Plans Provide Potential Tool for Monitoring Agency
Progress

GISRA required that agencies develop a process for ensuring that remedial
action is taken to address significant deficiencies. As a result, OMB
required the agency head to work with the CIO and program officials to
provide a strategy to correct security weaknesses identified through
annual GISRA program reviews and independent evaluations, as well as other
reviews or audits performed throughout the reporting period by the IG or
GAO. Agencies were required to submit a corrective action plan for all
programs and systems where a security weakness had been identified, plus
quarterly updates on the plan's implementation. OMB guidance required that
these plans list the identified weaknesses and, for each, identify a point
of contact, the resources required to resolve the weakness, the scheduled
completion date, key milestones with completion dates for the milestones,
milestone changes, the source of the weakness (such as a program review,
IG audit, or GAO audit), and the status (ongoing or completed). Agencies
were also required to submit quarterly updates of these plans that list
the total number of weaknesses identified at the program and system level,
as well as the numbers of weaknesses for which corrective actions were
completed on time, ongoing and on schedule, or delayed. Updates were also
to include the number of new weaknesses discovered subsequent to the last
corrective action plan or quarterly update.

Our analyses of agencies' fiscal year 2002 corrective action plans and
IGs' evaluations of these plans showed that most agencies followed the
OMB-prescribed format, but also that several used an existing tracking
system to meet this requirement. In theory, these plans could prove to be
a useful tool for the agencies in correcting their information security
weaknesses.

However, their usefulness could be impaired to the extent that they do not
identify all weaknesses or provide realistic completion estimates. For
example, of the 24 agencies, only 5 IGs reported that their agency's
corrective action plan addressed all identified significant weaknesses,
and 9 specifically reported that their agency's plan did not. Our analyses
also showed that in several instances, corrective action plans did not
indicate the current status of weaknesses identified or include
information regarding whether actions were on track as originally
scheduled. Plan progress must be appropriately monitored, and the actual
correction of weaknesses may require independent validation. Our analyses
showed that three IGs reported that their agencies did not have a
centralized tracking system to monitor the status of corrective actions.
Also, one IG specifically questioned the accuracy of unverified,
self-reported corrective actions reported in the agency's plan.
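The plan format OMB prescribed above is, in effect, a small data model plus a quarterly roll-up, and the gaps GAO found (missing status, no on-track information, unverified self-reporting) are exactly what a tracking system should compute from recorded dates rather than accept from a free-text status field. The following Python is an added illustration of such a tracker; it is not code from this testimony, from OMB, or from any agency's system. The record layout, field names, status rules, and the four sample weaknesses are constructed for the example.

```python
"""Corrective action plan (plan of action and milestones) tracker.

Added example, not the testimony's or OMB's code. It models the plan
fields OMB required (point of contact, resources, scheduled completion,
milestones, milestone changes, source, status) and derives the quarterly
update counts (completed on time, ongoing and on schedule, delayed, new
since last update) from recorded dates instead of a self-reported flag.
Record layout and sample data are constructed for this illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Milestone:
    name: str
    due: date
    completed: Optional[date] = None    # None while the milestone is open


@dataclass
class Weakness:
    ident: str
    level: str                          # "program" or "system"
    description: str
    point_of_contact: str
    resources_required: str
    scheduled_completion: date
    source: str                         # program review, IG audit, or GAO audit
    identified: date                    # date the weakness was recorded
    milestones: list = field(default_factory=list)
    milestone_changes: list = field(default_factory=list)
    completed: Optional[date] = None    # date all corrective action finished


# Plan fields OMB required for every listed weakness (assumed minimal set).
REQUIRED_FIELDS = ("point_of_contact", "resources_required", "source")


def missing_fields(w: Weakness) -> list:
    """Required plan fields left blank; non-empty means the record cannot
    support the quarterly update without follow-up."""
    return [f for f in REQUIRED_FIELDS if not getattr(w, f).strip()]


def classify(w: Weakness, as_of: date) -> str:
    """OMB status category derived from dates, not from a free-text flag.

    Returns "completed_on_time", "on_schedule", or "delayed". A weakness is
    delayed if it finished after its scheduled date, is still open past its
    scheduled date, or has any open milestone whose due date has passed.
    """
    if w.completed is not None:
        return "completed_on_time" if w.completed <= w.scheduled_completion else "delayed"
    if as_of > w.scheduled_completion:
        return "delayed"
    overdue = [m for m in w.milestones if m.completed is None and m.due < as_of]
    return "delayed" if overdue else "on_schedule"


def quarterly_update(plan, as_of: date, last_update: date) -> dict:
    """Counts OMB asked for in each quarterly update, plus the number of
    records too incomplete to verify (the gap GAO observed in agency plans)."""
    counts = {"program": 0, "system": 0, "completed_on_time": 0,
              "on_schedule": 0, "delayed": 0, "new": 0, "incomplete_records": 0}
    for w in plan:
        counts[w.level] += 1
        counts[classify(w, as_of)] += 1
        if w.identified > last_update:
            counts["new"] += 1
        if missing_fields(w):
            counts["incomplete_records"] += 1
    return counts


def delayed_items(plan, as_of: date) -> list:
    """Identifiers of weaknesses that need management attention or validation."""
    return [w.ident for w in plan if classify(w, as_of) == "delayed"]


# Constructed sample plan: four weaknesses covering each status category.
SAMPLE_PLAN = [
    Weakness("W-1", "system", "Default passwords on database server",
             "DBA lead", "2 staff-days", date(2002, 12, 31), "IG audit",
             date(2002, 9, 1), completed=date(2002, 12, 15)),
    Weakness("W-2", "program", "No agencywide security training program",
             "CISO", "$150K contract", date(2003, 3, 31), "program review",
             date(2002, 9, 10),
             milestones=[Milestone("Select vendor", date(2002, 11, 30), date(2002, 11, 20)),
                         Milestone("Pilot course", date(2003, 2, 28))]),
    Weakness("W-3", "system", "Unpatched web servers", "",   # no point of contact
             "patch management tool", date(2003, 6, 30), "GAO audit",
             date(2002, 10, 1),
             milestones=[Milestone("Inventory servers", date(2002, 12, 31))]),
    Weakness("W-4", "program", "Vulnerability scans not performed",
             "Network ops", "scanner license", date(2003, 4, 30), "program review",
             date(2003, 1, 5),
             milestones=[Milestone("Procure scanner", date(2003, 1, 10))]),
]
AS_OF = date(2003, 1, 15)          # date of this quarterly update
LAST_UPDATE = date(2002, 12, 31)   # date of the previous update


def sample_update() -> dict:
    return quarterly_update(SAMPLE_PLAN, AS_OF, LAST_UPDATE)


if __name__ == "__main__":
    for k, v in sample_update().items():
        print(f"{k:>20}: {v}")
    print("delayed:", delayed_items(SAMPLE_PLAN, AS_OF))
```

The design point is that "delayed" is never typed in by the responsible official; it follows from the scheduled date and the open milestones, so a plan that omits milestone dates or a point of contact surfaces as an incomplete record rather than silently counting as on schedule. An IG validating the plan would compare these derived counts against what the agency self-reported.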

Further Action Needed to Improve Federal Information Security

Recent audits and reviews, including annual GISRA program reviews and
independent evaluations, show that although agencies have made progress
in addressing GAO and IG recommendations to improve the effectiveness of
their information security, further action is needed. In particular,
overall security program management continues to be an area marked by
widespread and fundamental problems. Many agencies have not developed
security plans for major systems based on risk, have not documented
security policies, and have not implemented a program for testing and
evaluating the effectiveness of the controls they rely on. As a result,
they could not ensure that the controls they had implemented were
operating as intended, and they could not make informed judgments as to
whether they were spending too little or too much of their resources on
security.

Further information security improvement efforts are also needed at the
governmentwide level, and it is important that these efforts are guided by
a comprehensive strategy and, as development of this strategy continues,
that certain key issues be addressed. These issues and actions currently
under way are as follows.

First, the federal strategy should delineate the roles and
responsibilities of the numerous entities involved in federal information
security and describe how the activities of these organizations
interrelate, who should be held accountable for their success or failure,
and whether these activities will effectively and efficiently support
national goals.

Second, more specific guidance to agencies on the controls that they need
to implement could help ensure adequate protection. Currently, agencies
have wide discretion in deciding which computer security controls to
implement and the level of rigor with which to enforce these controls. In
essence, one set of specific controls will not be appropriate for all
types of systems and data. Nevertheless, our studies of best practices at
leading organizations have shown that more specific guidance is important
(footnote 39). In particular, specific mandatory standards for varying
risk levels can clarify expectations for information protection, including
audit criteria; provide a standard framework for assessing information
security risk; help ensure that shared data are appropriately protected;
and reduce demands for limited resources to independently develop security
controls. FISMA requires NIST to develop standards that provide mandatory
minimum information security requirements.

39 GAO/AIMD-98-68.

Third, ensuring effective implementation of agency information security
and CIP plans will require active monitoring by the agencies to determine
whether milestones are being met and testing is being performed to
determine whether policies and controls are operating as intended. With
routine periodic evaluations, such as those required by GISRA and now
FISMA, performance measurements can be more meaningful. In addition, the
annual evaluation, reporting, and monitoring process established through
these provisions is an important mechanism, previously missing, to hold
agencies accountable for implementing effective security and to manage the
problem from a governmentwide perspective.

Fourth, the Congress and the executive branch can use audit results,
including the results of GISRA and FISMA reporting, to monitor agency
performance and take whatever action is deemed advisable to remedy
identified problems. Such oversight is essential for holding agencies
accountable for their performance, as was demonstrated by OMB and
congressional efforts to oversee the Year 2000 computer challenge.

Fifth, agencies must have the technical expertise they need to select,
implement, and maintain controls that protect their information systems.
Similarly, the federal government must maximize the value of its technical
staff by sharing expertise and information. As highlighted during the Year
2000 challenge, the availability of adequate technical and audit expertise
is a continuing concern to agencies.

Sixth, agencies can allocate resources sufficient to support their
information security and infrastructure protection activities. In our
review of first-year GISRA implementation, we reported that many agencies
emphasized the need for adequate funding to implement security
requirements, and that security funding varied widely across the agencies.
Funding for security is already embedded to some extent in agency budgets
for computer system development efforts and routine network and system
management and maintenance. However, additional amounts are likely to be
needed to address specific weaknesses and new tasks. At the same time, OMB
and congressional oversight of future spending on information security
will be important for ensuring that agencies are not using the funds they
receive to continue ad hoc, piecemeal security fixes that are not
supported by a strong agency risk-management process.

Further, we agree with OMB that much can be done to cost-effectively
address common weaknesses, such as limited security training, across
government rather than individually by agency.

Seventh, expanded research is needed in the area of information systems
protection. Although a number of research efforts are under way, experts
have noted that more is needed to achieve significant advances. In this
regard, the Congress recently passed and the President signed into law the
Cyber Security Research and Development Act to provide $903 million over 5
years for cybersecurity research and education programs (footnote 40).
This law directs the National Science Foundation to create new
cybersecurity research centers, program grants, and fellowships. It also
directs NIST to create new program grants for partnerships between
academia and industry.

CIP Policy Has Continued to Evolve Since the Mid-1990s

CIP involves activities that enhance the security of our nation's cyber
and physical public and private infrastructure that are critical to
national security, national economic security, and/or national public
health and safety. Federal awareness of the importance of securing our
nation's critical infrastructures has continued to evolve since the
mid-1990s. Over the years, a variety of working groups has been formed,
special reports written, federal policies issued, and organizations
created to address the issues that have been raised. The following
sections summarize key developments in federal CIP policy to provide
historical perspective.

President's Commission Studied Critical Infrastructure Protection

In October 1997, the President's Commission on Critical Infrastructure
Protection issued a report (footnote 41) describing the potentially
devastating implications of poor information security for the nation. The
report recommended measures to achieve a higher level of CIP that included
industry cooperation and information sharing, a national organization
structure, a revised program of research and development, a broad program
of awareness and education, and a reconsideration of related laws. It
further stated that a comprehensive effort would need to "include a system
of surveillance, assessment, early warning, and response mechanisms to
mitigate the potential for cyberthreats." The report also urged the FBI to
continue its efforts to develop warning and threat analysis capabilities,
which would enable it to serve as the preliminary national warning center
for infrastructure attacks and to provide law enforcement, intelligence,
and other information needed to ensure the highest quality analysis
possible.

40 P.L. 107-305, November 27, 2002.

41 President's Commission on Critical Infrastructure Protection, Critical
Foundations: Protecting America's Infrastructures (October 1997).

Presidential Decision Directive 63 Established Initial CIP National
Strategy

In 1998, the President issued Presidential Decision Directive 63 (PDD 63),
which described a strategy for cooperative efforts by government and the
private sector to protect the physical and cyber-based systems essential
to the minimum operations of the economy and the government. PDD 63 called
for a range of actions intended to improve federal agency security
programs, improve the nation's ability to detect and respond to serious
computer-based and physical attacks, and establish a partnership between
the government and the private sector. The directive called on the federal
government to serve as a model of how infrastructure assurance is best
achieved and designated lead agencies to work with private-sector and
government organizations. Further, it established CIP as a national goal
and stated that, by the close of 2000, the United States was to have
achieved an initial operating capability to protect the nation's critical
infrastructures from intentional destructive acts and, by 2003, have
developed the ability to protect the nation's critical infrastructures
from intentional destructive attacks.

To accomplish its goals, PDD 63 established and designated organizations
to provide central coordination and support, including

- the Critical Infrastructure Assurance Office (CIAO), an interagency
office housed in the Department of Commerce, which was established to
develop a national plan for CIP on the basis of infrastructure plans
developed by the private sector and federal agencies;

- the National Infrastructure Protection Center (NIPC), an organization
within the FBI, which was expanded to address national-level threat
assessment, warning, vulnerability, and law enforcement
investigation/response; and

- the National Infrastructure Assurance Council (NIAC), which was
established to enhance the partnership of the public and private sectors
in protecting our critical infrastructures.

To ensure coverage of critical sectors, PDD 63 also identified eight
private-sector infrastructures and five special functions. For each of the
infrastructures and functions, the directive designated lead federal
agencies, referred to as sector liaisons, to work with their counterparts
in the private sector, referred to as sector coordinators. To facilitate
private sector participation, PDD 63 also encouraged the voluntary
creation of information sharing and analysis centers (ISACs) to serve as
mechanisms for gathering, analyzing, and appropriately sanitizing and
disseminating information to and from infrastructure sectors and the
federal government through NIPC. Figure 3 displays a high-level overview
of the organizations with CIP responsibilities, as outlined by PDD 63.

Figure 10: Organizations with CIP Responsibilities, as Outlined by PDD 63

[Organization chart not reproduced in text. Its boxes show the President;
the Principals Committee; the Assistant to the President for National
Security Affairs; the National Coordinator; the Critical Infrastructure
Coordination Group; the Critical Infrastructure Assurance Office; the
National Infrastructure Protection Center; the National Infrastructure
Assurance Council; Information Sharing and Analysis Center(s); the lead
agencies for sector liaison with their infrastructure sectors (Commerce:
Information and Communication; Treasury: Banking and Finance; EPA: Water
Supply; Transportation: Aviation, Highway, Mass Transit, Pipelines, Rail,
Waterborne Commerce; Justice/FBI: Emergency Law Enforcement; FEMA:
Emergency Fire Services, Continuity of Government; Energy: Electric Power,
Oil and Gas Production and Storage; HHS: Public Health Services); and the
lead agencies for special functions (Justice/FBI: Law Enforcement and
Internal Security; CIA: Intelligence; State: Foreign Affairs; Defense:
National Defense; OSTP: Research and Development).]

Source: CIAO.

Note: In February 2001, the Critical Infrastructure Coordination Group was
replaced by the Information Infrastructure Protection and Assurance Group
under the Policy Coordinating Committee on Counter-terrorism and National
Preparedness. In October 2001, Executive Order 13231 replaced the National
Infrastructure Assurance Council with the National Infrastructure Advisory
Council, and cyber CIP functions performed by the national coordinator
were assigned to the chair of the President's Critical Infrastructure
Protection Board. In February 2003, Executive Order 13231 was amended in
its entirety by Executive Order 13286, dissolving the President's Critical
Infrastructure Board and stating that the National Infrastructure Advisory
Council chairpersons are to be selected from among its members.

PDD 63 called for a range of activities intended to establish a
partnership between the public and private sectors to ensure the security
of our nation's critical infrastructures. The sector liaison and the
sector coordinator were to work with each other to address problems
related to CIP for their sector. In particular, PDD 63 stated that they
were to (1) develop and implement vulnerability awareness and education
programs and (2) contribute to a sectoral National Infrastructure
Assurance Plan by

- assessing the vulnerabilities of the sector to cyber or physical
attacks;

- recommending a plan to eliminate significant vulnerabilities;

- proposing a system for identifying and preventing major attacks; and

- developing a plan for alerting, containing, and rebuffing an attack in
progress and then, in coordination with FEMA as appropriate, rapidly
reconstituting minimum essential capabilities in the aftermath of an
attack.

PDD 63 also required every federal department and agency to be responsible
for protecting its own critical infrastructures, including both
cyber-based and physical assets. To fulfill this responsibility, PDD 63
called for agencies' CIOs to be responsible for information assurance, and
it required every agency to appoint a chief infrastructure assurance
officer to be responsible for the protection of all other aspects of an
agency's critical infrastructure. Further, it required federal agencies
to:

- develop, implement, and periodically update a plan for protecting its
critical infrastructure;

- determine its minimum essential infrastructure that might be a target of
attack;

- conduct and periodically update vulnerability assessments of its minimum
essential infrastructure;

- develop a recommended remedial plan based on vulnerability assessments
that identifies time lines for implementation, responsibilities, and
funding; and

- analyze intergovernmental dependencies, and mitigate those dependencies.

Other PDD 63 requirements for federal agencies are that they provide
vulnerability awareness and education to sensitize people regarding the
importance of security and to train them in security standards,
particularly regarding cybersystems; that they establish a system for
responding to a significant infrastructure attack while it is under way,
to help isolate and minimize damage; and that they establish a system for
rapidly reconstituting minimum required capabilities for varying levels of
successful infrastructure attacks.

National Plan for Information Systems Protection Provided Plan for Federal
Government

In January 2000, the White House issued its National Plan for Information
Systems Protection (footnote 42). The national plan provided a vision and
framework for the federal government to prevent, detect, respond to, and
protect the nation's critical cyber-based infrastructure from attack and
reduce existing vulnerabilities by complementing and focusing existing
federal computer security and information technology requirements.
Subsequent versions of the plan were expected to (1) define the roles of
industry and of state and local governments working in partnership with
the federal government to protect physical and cyber-based infrastructures
from deliberate attack and (2) examine the international aspects of CIP.

Executive Order 13228 Established the Office of Homeland Security

In October 2001, the President issued Executive Order (EO) 13228
(footnote 43), establishing the Office of Homeland Security within the
Executive Office of the President and the Homeland Security Council. It
stated that the Office of Homeland Security was "to develop and coordinate
the implementation of a comprehensive national strategy to secure the
United States from terrorist threats or attacks." In addition, EO 13228
stated that, among other things, the Office of Homeland Security was to
coordinate efforts to protect critical public and privately owned
information systems within the United States from terrorist attacks.
Further, it established the Homeland Security Council to advise and assist
the President with respect to all aspects of homeland security, to serve
as the mechanism for ensuring coordination of homeland security-related
activities of executive departments and agencies, and to develop and
implement homeland security policies.

42 The White House, Defending America's Cyberspace: National Plan for
Information Systems Protection: Version 1.0: An Invitation to a Dialogue
(Washington, D.C.: January 2000).

43 "Establishing the Office of Homeland Security and the Homeland Security
Council," Executive Order 13228, Oct. 8, 2001.

Executive Order 13231 Established the CIP Board

In October 2001, President Bush signed EO 13231, establishing the
President's Critical Infrastructure Protection Board to coordinate
cyber-related federal efforts and programs associated with protecting our
nation's critical infrastructures. Executive Order 13231 tasked the board
with recommending policies and coordinating programs for protecting
CIP-related information systems. The Special Advisor to the President for
Cyberspace Security chaired the board. The executive order also
established 10 standing committees to support the board's work on a wide
range of critical information. According to EO 13231, the board's
responsibilities were to recommend policies and coordinate programs for
protecting information systems for critical infrastructures, including
emergency preparedness communications and the physical assets that support
such systems. The Special Advisor reported to the Assistant to the
President for National Security Affairs and to the Assistant to the
President for Homeland Security and coordinated with the Assistant to the
President for Economic Policy on issues relating to private-sector systems
and economic effects and with the Director of OMB on issues relating to
budgets and the security of federal computer systems. Executive Order
13231 emphasized the importance of CIP and the ISACs, but neither order
identified additional requirements for agencies to protect their critical
infrastructures or suggested additional activities for the ISACs.

National Strategy for Homeland Security Included CIP Components

In July 2002, the President issued the National Strategy for Homeland
Security, with strategic objectives to (1) prevent terrorist attacks
within the United States, (2) reduce America's vulnerability to terrorism,
and (3) minimize the damage and recovery from attacks that do occur. To
ensure coverage of critical infrastructure sectors, this strategy
identified 13 industry sectors, expanded from the 8 originally identified
in PDD 63, as essential to our national security, national economic
security, and/or national public health and safety. Lead federal agencies
were identified and directed to work with their counterparts in the
private sector to assess sector vulnerabilities and to develop plans to
eliminate vulnerabilities. The sectors and their lead agencies are listed
in table 2.

Table 2: Critical Infrastructure Lead Agencies and Sectors

Lead agency                      Sectors
Homeland Security                Information and telecommunications
                                 Transportation (aviation; rail; mass
                                   transit; waterborne commerce; pipelines;
                                   and highways, including trucking and
                                   intelligent transportation systems)
                                 Postal and shipping
                                 Emergency services
                                 Continuity of government
Treasury                         Banking and finance
Health and Human Services        Public health (including prevention,
                                   surveillance, laboratory services, and
                                   personal health services)
                                 Food (all except for meat and poultry)
Energy                           Energy (electrical power, oil and gas
                                   production and storage)
Environmental Protection Agency  Water
                                 Chemical industry and hazardous materials
Agriculture                      Agriculture
                                 Food (meat and poultry)
Defense                          Defense industrial base

Source: National Strategy for Homeland Security and National Strategy to
Secure Cyberspace.

The Homeland Security Act Created the Department of Homeland Security

The Homeland Security Act of 2002 (signed by the President on November 25,
2002) established the Department of Homeland Security (DHS). Regarding
CIP, the new department is responsible for, among other things, (1)
developing a comprehensive national plan for securing the key resources
and critical infrastructure of the United States; (2) recommending
measures to protect the key resources and critical infrastructure of the
United States in coordination with other federal agencies and in
cooperation with state and local government agencies and authorities, the
private sector, and other entities; and (3) disseminating, as appropriate,
information analyzed by the department both within the department and to
other federal agencies, state and local government agencies, and
private-sector entities to assist in the deterrence, prevention,
preemption of, or response to terrorist attacks. To help accomplish these
functions, the act created the Information Analysis and Infrastructure
Protection Directorate within the new department and transferred to it the
functions, personnel, assets, and liabilities of several existing
organizations with CIP responsibilities, including NIPC (other than the
Computer Investigations and Operations Section) and the CIAO. The National
Strategy for Homeland Security called for the Office of Homeland Security
and the President's Critical Infrastructure Protection Board to complete
cyber and physical infrastructure protection plans, which would serve as
the baseline for later developing the comprehensive national
infrastructure protection plan. Such a plan was subsequently required by
the Homeland Security Act of 2002.

The National Strategy to Secure Cyberspace Provided Initial Framework for
Cyber CIP

On February 14, 2003, the President released the National Strategy to
Secure Cyberspace and the complementary National Strategy for the Physical
Protection of Critical Infrastructures and Key Assets (footnote 44). These
two strategies identify priorities, actions, and responsibilities for the
federal government, including lead agencies and DHS, as well as for state
and local governments and the private sector. The National Strategy to
Secure Cyberspace is intended to provide an initial framework for both
organizing and prioritizing efforts to protect our nation's cyberspace. It
is also to provide direction to federal departments and agencies that have
roles in cyberspace security and to identify steps that state and local
governments, private companies and organizations, and individual Americans
can take to improve our collective cybersecurity. The strategy reiterates
the critical infrastructure sectors and the related lead federal agencies
as identified in The National Strategy for Homeland Security. In addition,
the strategy identifies DHS as the central coordinator for cyberspace
efforts. As such, DHS is responsible for coordinating and working with
other federal entities involved in cybersecurity. This strategy is
organized according to five national priorities, with major actions and
initiatives identified for each:

1. A National Cyberspace Security Response System. Coordinated by DHS,
this system is described as a public/private architecture for analyzing
and warning, managing incidents of national significance, promoting
continuity in government systems and private-sector infrastructures, and
increasing information sharing across and between organizations to improve
cyberspace security. The system is to include governmental entities and
nongovernmental entities, such as private-sector ISACs. Major actions and
initiatives identified for cyberspace security response include providing
for the development of tactical and strategic analysis of cyber attacks
and vulnerability assessments; expanding the Cyber Warning and Information
Network to support the role of DHS in coordinating crisis management for
cyberspace security; coordinating processes for voluntary public/private
participation in the development of national public/private continuity
and contingency plans; exercising cybersecurity continuity plans for
federal systems; and improving and enhancing public/private information
sharing involving cyber attacks, threats, and vulnerabilities.

2. A National Cyberspace Security Threat and Vulnerability Reduction
Program. This priority focuses on reducing threats and deterring malicious
actors through effective programs to identify and punish them; identifying
and remediating those existing vulnerabilities that, if exploited, could
create the most damage to critical systems; and developing new systems
with less vulnerability and assessing emerging technologies for
vulnerabilities. Other major actions and initiatives include creating a
process for national vulnerability assessments to better understand the
potential consequences of threats and vulnerabilities, securing the
mechanisms of the Internet by improving protocols and routing, fostering
the use of trusted digital control and supervisory control and data
acquisition systems, understanding infrastructure interdependencies and
improving the physical security of cybersystems and telecommunications,
and prioritizing federal cybersecurity research and development agendas.

44 The White House, The National Strategy to Secure Cyberspace
(Washington, D.C.: February 2003); and The National Strategy for the
Physical Protection of Critical Infrastructures and Key Assets
(Washington, D.C.: February 2003).

3. A National Cyberspace Security Awareness and Training Program. This
priority emphasizes promoting a comprehensive national awareness program
to empower all Americans (businesses, the general workforce, and the
general population) to secure their own parts of cyberspace. Other major
actions and initiatives include fostering adequate training and education
programs to support the nation's cybersecurity needs; increasing the
efficiency of existing federal cybersecurity training programs; and
promoting private-sector support for well-coordinated, widely recognized
professional cybersecurity certification.

4. Securing Governments' Cyberspace. To help protect, improve, and
maintain governments' cybersecurity, major actions and initiatives for
this priority include continuously assessing threats and vulnerabilities
to federal cyber systems; authenticating and maintaining authorized users
of federal cyber systems; securing federal wireless local area networks;
improving security in government outsourcing and procurement; and
encouraging state and local governments to consider establishing
information technology security programs and participating in ISACs with
similar governments.

5. National Security and International Cyberspace Security Cooperation.
This priority identifies major actions and initiatives to strengthen U.S.
national security and international cooperation. These include
strengthening cyber-related counterintelligence efforts, improving
capabilities for attack attribution and response, improving coordination
for responding to cyber attacks within the U.S. national security
community, working with industry and through international organizations
to facilitate dialogue and partnerships among international public and
private sectors focused on protecting information infrastructures, and
fostering the establishment of national and international
watch-and-warning networks to detect and prevent cyber attacks as they
emerge.

The National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets Provided National Policy for Physical CIP

The National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets provides a statement of national policy to
remain committed to protecting critical infrastructures and key assets
from terrorist attacks. Although the strategy does not explicitly mention
PDD 63, it builds on the directive with its sector-based approach that
includes the 13 sectors defined in the National Strategy for Homeland
Security, identifies federal departments and agencies as sector liaisons,
and calls for expanding the capabilities of ISACs. The strategy is based
on eight guiding principles, including establishing responsibility and
accountability, encouraging and facilitating partnering among all levels
of government and between government and industry, and encouraging market
solutions wherever possible and government intervention when needed. The
strategy also establishes three strategic objectives. The first is to
identify and assure the protection of the most critical assets, systems,
and functions, in terms of national-level public health and safety,
governance, economic and national security, and public confidence. This
would include establishing a uniform methodology for determining
national-level criticality. The second strategic objective is to assure
the protection of infrastructures and assets facing specific, imminent
threats; and the third is to pursue collaborative measures and initiatives
to assure the protection of other potential targets that may become
attractive over time. Under this strategy, DHS will provide overall
cross-sector coordination and serve as the primary liaison and facilitator
for cooperation among federal agencies, state and local governments, and
the private sector. The strategy states that the private sector generally
remains the first line of defense for its own facilities and should
reassess and adjust its planning, assurance, and investment programs to
better accommodate the increased risk presented by deliberate acts of
violence. In addition, the Office of Homeland Security will continue to
act as the President's principal policy adviser staff and coordinating
body for major interagency policy issues related to homeland security.

Executive Order 13286 Reflected Establishment of DHS

On February 28, 2003, Executive Order (EO) 13231 was amended in its
entirety by Executive Order 13286.[45] Although EO 13286 maintained the
same national policy statement regarding the protection against disruption
of information systems for critical infrastructures, it dissolved the
President's Critical Infrastructure Protection Board that was to
coordinate cyber-related federal efforts and programs associated with
protecting our nation's critical infrastructures, as well as the board's
chair (the Special Advisor to the President for Cyberspace Security) and
related staff, along with the 10 standing committees established to
support the board's work on a wide range of critical information
infrastructure efforts. According to EO 13286, the NIAC is to continue to
provide the President with advice on the security of information systems
for critical infrastructures supporting other sectors of the economy.
However, NIAC will provide its advice through the Secretary of Homeland
Security. Regarding the functions of the standing committees, an OMB
official stated that OMB will continue to oversee the federal information
security committee functions. Further, recent media reports state that
efforts are underway to ensure the transition of certain other functions
to DHS.

Other Developments

On March 1, 2003, DHS assumed certain essential information and analysis
and infrastructure protection functions and organizations, including NIPC
(other than the Computer Investigation and Operations Section) and the
CIAO. Currently, according to a Department of Homeland Security official,
the department is continuing to carry out the activities previously
performed by NIPC and the other transferred functions and organizations.
Further, the official stated that the department is enhancing those
activities as they are integrated within the new department and is
developing a business plan. The DHS official stated that the department is
continuing previously established efforts to maintain and build
relationships with other federal entities, including the FBI and other
NIPC partners, and with the private sector. In addition, the department
plans to provide staff to work at the proposed Terrorist Threat
Integration Center. Although NIPC experienced the loss of certain senior
leadership prior to transition to the new department and has identified
some staffing needs, the DHS official stated that the department is able
to provide the functions previously performed by NIPC.

45 The White House, Executive Order 13286, Amendment of Executive Orders,
and Other Actions, in Connection With the Transfer of Certain Functions to
the Secretary of Homeland Security (Washington, D.C.: Feb. 28, 2003).

The Nation Faces Ongoing CIP Challenges

Although the actions taken to date are major steps to more effectively
protect our nation's critical infrastructures, we have made numerous
recommendations over the last several years concerning CIP challenges that
still need to be addressed. For each of these challenges, improvements
have been made and continuing efforts are in progress. However, even
greater efforts are needed to address them. These challenges include
developing a comprehensive and coordinated national CIP plan, improving
information sharing on threats and vulnerabilities, improving analysis and
warning capabilities, and ensuring appropriate incentives to encourage
entities outside of the federal government to increase their CIP efforts.
It is also important that CIP efforts be appropriately integrated with
DHS.

A Comprehensive and Coordinated National CIP Plan Needs to Be Developed

An underlying issue in the implementation of CIP is that no national plan
yet exists that clearly delineates the roles and responsibilities of
federal and nonfederal CIP entities, defines interim objectives and
milestones, sets timeframes for achieving objectives, and establishes
performance measures. Such a clearly defined plan is essential for
defining the relationships among all CIP organizations to ensure that the
approach is comprehensive and well coordinated. Since 1998, we have
reported on the need for such a plan and made numerous related
recommendations.

In September 1998, we reported that developing a governmentwide strategy
that clearly defined and coordinated the roles of federal entities was
important to ensure governmentwide cooperation and support for PDD 63.[46]
At that time, we recommended that OMB and the Assistant to the President
for National Security Affairs ensure such coordination.

In January 2000, the President issued Defending America's Cyberspace:
National Plan for Information Systems Protection: Version 1.0: An
Invitation to a Dialogue as a first major element of a more comprehensive
effort to protect the nation's information systems and critical assets
from future attacks. The plan proposed achieving the twin goals of making
the U.S. government a model of information security and developing a
public/private partnership to defend our national infrastructures.
However, this plan focused largely on federal cyber CIP efforts, saying
little about the private-sector role.

46 U.S. General Accounting Office, Information Security: Serious
Weaknesses Place Critical Federal Operations and Assets at Risk,
GAO/AIMD-98-92 (Washington, D.C.: Sept. 23, 1998).

In September 2001, we reported that agency questions had surfaced
regarding specific roles and responsibilities of entities involved in
cyber CIP and the timeframes within which CIP objectives were to be met,
as well as guidelines for measuring progress.[47] Accordingly, we made
several recommendations to supplement those we had made in the past.
Specifically, we recommended that the Assistant to the President for
National Security Affairs ensure that the federal government's strategy to
address computer-based threats define

• specific roles and responsibilities of organizations involved in CIP and
related information security activities;

• interim objectives and milestones for achieving CIP goals and a specific
action plan for achieving these objectives, including implementing
vulnerability assessments and related remedial plans; and

• performance measures for which entities can be held accountable.

In July 2002 we issued a report identifying at least 50 organizations that
were involved in national or multinational cyber CIP efforts, including 5
advisory committees, 6 Executive Office of the President organizations, 38
executive branch organizations associated with departments, agencies, or
intelligence organizations, and 3 other organizations.[48] Although our
review did not cover organizations with national physical CIP
responsibilities, the large number of organizations that we did identify
as involved in CIP efforts presents a need to clarify how these entities
coordinate their activities with each other. Our report also stated that
PDD 63 did not specifically address other possible critical sectors and
their respective federal agency counterparts. Accordingly, we recommended
that the federal government's strategy also

• include all relevant sectors and define the key federal agencies' roles
and responsibilities associated with each of these sectors, and

• define the relationships among the key CIP organizations.

In July 2002, the National Strategy for Homeland Security called for
interim cyber and physical infrastructure protection plans that DHS would
use to build a comprehensive national infrastructure plan. According to
the National Strategy for Homeland Security, the national plan is to
provide a methodology for identifying and prioritizing critical assets,
systems, and functions, and for sharing protection responsibility with
state and local government and the private sector. The plan is to
establish standards and benchmarks for infrastructure protection and
provide a means to measure performance. The strategy also states that DHS
is to unify the currently divided responsibilities for cyber and physical
security. In November 2002, as mentioned previously, the Homeland Security
Act of 2002 created DHS and, among other things, required it to develop a
comprehensive national plan.

47 U.S. General Accounting Office, Combating Terrorism: Selected
Challenges and Related Recommendations, GAO-01-822 (Washington, D.C.:
Sept. 20, 2001).

48 U.S. General Accounting Office, Critical Infrastructure Protection:
Federal Efforts Require a More Coordinated and Comprehensive Approach for
Protecting Information Systems, GAO-02-474 (Washington, D.C.: July 15,
2002).

In February 2003, the President issued the interim strategies, The
National Strategy to Secure Cyberspace and The National Strategy for the
Physical Protection of Critical Infrastructures and Key Assets (hereafter
referred to in this testimony as the cyberspace security strategy and the
physical protection strategy). Both define strategic objectives for
protecting our nation's critical assets. These strategies identify
priorities, actions, and responsibilities for the federal government,
including federal lead departments and agencies and DHS, as well as for
state and local governments and the private sector. The two do not (1)
clearly indicate how the physical and cyber efforts will be coordinated;
(2) define the roles, responsibilities, and relationships among the key
CIP organizations, including state and local governments and the private
sector; (3) indicate time frames or milestones for their overall
implementation or for accomplishing specific actions or initiatives; or
(4) establish performance measures for which entities can be held
responsible. Until a comprehensive and coordinated plan is completed that
unifies the responsibilities for cyber and physical infrastructures;
identifies roles, responsibilities, and relationships for all CIP efforts;
establishes time frames or milestones for implementation; and establishes
performance measures, our nation risks not having a consistent and
appropriate framework to deal with growing threats to its critical
infrastructure.

Better Information Sharing on Threats and Vulnerabilities Must Be
Implemented

Information sharing is a key element in developing comprehensive and
practical approaches to defending against cyber attacks, which could
threaten the national welfare. Information on threats, vulnerabilities,
and incidents experienced by others can help identify trends, better
understand the risks faced, and determine what preventive measures should
be implemented. However, as we have reported in recent years, establishing
the trusted relationships and information-sharing protocols necessary to
support such coordination can be difficult. In addition, the private
sector has expressed concerns about sharing information with the
government and the difficulty of obtaining security clearances.

In October 2001, we reported on information sharing practices that could
benefit CIP.[49] These practices include

• establishing trust relationships with a wide variety of federal and
nonfederal entities that may be in a position to provide potentially
useful information and advice on vulnerabilities and incidents;

• developing standards and agreements on how shared information will be
used and protected;

• establishing effective and appropriately secure communications
mechanisms; and

• taking steps to ensure that sensitive information is not inappropriately
disseminated, which may require statutory changes.

A number of activities have been undertaken to build relationships between
the federal government and the private sector, such as InfraGard, the
Partnership for Critical Infrastructure Security, efforts by the CIAO, and
efforts by lead agencies to establish ISACs. For example, the InfraGard
Program, which provides the FBI and NIPC with a means of securely sharing
information with individual companies, has expanded substantially. By
early January 2001, 518 entities were InfraGard members, up from 277
members in October 2000. Members include representatives from private
industry, other government agencies, state and local law enforcement, and
the academic community. As of February 2003, InfraGard members totaled
over 6,700.

49 U.S. General Accounting Office, Information Sharing: Practices That
Can Benefit Critical Infrastructure Protection, GAO-02-24 (Washington,
D.C.: Oct. 15, 2001).

As stated above, PDD 63 encouraged the voluntary creation of ISACs to
serve as the mechanism for gathering, analyzing, and appropriately
sanitizing and disseminating information between the private sector and
the federal government through NIPC. ISACs are critical since
private-sector entities control over 80 percent of our nation's critical
infrastructures. Their activities could improve the security posture of
the individual sectors, as well as provide an improved level of
communication within and across sectors and all levels of government.

While PDD 63 encouraged the creation of ISACs, it left the actual design
and functions of the ISACs, along with their relationship with NIPC, to be
determined by the private sector in consultation with the federal
government. PDD 63 did provide suggested activities which the ISACs could
undertake, including:

• establishing baseline statistics and patterns on the various
infrastructures;

• serving as a clearinghouse for information within and among the various
sectors;

• providing a library for historical data for use by the private sector
and government; and

• reporting private-sector incidents to NIPC.

In April 2001, we reported that NIPC and other government entities had not
developed fully productive information-sharing relationships but that
NIPC had undertaken a range of initiatives to foster information sharing
relationships with ISACs, as well as with government and international
entities. We recommended that NIPC formalize relationships with ISACs and
develop a plan to foster a two-way exchange of information between them.

In response to our recommendations, NIPC officials told us in July 2002
that an ISAC development and support unit had been created, whose mission
was to enhance private-sector cooperation and trust so that it would
result in a two-way sharing of information. DHS now reports that there
are currently 16 ISACs, including ISACs established for sectors not
identified as critical infrastructure sectors. Table 3 lists the current
ISACs identified by DHS and the lead agencies. DHS officials stated that
they have formal agreements with most of the current ISACs.

Table 3: Lead Agencies and ISAC Status by CIP Sector

[Table 3 body not reproduced in this text. Columns: Sectors; Designated
lead agency; ISAC established. Rows are grouped under "Sectors Identified
by PDD 63" and additional sectors; the first surviving row reads:
Information and telecommunications; Homeland Security*; Information
technology.]

*The lead agencies previously designated by PDD 63 were (from top to
bottom) the Department of Commerce, Department of Transportation,
Department of Justice/Federal Bureau of Investigation, and the Federal
Emergency Management Agency.

**PDD 63 identified as critical sectors (1) emergency law enforcement and
(2) emergency fire services and continuity of government. In the new
National Strategy for Homeland Security, emergency law enforcement and
emergency fire services are both included in an emergency services sector.
Also, continuity of government, along with continuity of operations, is
listed as a subcomponent under the government sector.

In spite of progress made in establishing ISACs, additional efforts are
needed. Not all sectors have a fully established ISAC, and of those
sectors that do, there is mixed participation. The amount of information
being shared between the federal government and private-sector
organizations also varies. Specifically, the five ISACs we recently
reviewed[50] showed different levels of progress in implementing the PDD
63 suggested activities. Four of the five reported that efforts to
establish baseline statistics were still in progress. Also, while all five
reported that they serve as the clearinghouse for their own sectors, only
three of the five reported that they are also coordinating with other
sectors. Only one of the five ISACs reported that it provides a library of
incidents and historical data that is available to both the private sector
and the federal government, and although three additional ISACs do
maintain a library, it is available only to the private sector. The one
remaining ISAC reported that it had yet to develop a library but has plans
to do so. Finally, four of the five stated that they report incidents to
NIPC on a regular basis.

Some in the private sector have expressed concerns about voluntarily
sharing information with the government. Specifically, concerns have been
raised that industry could potentially face antitrust violations for
sharing information with other industry partners, have their information
subject to the Freedom of Information Act (FOIA), or face potential
liability concerns for information shared in good faith. For example, none
of the information technology, energy, or water ISACs share their
libraries with the federal government because of concerns that information
could be released under FOIA. And, officials of the energy ISAC stated
that they have not reported incidents to NIPC because of FOIA and
antitrust concerns.

Other obstacles to information sharing, previously mentioned in
congressional testimony, include difficulty obtaining security clearances
for ISAC personnel and the reluctance to disclose corporate information.
In July 2002 congressional testimony, the Director of Information
Technology for the North American Electric Reliability Council stated that
the owners of critical infrastructures need access to more specific threat
information and analysis from the public sector and that this may require
either more security clearances or declassifying information.[51] There
will be continuing debate as to whether adequate protection is being
provided to the private sector as these entities are encouraged to
disclose and exchange information on both physical and cyber security
problems and solutions that are essential to protecting our nation's
critical infrastructures. The National Strategy for Homeland Security,
which outlines 12 major legislative initiatives, includes "enabling
critical infrastructure information sharing." It states that the nation
must meet this need by narrowly limiting public disclosure of information
relevant to protecting our physical and cyber critical infrastructures in
order to facilitate its voluntary submission. It further states that the
Attorney General will convene a panel to propose any legal changes
necessary to enable sharing of essential homeland security related
information between the federal government and the private sector.

50 U.S. General Accounting Office, Critical Infrastructure Protection:
Challenges for Selected Agencies and Industry Sectors, GAO-03-233
(Washington, D.C.: Feb. 28, 2003).

Actions have already been taken by the Congress and the administration to
strengthen information sharing. For example, the USA PATRIOT Act promotes
information sharing among federal agencies, and numerous terrorism task
forces have been established to coordinate investigations and improve
communications among federal and local law enforcement.[52] Moreover, the
Homeland Security Act of 2002 includes provisions that restrict federal,
state, and local government use and disclosure of critical infrastructure
information that has been voluntarily submitted to DHS. These restrictions
include exemption from disclosure under FOIA, a general limitation on use
to CIP purposes, and limitations on use in civil actions and by state or
local governments. The act also provides penalties for any federal
employee who improperly discloses any protected critical infrastructure
information. At this time, it is too early to tell what impact the new law
will have on the willingness of the private sector to share critical
infrastructure information.

51 Testimony of Lynn P. Constantini, Director, Information Technology,
North American Electric Reliability Council, before the Subcommittee on
Oversight and Investigations of the Committee on Energy and Commerce, U.S.
House of Representatives, July 9, 2002.

52 The Uniting and Strengthening America by Providing Appropriate Tools
Required to Intercept and Obstruct Terrorism (USA PATRIOT Act), Public Law
No. 107-56, October 26, 2001.

Information sharing within the government also remains a challenge. In
April 2001, we reported that NIPC and other government entities had not
developed fully productive information sharing and cooperative
relationships.[53] For example, federal agencies had not routinely
reported incident information to NIPC, at least in part because guidance
provided by the federal Chief Information Officers Council, which is
chaired by the Office of Management and Budget, directs agencies to report
such information to the General Services Administration's FedCIRC.
Further, NIPC and DOD officials agreed that their information-sharing
procedures needed improvement, noting that protocols for reciprocal
exchanges of information had not been established. In addition, the
expertise of the U.S. Secret Service regarding computer crime had not been
integrated into NIPC efforts. The NIPC director stated in July 2002 that
the relationship between NIPC and other government entities had
significantly improved since our review, and the quarterly meetings with
senior government leaders were instrumental in improving information
sharing. In addition, in testimony subsequent to our work, officials from
the FedCIRC and the U.S. Secret Service discussed the collaborative and
cooperative relationships that had since been formed between their
agencies and NIPC.

The private sector has also expressed its concerns about the value of
information being provided by the government. For example, in July 2002
the President of the Partnership for Critical Infrastructure Security
stated in congressional testimony that information sharing between the
government and private sector needs work, specifically in the quality and
timeliness of cyber security information coming from the government.[54]
The cyberspace security strategy reiterates that the federal government
encourages the private sector to continue to establish ISACs and to
enhance the analytical capabilities of existing ISACs. It states that
ISACs will play an increasingly important role in the national cyberspace
security response system and the overall missions of homeland security. In
addition, the physical protection strategy states that the overall
management of information sharing activities among government agencies and
between public and private sectors has lacked proper coordination and
facilitation. The physical protection strategy also establishes specific
initiatives for creating more effective and efficient information sharing,
including defining protection-related information sharing requirements,
promoting the development and operation of critical sector ISACs, and
implementing the statutory authorities and powers of the Homeland Security
Act of 2002.

53 U.S. General Accounting Office, Critical Infrastructure Protection:
Significant Challenges in Developing National Capabilities, GAO-01-323
(Washington, D.C.: Apr. 24, 2001).

54 Testimony of Kenneth C. Watson, President, Partnership for Critical
Infrastructure Security, before the Subcommittee on Oversight and
Investigation of the Energy and Commerce Committee, U.S. House of
Representatives, July 9, 2002.

Analysis and Warning Capabilities Need to Be Improved

Another key CIP challenge is to develop more robust analysis and warning
capabilities to identify threats and provide timely warnings, including an
effective methodology for strategic analysis and a framework for
collecting needed threat and vulnerability information. Such capabilities
need to address both cyber and physical threats.

NIPC was established in PDD 63 as "a national focal point" for gathering
information on threats and facilitating the federal government's response
to computer-based incidents. Specifically, the directive assigned NIPC
the responsibility for providing comprehensive analyses on threats,
vulnerabilities, and attacks; issuing timely warnings on threats and
attacks; facilitating and coordinating the government's response to
computer-based incidents; providing law enforcement investigation and
response; monitoring reconstitution of minimum required capabilities after
an infrastructure attack; and promoting outreach and information sharing.
This responsibility requires obtaining and analyzing intelligence, law
enforcement, and other information to identify patterns that may signal
that an attack is under way or imminent. Similar activities are also
called for in DHS's Information Analysis and Infrastructure Protection
Directorate, which has absorbed NIPC.

In April 2001, we reported on NIPC's progress in developing national
capabilities for analyzing threat and vulnerability data, issuing
warnings, and responding to attacks, among other issues.[55] Overall, we
found that while progress in developing these capabilities was mixed, NIPC
had initiated a variety of CIP efforts that had laid a foundation for
future governmentwide efforts. In addition, NIPC had provided valuable
support and coordination related to investigating and otherwise responding
to attacks on computers. However, at the close of our review, the
analytical capabilities that PDD 63 asserted were needed to protect the
nation's critical infrastructures had not yet been achieved, and NIPC had
developed only limited warning capabilities. Developing such capabilities
is a formidable task that experts say will take an intense interagency
effort.

55 U.S. General Accounting Office, Critical Infrastructure Protection:
Significant Challenges in Developing National Capabilities, GAO-01-323
(Washington, D.C.: Apr. 25, 2001).

At the time of our review, NIPC had issued a variety of analytical
products, most of which have been tactical analyses pertaining to
individual incidents. In addition, it had issued a variety of
publications, most of which were compilations of information previously
reported by others with some NIPC analysis. We reported that the use of
strategic analysis to determine the potential broader implications of
individual incidents had been limited. Such analysis looks beyond one
specific incident to consider a broader set of incidents or implications
that may indicate a potential threat of national importance. Identifying
such threats assists in proactively managing risk, including evaluating
the risks associated with possible future incidents and effectively
mitigating the impact of such incidents. We also reported that three
factors hindered NIPC's ability to develop strategic analytical
capabilities:[56]

• First, there was no generally accepted methodology for analyzing
strategic cyber-based threats. For example, there was no standard
terminology, no standard set of factors to consider, and no established
thresholds for determining the sophistication of attack techniques.
According to officials in the intelligence and national security
community, developing such a methodology would require an intense
interagency effort and dedication of resources.

• Second, NIPC had sustained prolonged leadership vacancies and did not
have adequate staff expertise, in part because other federal agencies had
not provided the originally anticipated number of detailees. For example,
at the close of our review in February 2001, the position of Chief of the
Analysis and Warning Section, which was to be filled by the Central
Intelligence Agency, had been vacant for about half of NIPC's 3-year
existence. In addition, NIPC had been operating with only 13 of the 24
analysts that NIPC officials estimated were needed to develop analytical
capabilities.

• Third, NIPC did not have industry-specific data on factors such as
critical system components, known vulnerabilities, and interdependencies.
Under PDD 63, such information is to be developed for each of eight
industry segments by industry representatives and the designated federal
lead agencies. However, at the close of our work, only three industry
assessments had been partially completed, and none had been provided to
NIPC. In September 2001, we reported that although outreach efforts had
raised awareness and improved information sharing, substantive,
comprehensive analysis of infrastructure sector interdependencies and
vulnerabilities had been limited.

56 GAO-01-323.

To provide a warning capability, NIPC had established a Watch and Warning
Unit that monitors the Internet and other media 24 hours a day to identify
reports of computer- based attacks. While some warnings were issued in
time to avert damage, most of the warnings, especially those related to
viruses, pertained to attacks under way. We reported that NIPC's ability
to issue warnings promptly was impeded because of (1) a lack of a
comprehensive governmentwide or nationwide framework for promptly
obtaining and analyzing information on imminent attacks; (2) a shortage of
skilled staff; (3) the need to ensure that NIPC does not raise undue alarm
for insignificant incidents; and (4) the need to ensure that sensitive
information is protected, especially when such information pertains to law
enforcement investigations under way.

In addition, NIPC's own plans for further developing its analysis and
warning capabilities were fragmented and incomplete. The relationships
between the Center, the FBI, and the National Coordinator for Security,
Infrastructure Protection, and Counter-Terrorism at the National Security
Council were unclear regarding who had direct authority for setting NIPC
priorities and procedures and providing NIPC oversight. As a result, no
specific priorities, milestones, or program performance measures existed
to guide NIPC's actions or provide a basis for evaluating its progress.

In our report, we recognized that the administration was reviewing the
government's infrastructure protection strategy and recommended that, as
the administration proceeds, the Assistant to the President for National
Security Affairs, in coordination with pertinent executive agencies,

- establish a capability for strategically analyzing computer-based
  threats, including developing related methodology, acquiring staff
  expertise, and obtaining infrastructure data;

- require the development of a comprehensive data collection and analysis
  framework and ensure that national watch and warning operations for
  computer-based attacks are supported by sufficient staff and resources;
  and

- clearly define the role of NIPC in relation to other government and
  private-sector entities.

In July 2002, NIPC's director stated that, in response to our report's
recommendations, NIPC had developed a plan with goals and objectives to
improve its analysis and warning capabilities and had made considerable
progress in this area. The plan establishes and describes performance
measures both for its analysis and warning section and for other issues
relating to staffing, training, investigations, outreach, and warning. In
addition, the plan describes the resources needed to reach the specific
goals and objectives for the analysis and warning section. The director
also stated that the analysis and warning section had created two
additional teams to bolster its analytical capabilities: (1) the critical
infrastructure assessment team to focus efforts on learning about
particular infrastructures and coordinating with respective infrastructure
efforts and (2) the collection operations intelligence liaison team to
coordinate with various entities within the intelligence community. The
director added that NIPC (1) started holding a quarterly meeting with
senior government leaders of entities that it regularly works with to
better coordinate its analysis and warning capabilities; (2) had developed
close working relationships with other CIP entities involved in analysis
and warning activities, such as FedCIRC, DOD's Joint Task Force for
Computer Network Operations, Carnegie Mellon's CERT Coordination Center,
and the intelligence and anti-virus communities; and (3) had developed
and implemented procedures to more quickly share relevant CIP information,
while separately continuing any related law enforcement investigation.

The director also stated in July 2002 that NIPC had received sustained
leadership commitment from key entities, such as the CIA and the National
Security Agency, and that it continued to increase its staff primarily
through reservists and contractors. However, the director acknowledged
that our recommendations were not fully implemented and that despite the
accomplishments to date, much more had to be done to create the robust
analysis and warning capabilities needed to adequately address
cyberthreats.

Another challenge confronting the analysis and warning capabilities of our
nation is that, historically, our national CIP attention and efforts have
been focused on cyber threats. In April 2001, we reported that while PDD 63
covers both physical and computer-based threats, federal efforts to meet
the directive's requirements have pertained primarily to computer-based
threats, since this was an area that the leaders of the administration's
CIP strategy view as needing attention. In July 2002, NIPC reported that
the potential for concurrent cyber and physical attacks, referred to as
"swarming attacks," is an emerging threat to the U.S. critical
infrastructure. In July 2002, the director of NIPC told us that NIPC had
begun to develop some capabilities for identifying physical CIP threats.
For example, NIPC had developed thresholds with several ISACs for
reporting physical incidents and, since January 2002, has issued several
information bulletins concerning physical CIP threats. However, NIPC's
director acknowledged that fully developing this capability will be a
significant challenge. The physical protection strategy states that DHS
will maintain a comprehensive, up-to-date assessment of vulnerabilities
across sectors and improve processes for domestic threat data collection,
analysis, and dissemination to state and local government and private
industry.

Another critical issue in developing effective analysis and warning
capabilities is to ensure that appropriate intelligence and other threat
information, both cyber and physical, is received from the intelligence
and law enforcement communities. For example, there has been considerable
public debate regarding the quality and timeliness of intelligence data
shared between and among relevant intelligence, law enforcement, and
other agencies. Also, as the transfer of NIPC to DHS organizationally
separated NIPC from the FBI's law enforcement activities, including the
Counterterrorism Division and NIPC field agents, it will be critical to
establish mechanisms for continued communication to occur. Further, it
will be important that the relationships between the law enforcement and
intelligence communities and the new DHS are effective and that
appropriate information is exchanged on a timely basis.

In January 2003, the President announced the creation of a multi-agency
Terrorist Threat Integration Center (TTIC) to merge and analyze
terrorist-related information collected domestically and abroad in order
to form the most comprehensive possible threat picture. The center will be
formed from elements of the Department of Homeland Security, the FBI's
Counterterrorism Division, the Director of Central Intelligence's
Counterterrorist Center, and the Department of Defense.[57] Specifically,
the President stated that it would:

- optimize the use of terrorist threat-related information, expertise,
  and capabilities to conduct threat analysis and inform collection
  strategies;

- create a structure that ensures information sharing across agency lines
  in a way consistent with our national values of privacy and civil
  liberties;

- integrate terrorist-related information collected domestically and
  abroad in order to form the most comprehensive possible threat picture;
  and

- be responsible and accountable for providing terrorist threat
  assessments for our national leadership.

The TTIC is scheduled to begin operations within the CIA's facilities on
May 1, 2003, but will eventually move to a new, independent facility. The
center is to receive $50 million in fiscal year 2004. The TTIC will fuse
international threat-related information from the CIA with domestic
threat-related information collected by the FBI's Joint Terrorism Task
Forces and analyzed by a separate FBI information-analysis center.

In addition, according to NIPC's director, as of July 2002, a significant
challenge in developing a robust analysis and warning function is the
development of the technology and human capital capacities to collect and
analyze substantial amounts of information. Similarly, the Director of the
FBI testified in June 2002 that implementing a more proactive approach to
preventing terrorist acts and denying terrorist groups the ability to
operate and raise funds requires a centralized and robust analytical
capacity that did not exist in the FBI's Counterterrorism Division.[58] He
also stated that processing and exploiting information gathered
domestically and abroad during the course of investigations requires an
enhanced analytical and data mining capacity that was not then available.
Furthermore, NIPC's director stated that multiagency staffing, similar to
NIPC, is a critical success factor in establishing an effective analysis
and warning function and that appropriate funding for such staff is
important.

57 The White House, Fact Sheet: Strengthening Intelligence to Better
Protect America (Washington, D.C.: Jan. 28, 2003).

58 Testimony of Robert S. Mueller, III, Director, Federal Bureau of
Investigation, before the Subcommittee for the Departments of Commerce,
Justice, and State, the Judiciary, and Related Agencies, Committee on
Appropriations, U.S. House of Representatives, June 21, 2002.

The National Strategy for Homeland Security identified intelligence and
warning as one of six critical mission areas and called for major
initiatives to improve our nation's analysis and warning capabilities. The
strategy also stated that no government entity was then responsible for
analyzing terrorist threats to the homeland, mapping these threats to our
vulnerabilities, and taking protective action. The Homeland Security Act
gives such responsibility to the new DHS. Further, the Act gives DHS broad
statutory authority to access intelligence information, as well as other
information, relevant to the terrorist threat and to turn this information
into useful warnings. For example, according to a White House fact sheet,
DHS's Information Analysis and Infrastructure Protection Directorate is to
receive and analyze terrorism-related information from the TTIC.[59]

An important aspect of improving our nation's analysis and warning
capabilities is having comprehensive vulnerability assessments. The
President's National Strategy for Homeland Security also stated that
comprehensive vulnerability assessments of all of our nation's critical
infrastructures are important from a planning perspective in that they
enable authorities to evaluate the potential effects of an attack on a
given sector and then invest accordingly to protect it. The strategy
stated that the U.S. government does not perform vulnerability
assessments of the nation's entire critical infrastructure. The Homeland
Security Act of 2002 stated DHS's Under Secretary for Information Analysis
and Infrastructure Protection is to carry out comprehensive assessments of
the vulnerabilities of key resources and critical infrastructures of the
United States.

The President's fiscal year 2004 budget request for the new DHS includes
$829 million for information analysis and infrastructure protection, a
significant increase from the estimated $177 million for fiscal year 2003.
In particular, the requested funding for protection includes about $500
million to identify key critical infrastructure vulnerabilities and
support the necessary steps to ensure that security is improved at these
sites.

59 The White House, Fact Sheet: Strengthening Intelligence to Better
Protect America (Washington, D.C.: Jan. 28, 2003).

Additional Incentives Are Needed to Encourage Increased Nonfederal Efforts

Although it also includes almost $300 million for warning advisories,
threat assessments, a communications system, and outreach efforts to state
and local governments and the private sector, additional incentives may
still be needed to encourage nonfederal entities to increase their CIP
efforts.

PDD 63 also stated that sector liaisons should identify and assess
economic incentives to encourage the desired sector behavior in CIP.
Further, to facilitate private-sector participation, it encouraged the
voluntary creation of information sharing and analysis centers (ISACs)
that could serve as mechanisms for gathering, analyzing, and appropriately
sanitizing and disseminating information to and from infrastructure
sectors and the federal government through NIPC. Consistent with the
original intent of PDD 63, the National Strategy for Homeland Security
states that, in many cases, sufficient incentives exist in the private
market for addressing the problems of CIP. However, the strategy also
discusses the need to use policy tools to protect the health, safety, or
well-being of the American people. It mentions federal grants programs to
assist state and local efforts, legislation to create incentives for the
private sector, and, in some cases, regulation. The physical security
strategy reiterates that additional regulatory directives and mandates
should only be necessary in instances where the market forces are
insufficient to prompt the necessary investments to protect critical
infrastructures and key assets. The cyberspace security strategy also
states that the market is to provide the major impetus to improve cyber
security and that regulation will not become a primary means of securing
cyberspace.

Last year, the Comptroller General testified on the need for strong
partnerships with those outside the federal government and that the new
department would need to design and manage tools of public policy to
engage and work constructively with third parties.[60] We have previously
testified on the choice and design of public policy tools that are
available to governments.[61] These public policy tools include grants,
regulations, tax incentives, and regional coordination and partnerships to
motivate and mandate other levels of government or the private sector to
address security concerns. Some of these tools are already being used. For
example, as the lead agency for the water sector, the EPA reported
providing approximately 449 grants totaling $51 million to assist large
drinking water utilities in developing vulnerability assessments,
emergency response/operating plans, security enhancement plans and
designs, or a combination of these efforts.

60 U.S. General Accounting Office, Homeland Security: Proposal for Cabinet
Agency Has Merit, But Implementation Will Be Pivotal to Success,
GAO-02-886T (Washington, D.C.: June 25, 2002).

61 U.S. General Accounting Office, Combating Terrorism: Enhancing
Partnerships Through a National Preparedness Strategy, GAO-02-549T
(Washington, D.C.: Mar. 28, 2002).

In a different approach, the American Chemistry Council, the ISAC for the
chemical sector, requires as a condition for membership that its members
perform enhanced security activities, including vulnerability assessments.
However, because a significant percentage of companies that operate major
hazardous chemical facilities do not perform these voluntary security
activities, the physical security strategy recognized that mandatory
measures may be required. The strategy stated that EPA, in consultation
with DHS and other federal, state, and local agencies, will review current
laws and regulations pertaining to the sale and distribution of highly
toxic substances to determine whether additional measures are necessary.
Moreover, the strategy also stated that DHS, in concert with EPA, will
work with Congress to enact legislation requiring certain facilities,
particularly those that maintain large quantities of hazardous chemicals
in close proximity to large populations, to enhance site security.

Without appropriate consideration of public policy tools, private sector
participation in sector-related CIP efforts may not reach its full
potential. For example, we reported in January 2003 on the efforts of the
financial services sector to address cyber threats, including industry
efforts to share information and to better foster and facilitate
sectorwide efforts. We also reported on the efforts of federal entities
and regulators to partner with the financial services industry to protect
critical infrastructures and to address information security. We found
that although federal entities had a number of efforts ongoing, Treasury,
in its role as sector liaison, had not undertaken a comprehensive
assessment of the potential public policy tools to encourage the financial
services sector in implementing CIP-related efforts. Because of the
importance of considering public policy tools to encourage private sector
participation, we recommended that Treasury assess the need for public
policy tools to assist the industry in meeting the sector's goals. In
addition, in February 2003, we reported on the mixed progress five ISACs
had made in accomplishing the activities suggested by PDD 63. We
recommended that the responsible lead agencies assess the need for public
policy tools to encourage increased private-sector CIP activities and
greater sharing of intelligence and incident information between the
sectors and the federal government.

In summary, through audit and evaluation results and the management review
and reporting requirements implemented through GISRA and now FISMA,
agencies have increased management attention to information security and
begun to show progress in correcting identified weaknesses. In addition,
continued guidance and OMB and congressional oversight have emphasized the
ongoing commitment to improving the federal government's information
security. Such efforts must be sustained to help ensure that federal
agencies are responding to and providing appropriate protections against
the growing threat to the systems that support their missions and provide
vital services to the American people. Further, we believe that a
comprehensive strategy addressing certain key issues would help to guide
these efforts and ensure that they are coordinated and consistently
implemented governmentwide.

Over the last several years, we have also identified various challenges to
the implementation of CIP that need to be addressed. Although improvements
have been made and continuing efforts are in progress, greater efforts are
still needed to effectively address them. These challenges include
developing a comprehensive and coordinated national plan, improving
information sharing on threats and vulnerabilities between the private
sector and the federal government as well as within the government itself,
improving analysis and warning capabilities, and encouraging entities
outside the federal government to increase CIP efforts. It is also
important to emphasize that much of the success of ensuring the security
of our nation's critical infrastructure will depend on appropriately
integrating all CIP efforts with the implementation of the new DHS.

Mr. Chairman, this concludes my written testimony. I would be pleased to
answer any questions that you or other members of the Subcommittee may
have at this time. If you should have any questions about this testimony,
please contact me at (202) 512-3317. I can also be reached by e-mail at
daceyr@gao.gov.
