Critical Infrastructure Protection: Improving Information Sharing
with Infrastructure Sectors (09-JUL-04, GAO-04-780).
Critical infrastructure protection (CIP) activities called for in
federal policy and law are intended to enhance the security of
the public and private infrastructures that are essential to our
nation's security, economic security, and public health and
safety. Effective information-sharing partnerships between
industry sectors and government can contribute to CIP efforts.
Federal policy has encouraged the voluntary creation of
information sharing and analysis centers (ISAC) to facilitate
infrastructure sector participation in CIP information sharing
efforts. GAO was asked to identify actions that the Department of
Homeland Security (DHS) could take to improve the effectiveness
of CIP information-sharing efforts.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-04-780
ACCNO: A10851
TITLE: Critical Infrastructure Protection: Improving Information
Sharing with Infrastructure Sectors
DATE: 07/09/2004
SUBJECT: Counterterrorism
Facility security
Government information dissemination
Information centers
Information disclosure
Information resources management
National policies
National preparedness
Planning
Private sector
Private sector practices
Reporting requirements
Computer security
Physical security
Intergovernmental relations
Critical infrastructure
Policies and procedures
Public/private partnerships
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-04-780
United States General Accounting Office
July 2004
CRITICAL INFRASTRUCTURE PROTECTION
Improving Information Sharing with Infrastructure Sectors
Highlights of GAO-04-780, a report to congressional requesters
Critical infrastructure protection (CIP) activities called for in federal
policy and law are intended to enhance the security of the public and
private infrastructures that are essential to our nation's security,
economic security, and public health and safety. Effective
information-sharing partnerships between industry sectors and government
can contribute to CIP efforts.
Federal policy has encouraged the voluntary creation of information
sharing and analysis centers (ISAC) to facilitate infrastructure sector
participation in CIP information sharing efforts. GAO was asked to
identify actions that the Department of Homeland Security (DHS) could take
to improve the effectiveness of CIP information-sharing efforts.
GAO recommends that the Secretary of Homeland Security direct officials
within DHS to (1) proceed with the development of an information-sharing
plan that describes the roles and responsibilities of DHS, the ISACs, and
other entities and (2) establish appropriate department policies and
procedures for interactions with other CIP entities and for coordination
and information sharing among DHS components. DHS commented on a draft of
this report and generally agreed with our findings and recommendations.
Federal awareness of the importance of securing the nation's critical
infrastructures, and the federal government's strategy to encourage
cooperative efforts among state and local governments and the private
sector to protect these infrastructures, have been evolving since the
mid-1990s. Federal policy continues to emphasize the importance of the
ISACs and their information-sharing functions. In addition, federal policy
established specific responsibilities for DHS and other federal agencies
involved with the CIP sectors. The ISACs have identified challenges
requiring further federal action, including building trusted
relationships; developing processes to facilitate information sharing;
overcoming barriers to information sharing; clarifying the roles and
responsibilities of the various government and private-sector entities
that are involved in protecting critical infrastructures; and funding ISAC
operations and activities.
Although DHS has taken a number of actions to implement the public/private
partnership called for by federal CIP policy, it has not yet developed a
plan that describes how it will carry out its information-sharing
responsibilities and relationships. Such a plan could encourage improved
information sharing among the ISACs, other CIP entities, and the
department by clarifying the roles and responsibilities of all the
entities involved and clearly articulating actions to address the
challenges that remain. DHS officials indicated that they intend to
develop an information-sharing plan, but no specific time frame for
completing the plan has been established.
The department also lacks policies and procedures to ensure effective
coordination and sharing of ISAC-provided information among the
appropriate components within the department. Developing policies and
procedures would help ensure that information is effectively and
efficiently shared among its components and with other government and
private-sector CIP entities.
www.gao.gov/cgi-bin/getrpt?GAO-04-780.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Robert F. Dacey at
202-512-3317.
Contents
Letter
  Results in Brief
  Background
  Further DHS Actions Could Enhance Information Sharing
  Conclusions
  Recommendations for Executive Action
  Agency Comments
Appendixes
  Appendix I: GAO's April 21, 2004, Testimony
  Appendix II: Comments from the Department of Homeland Security
  Appendix III: Comments from the Department of Health and Human Services
  Appendix IV: Comments from the Department of the Treasury
  Appendix V: GAO Contact and Staff Acknowledgments
    GAO Contact
    Staff Acknowledgments
Tables
  Table 1: Critical Infrastructure Sectors Identified by Federal Policy
  Table 2: ISACs by Sector
Abbreviations
CIP critical infrastructure protection
DHS Department of Homeland Security
HHS Department of Health and Human Services
HSPD Homeland Security Presidential Directive
IAIP Information Analysis and Infrastructure Protection
ISAC information sharing and analysis center
TSA Transportation Security Administration
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States General Accounting Office Washington, D.C. 20548
July 9, 2004
The Honorable Mac Thornberry
Chairman
Subcommittee on Cybersecurity, Science, and Research and Development
Select Committee on Homeland Security
House of Representatives
The Honorable Zoe Lofgren
Ranking Member
Subcommittee on Cybersecurity, Science, and Research and Development
Select Committee on Homeland Security
House of Representatives
The Honorable Dave Camp
Chairman
Subcommittee on Infrastructure and Border Security
Select Committee on Homeland Security
House of Representatives
The Honorable Loretta Sanchez
Ranking Member
Subcommittee on Infrastructure and Border Security
Select Committee on Homeland Security
House of Representatives
Federal policy and law, including the Homeland Security Act of 2002,[1]
call for critical infrastructure protection (CIP) activities intended to
enhance the security of the cyber and physical, public, and private
infrastructures that are essential to national security, national economic
security, or national public health and safety. Federal policy, evolving
since the mid-1990s, has encouraged the voluntary creation of information
sharing and analysis centers (ISAC) to facilitate the private sector's
participation in CIP by serving as mechanisms for gathering and analyzing
information and sharing it among the infrastructure sectors and between
the private sector and government. In addition, federal policy established
specific responsibilities for the Department of Homeland Security (DHS)
and other federal agencies involved with the CIP infrastructure sectors,
including designation of sector-specific federal agencies for each sector
to coordinate CIP activities and sector coordinators from the sectors to
work with the sector-specific agencies.
[1] Homeland Security Act of 2002, P.L. 107-296 (Nov. 25, 2002).
In April, we testified before your subcommittees on the status of
private-sector ISACs and their efforts to help protect our nation's
critical infrastructures[2] (see app. I). In brief, we reported that
o the current ISACs were established and developed based on the unique
characteristics and needs of their individual sectors;
o DHS and the sector-specific agencies have undertaken a number of
efforts to address the public/private partnership called for by federal
policy on critical infrastructure protection and to continue to develop
their relationships with the ISACs and with each other; and
o a number of challenges to the ISACs' successful establishment,
operation, and partnership with DHS and other federal agencies remain,
some of which were described by the ISAC Council[3] through a series of
white papers.
Subsequent to the April 2004 testimony, your staff requested that we
identify actions DHS could take to improve the effectiveness of CIP
information sharing efforts. To address this objective, we considered
evidence gathered to support our April 2004 testimony, including analysis
of information obtained from officials from ISAC organizations, the ISAC
Council, and sector-specific agencies. We performed our work from November
2003 to May 2004, in accordance with generally accepted government
auditing standards.
[2] U.S. General Accounting Office, Critical Infrastructure Protection:
Establishing Effective Information Sharing with Infrastructure Sectors,
GAO-04-699T (Washington, D.C.: Apr. 21, 2004).
[3] Eleven ISACs created an ISAC Council to improve the ISACs' efficiency
and effectiveness. It works on various operational, process, and other
common issues to effectively analyze and disseminate information and,
where possible, to leverage the work of the entire ISAC community.
Results in Brief
DHS can take two key actions to improve the effectiveness of its
information-sharing efforts with the ISACs and others. First, a number of
challenges have been identified by the ISAC community that could be
addressed with the development of an information-sharing plan that, among
other things, defines the roles and responsibilities of the various
stakeholders and establishes criteria for providing the appropriate
incentives to address the challenges. In addition, DHS's ability to
gather, analyze, and disseminate information could be improved by
developing information sharing-related policies and procedures for its
components. We are making recommendations to DHS to proceed with the
development of an information sharing plan and to establish appropriate
policies and procedures for interacting with ISACs, sector coordinators,
and sector-specific agencies, and for coordination and information sharing
within DHS components.
DHS and the Departments of Health and Human Services (HHS) and the
Treasury provided written comments on a draft of this report (see app. II,
III, and IV, respectively). In its comments, a representative from DHS's
Office of the Chief Financial Officer stated that the department generally
agreed with our findings and the recommendations. We also received
technical comments from the Environmental Protection Agency, which have
been incorporated into this report, as appropriate. The Departments of
Agriculture and Energy reviewed a draft of this report and responded by
stating that they had no comments.
Background
Information sharing is an integral part of the federal government's CIP
efforts. As discussed in our April testimony, a number of ISACs have been
established to meet the information-sharing needs of their respective
sectors, and the federal government has undertaken steps to improve CIP
information sharing. Yet sector representatives have identified a number
of challenges to effective information sharing.
Federal CIP Policy Emphasizes Information Sharing
Federal law and policy emphasize the importance of information sharing to
the successful protection of our nation's critical infrastructures. The
Homeland Security Act of 2002 established DHS and made the department's
Information Analysis and Infrastructure Protection (IAIP) Directorate
responsible for CIP functions with a lead role for information sharing
within DHS and the federal government.[4] IAIP's responsibilities include
o accessing, receiving, and analyzing law enforcement information,
intelligence information, and other threat and incident information from
respective agencies of federal, state, and local governments and the
private sector;
o combining and analyzing such information to identify and assess the
nature and scope of terrorist threats; and
o disseminating, as appropriate, information analyzed by DHS, within the
department, to other federal agencies, state and local government
agencies, and private-sector entities.
As also required by the Homeland Security Act, IAIP is responsible for (1)
developing a comprehensive national plan for securing the key resources
and critical infrastructure of the United States and (2) recommending
measures to protect the key resources and critical infrastructure of the
United States in coordination with other federal agencies and in
cooperation with state and local government agencies and authorities, the
private sector, and other entities.
Current CIP policy, described in Homeland Security Presidential Directive
7 (HSPD-7), defines responsibilities for DHS, sector-specific agencies,
and other departments and agencies. It instructs federal departments and
agencies to identify, prioritize, and coordinate the protection of
critical infrastructure to prevent, deter, and mitigate the effects of
attacks. The Secretary of Homeland Security is assigned several
responsibilities, including establishing uniform policies, approaches,
guidelines, and methodologies for integrating federal infrastructure
protection and risk management activities within and across sectors. To
ensure the coverage of critical sectors, HSPD-7 designated sector-specific
agencies for the critical infrastructure sectors identified. These
agencies are responsible for infrastructure protection activities in their
assigned sectors, which include coordinating and collaborating with
relevant federal agencies, state and local governments, and the private
sector to carry out their responsibilities and facilitating the sharing of
information about physical and cyber threats, vulnerabilities, incidents,
potential protective measures, and best practices. Further, the
sector-specific agencies are to continue to encourage the development of
information-sharing and analysis mechanisms and to support
sector-coordinating mechanisms. Table 1 identifies the infrastructure
sectors specified in federal policy and the related sector-specific
agencies.
[4] The Homeland Security Act of 2002 designated five undersecretaries,
among other entities, with responsibility over directorates for
management, science and technology, information analysis and
infrastructure protection, border and transportation security, and
emergency preparedness and response.
Table 1: Critical Infrastructure Sectors Identified by Federal Policy
| Sector | Description | Sector-specific agency |
|---|---|---|
| Agriculture | Provides for the fundamental need for food. The infrastructure includes supply chains for feed and crop production. | Department of Agriculture and Department of Health and Human Services |
| Banking and finance | Provides the financial infrastructure of the nation. This sector consists of commercial banks, insurance companies, mutual funds, government-sponsored enterprises, pension funds, and other financial institutions that carry out transactions including clearing and settlement. | Department of the Treasury |
| Chemicals and hazardous materials | Transforms natural raw materials into commonly used products benefiting society's health, safety, and productivity. The chemical industry represents a $450 billion enterprise and produces more than 70,000 products that are essential to automobiles, pharmaceuticals, food supply, electronics, water treatment, health, construction, and other necessities. | Department of Homeland Security |
| Defense industrial base | Supplies the military with the means to protect the nation by producing weapons, aircraft, and ships and providing essential services, including information technology and supply and maintenance. | Department of Defense |
| Emergency services | Saves lives and property from accidents and disaster. This sector includes fire, rescue, emergency medical services, and law enforcement organizations. | Department of Homeland Security |
| Energy | Provides the electric power used by all sectors, including critical infrastructures, and the refining, storage, and distribution of oil and gas. The sector is divided into electricity and oil and natural gas. | Department of Energy |
| Food | Carries out the postharvesting of the food supply, including processing and retail sales. | Department of Agriculture and Department of Health and Human Services |
| Government | Ensures national security and freedom and administers key public functions. | Department of Homeland Security |
| Information technology and telecommunications | Provides communications and processes to meet the needs of businesses and government. | Department of Homeland Security |
| Postal and shipping | Delivers private and commercial letters, packages, and bulk assets. The U.S. Postal Service and other carriers provide the services of this sector. | Department of Homeland Security |
| Public health and healthcare | Mitigates the risk of disasters and attacks and also provides recovery assistance if an attack occurs. The sector consists of health departments, clinics, and hospitals. | Department of Health and Human Services |
| Transportation | Enables movement of people and assets that are vital to our economy, mobility, and security with the use of aviation, ships, rail, pipelines, highways, trucks, buses, and mass transit. | Department of Homeland Security |
| Drinking water and water treatment systems | Provides drinking water and wastewater treatment through approximately 170,000 public water systems. These systems depend on reservoirs, dams, wells, treatment facilities, pumping stations, and transmission lines. | Environmental Protection Agency |
Source: GAO analysis of the President's National Strategy documents and
HSPD-7.
Private Sector ISACs Established
As more fully discussed in our April testimony, ISACs were voluntarily
created to provide an information sharing and analysis capability to
support their members' efforts to mitigate risk and effectively respond to
adverse events, including cyber, physical, and natural events. ISACs have
been established within most of the critical infrastructure sectors
identified in federal policy, including those for banking and finance,
chemicals and hazardous materials, drinking water and water treatment
systems, emergency services, energy, food, government, information
technology and telecommunications, and transportation. ISACs have also
been established for other industry sectors, including real estate and
research and education networking. Further, the agriculture and healthcare
infrastructure sectors are continuing their efforts to establish
information sharing mechanisms. Table 2 identifies the sectors with ISACs.
Table 2: ISACs by Sector
| Sector | ISAC | Established |
|---|---|---|
| Banking and Finance | Financial Services | October 1999 |
| Chemicals and Hazardous Materials | Chemical | April 2002 |
| Emergency Services | Emergency Fire | October 2000 |
| Energy | Electric | October 2000 |
| | Energy | November 2001 |
| Food | Food | February 2002 |
| Government | Multi-State | January 2003 |
| Information Technology and Telecommunications | IT | December 2000 |
| | Telecom | January 2000 |
| | Research and Education Networking | February 2003 |
| Transportation | Public Transit | January 2003 |
| | Surface Transportation | May 2002 |
| | Highway | March 2003 |
| Drinking Water and Water Treatment Systems | Water | December 2002 |
| Other | Real Estate | April 2003 |
Source: GAO.
Although their overall missions are similar, the current ISACs were
established and developed based on the unique characteristics and needs of
their individual sectors. They operate under different management and
operational structures and, among other things, have different business
models and funding mechanisms. For example, most are managed or operated
as private entities, and some, such as the Water and Chemical ISACs, are
part of associations that represent their sectors. Others have partnered
with government agencies, such as the Telecommunications ISAC, which is a
government/industry operational and collaborative body sponsored by DHS's
National Communications Systems/National Coordinating Center for
Telecommunications. Different funding mechanisms used by the ISACs include
fee-for-service, association sponsorship, grants, contracts, and/or
voluntary or in-kind operations by ISAC participants. ISACs that use
fee-for-service funding include the Financial Services, Information
Technology, and Water ISACs, which offer tiered memberships with fees
based on the level of service provided.
Federal Actions Taken to Address Information Sharing Challenges
Sector-specific agencies are to collaborate with the private sector and
continue to encourage the development of information-sharing and analysis
mechanisms. In addition, sector-specific agencies are to facilitate the
sharing of information about physical and cyber threats, vulnerabilities,
incidents, potential protective measures, and best practices. Some
sector-specific agencies have taken steps to help the ISACs to increase
their memberships and breadth of impact within their respective sectors
and to improve their analytical and communications capabilities. As we
discussed more specifically in our April testimony, sector-specific
agencies, among other things, have
o Provided funds to enhance ISAC capabilities and expand membership. For
example, the Environmental Protection Agency is the sector-specific agency
for the water sector. It reported that for fiscal year 2004, it had issued
in March 2004 a $2 million grant to the Water ISAC to enhance its
capabilities: to fund 24x7 operations and to increase and support ISAC
membership. In addition, the Department of the Treasury entered into a $2
million contract with the Financial Services ISAC for developing the "next
generation" Financial Services ISAC by enhancing the ISAC's capabilities
and developing performance metrics.
o Sponsored outreach briefings to address why the private sector needs to
partner with the federal government. For example, the Federal Deposit
Insurance Corporation, Financial and Banking Information Infrastructure
Committee, and the Financial Services Sector Coordinating Council are
sponsoring regional outreach briefings that address why the private sector
needs to partner with the federal government to improve its security.[5]
In addition, in December 2003, DHS hosted a 2-day CIP retreat with ISAC
representatives, sector coordinators, and high-level DHS and White House
Homeland Security Council officials. Participants discussed the needs,
roles, and responsibilities of public- and private-sector entities related
to information sharing and analysis, incident coordination and response
activities, critical infrastructure information requests, and level of DHS
funding.
o Assisted infrastructure sectors in organizing sector-wide activities
and establishing ISACs. For example, last summer, DHS, the Department of
Agriculture, and HHS' Food and Drug Administration initiated efforts to
organize the agriculture and food critical infrastructure sectors to raise
awareness, coordinate, and improve security efforts.
In addition to the efforts listed above, DHS officials stated that they
are providing funding for tabletop exercises, including for the Financial
Services, Telecommunications, and Electricity Sector ISACs.
[5] The Financial and Banking Information Infrastructure Committee
coordinates federal and state financial regulatory efforts to improve the
reliability and security of U.S. financial systems. The Financial Services
Sector Coordinating Council's mission is to foster and facilitate the
coordination of financial services sector-wide voluntary activities and
initiatives designed to improve critical infrastructure protection and
homeland security.
Challenges to Effective Information Sharing Remain
The ISACs and the series of ISAC Council white papers confirmed that a
number of challenges remain to the successful establishment and operation
of ISACs and their partnership with DHS and the other sector-specific
agencies. The ISACs and the ISAC Council identified challenges that would
require federal action. Some of the more significant challenges identified
were the following:
o Government agencies and the ISACs need to build trusted relationships
between them to facilitate information sharing. In some cases,
establishing such relationships may be difficult because sector-specific
agencies may also have a regulatory role.
o The federal government and the private sector should share information
on incidents, threats, and vulnerabilities. Most ISACs reported that they
believed they were providing appropriate information to the government
but, while noting improvements, they still had concerns with the
information being provided to them by DHS and/or their sector-specific
agencies. These concerns included the limited quantity of information and
the need for more specific, timely, and actionable information. In its
recent white papers, the ISAC Council also has identified a number of
potential barriers to information sharing between the private sector and
the government. These included the sensitivity of the information (such as
law enforcement information), legal limits on disclosure (such as Privacy
Act limitations on disclosure of personally identifiable information), and
contractual and business limits on how and when information is disclosed
(e.g., the Financial Services ISAC does not allow any governmental or law
enforcement access to its database). The Council also emphasized that
perhaps the greatest barriers to information sharing stem from practical
and business considerations in that, although important, the benefits of
sharing information are often difficult to discern, while the risks and
costs of sharing are direct and foreseeable.
o The roles of the various government and private-sector entities
involved in protecting critical infrastructures must continue to be
identified and defined. In particular, officials for several ISACs wanted
a better definition of DHS's role with respect to them. The ISAC Council
also identified the need for DHS to establish the goals of its
directorates and the relationships of these directorates with the private
sector. The Council also wants clarification of the roles of other federal
agencies, state agencies, and other entities, such as the National
Infrastructure Advisory Council.
o Government funding is needed. Ten of the ISACs we contacted emphasized
the importance of government funding for purposes including creating the
ISAC, supporting operations, increasing membership, developing metrics,
and providing for additional capabilities.
o Private-sector analytical efforts should not be overlooked and must be
integrated into the federal processes for a more complete understanding.
The private sector understands its processes, assets, and operations best
and can be relied upon to provide the required private-sector subject
matter expertise.
Further DHS Actions Could Enhance Information Sharing
DHS has taken a number of actions to implement the public/private
partnership called for by federal CIP policy. However, DHS has not yet
developed a plan for how it will carry out its information sharing
responsibilities, including efforts to address the challenges identified
by the ISACs and the ISAC Council. In addition, DHS has not developed
internal policies and procedures to help ensure effective information
sharing by the many entities within the department that collect and
analyze information that may impact the security of our nation's critical
infrastructure. It is essential for DHS to develop this plan, along with
internal policies and procedures, to establish effective
information-sharing relationships both within DHS and with other federal
agencies and infrastructure sectors.
DHS Has Not Developed an Overall Information Sharing Plan
Although DHS has taken a number of actions to develop relationships with
the private sector and enhance information sharing capabilities, it has
not developed a plan that describes how it will carry out its
information-sharing responsibilities and/or how it will address the many
identified challenges that exist in building a public/private
information-sharing partnership. Development of a plan could improve
information sharing by clarifying roles and responsibilities and clearly
articulating actions to address the challenges that remain, including
consideration of appropriate incentives for nonfederal entities to
increase information sharing with the federal government, increase sector
participation, and/or perform other specific tasks to protect the critical
infrastructure.
In addition, soliciting input and feedback from the ISACs, sector
coordinators, and sector-specific agencies in developing the plan could
help DHS to ensure that the challenges identified by the ISACs and the
ISAC Council are appropriately considered.
According to DHS officials, the department intends to develop a plan
(referred to as a "roadmap") that documents the current
information-sharing relationships among DHS, the sectors and their ISACs,
and other agencies; goals for improving that information-sharing
relationship; and methods for measuring the progress in the improvement.
According to one official, the plan will define the roles and
responsibilities of DHS, the ISACs, and other entities, including a
potential overlap of ISAC-related responsibilities between IAIP and the
Transportation Security Administration (TSA). Further, the official
indicated that, in developing such a plan, DHS would consider issues
raised by the ISACs and the ISAC Council. This official indicated that a
specific time frame for completing the plan had not yet been established
but that DHS intends to develop a time frame this summer.
DHS Lacks Policies and Procedures to Guide Its Information-Sharing Efforts
DHS has established functions within the department to support the ISACs
and other CIP efforts. IAIP, as the DHS component directly responsible for
CIP activities, carries out many of these functions. The Infrastructure
Coordination Division within IAIP plays a key role in coordinating with
the ISACs concerning information sharing. Nonetheless, ISACs may interact
with multiple components of the department. For example, the ISACs may
discuss cyber issues with the National Cyber Security Division and/or with
the Homeland Security Operations Center when reporting incidents.
Page 11 GAO-04-780 Critical Infrastructure ISACs
Further, according to DHS officials, TSA, within the department's Border
and Transportation Security Directorate, is working with organizations in
the private sector to establish information-sharing relationships. For
example, Surface Transportation ISAC analysts stated that they have a good
working relationship with TSA, and TSA's Operations Center has office
space designated for them.
In addition, the Infrastructure Coordination Division is in the process of
staffing analysts who are responsible for working with each critical
infrastructure sector. The analysts would serve as the primary points of
contact within DHS for the sectors and would address information sharing,
coordination, infrastructure protection, and other issues raised by the
sectors.
According to a DHS official, the department does not intend to establish a
single point of contact for ISACs within the department. Rather, the
department plans to develop policies and procedures to ensure effective
coordination and sharing of ISAC-provided information among the
appropriate DHS components. At the time of our review, DHS had not
developed those policies and procedures and had no specific time frame for
their completion. Because of the many DHS components potentially
interacting with critical infrastructure sectors, establishment of
policies and procedures could help DHS ensure that information is
effectively and efficiently shared within the IAIP Directorate and among
DHS components, as well as with other federal agencies and infrastructure
sectors, by clarifying roles, responsibilities, and processes.
Conclusions
Although DHS has taken a number of actions to establish and
improve information sharing relationships among entities within the
infrastructure sectors and between the infrastructure sectors and the
federal government, a number of challenges remain that are barriers to
developing effective public-private partnerships. The ISACs and other
stakeholders, including sector-specific agencies and sector coordinators,
could benefit from an overall DHS strategy, as well as specific guidance,
that clearly describes their roles, responsibilities, relationships, and
expectations. In developing such a strategy, it will also be important to
consider input from all stakeholders to help ensure that a comprehensive
and trusted information-sharing process is established. DHS has also not
yet developed the internal policies and procedures needed to ensure that
appropriate information sharing occurs within the department, which could
affect its
overall ability to perform analysis and disseminate critical information
about incidents, vulnerabilities, or threats.
Recommendations for Executive Action
To help improve the effectiveness of DHS's information-sharing efforts
with the ISACs and others, we recommend that the Secretary of Homeland
Security direct officials within the IAIP Directorate to take the
following two actions:
o Proceed with and establish milestones for the development of an
information-sharing plan that includes (1) a clear description of the
roles and responsibilities of DHS, the ISACs, the sector coordinators, and
the sector-specific agencies and (2) actions designed to address
information-sharing challenges. Efforts to develop this plan should
include soliciting feedback from the ISACs, sector coordinators, and
sector-specific agencies to help ensure that challenges identified by the
ISACs and the ISAC Council are appropriately considered in the final plan.
o Considering the roles, responsibilities, and actions established in the
information-sharing plan, develop appropriate DHS policies and procedures
for interacting with ISACs, sector coordinators, and sector-specific
agencies and for coordination and information sharing within the IAIP
Directorate (such as the National Cyber Security Division and
Infrastructure Coordination Division) and other DHS components that may
interact with the ISACs, including TSA.
Agency Comments
We received written comments on a draft of this report
from DHS, HHS, and the Department of the Treasury (see apps. II, III, and
IV, respectively). In DHS's response, a representative from DHS's Office
of the Chief Financial Officer stated that the report generally provides
an accurate analysis of the current sector ISAC landscape. In addition,
the director provided planned actions to address the recommendations
identified in this report. HHS's Acting Principal Deputy Inspector General
stated that the department had no comments. In Treasury's response, the
Under Secretary for Domestic Finance stated that the department agreed
with our findings. These departments also provided technical comments,
which were incorporated into the report, as appropriate.
In addition, the Environmental Protection Agency provided separate
technical comments, which were incorporated into this report, as
appropriate. The Departments of Agriculture and Energy reviewed a draft of
this report and responded by stating that they had no comments.
As agreed with your offices, unless you publicly announce the contents of
this report earlier, we plan no further distribution until 30 days from
the report date. At that time, we will send copies of this report to other
interested congressional committees, the Secretary of Homeland Security,
and the heads of the agencies discussed in this report. We also will make
copies available to others upon request. In addition, the report will be
available at no charge on the GAO Web site at http://www.gao.gov.
If you should have any questions about this report, please contact me at
(202) 512-3317 or Ben Ritt, Assistant Director, at (202) 512-6443. We can
also be reached by e-mail at [email protected] and [email protected],
respectively. Key contributors to this report are listed in appendix V.
Robert F. Dacey
Director, Information Security Issues
Appendix I
GAO's April 21, 2004, Testimony
Highlights of GAO-04-699T, testimony before the Subcommittees on
Cybersecurity, Science, and Research & Development and on Infrastructure
and Border Security, Select Committee on Homeland Security, House of
Representatives
Critical infrastructure protection (CIP) activities that are called for in
federal policy and law are intended to enhance the security of the cyber
and physical public and private infrastructures that are essential to our
nation's security, economic security, and public health and safety. As our
reliance on these infrastructures increases, so do the potential threats
and attacks that could disrupt critical systems and operations. Effective
information-sharing partnerships between industry sectors and government
can contribute to CIP efforts.
Federal policy has encouraged the voluntary creation of Information
Sharing and Analysis Centers (ISACs) to facilitate the private sector's
participation in CIP by serving as mechanisms for gathering and analyzing
information and sharing it among the infrastructure sectors and between
the private sector and government. This testimony discusses the management
and operational structures used by ISACs, federal efforts to interact with
and support the ISACs, and challenges to and successful practices for
ISACs' establishment, operation, and partnerships with the federal
government.
www.gao.gov/cgi-bin/getrpt?GAO-04-699T.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Robert F. Dacey at
202-512-3317 or [email protected].
CRITICAL INFRASTRUCTURE PROTECTION
Establishing Effective Information Sharing with Infrastructure Sectors
Federal awareness of the importance of securing the nation's critical
infrastructures, and the federal government's strategy to encourage
cooperative efforts among state and local governments and the private
sector to protect these infrastructures, have been evolving since the
mid-1990s. Federal policy continues to emphasize the importance of the
ISACs and their information-sharing functions. In addition, federal policy
established specific responsibilities for the Department of Homeland
Security (DHS) and other federal agencies involved with the private sector
in CIP. The ISACs themselves, although they have similar missions, were
developed to serve the unique needs of the sectors they represent, and
they operate under different business models and funding mechanisms.
According to ISAC representatives and a council that represents many of
them, a number of challenges to their successful establishment, operation,
and partnership with DHS and other federal agencies remain. These
challenges include increasing the percentage of entities within each
sector that are members of its ISAC; building trusted relationships and
processes to facilitate information sharing; overcoming barriers to
information sharing; clarifying the roles and responsibilities of the
various government and private sector entities that are involved in
protecting critical infrastructures; and funding ISAC operations and
activities. According to a DHS official, these issues are being
considered, and the department is developing a plan that will document the
current information-sharing relationships among DHS, the ISACs, and other
agencies; goals for improving those information-sharing relationships; and
methods for measuring progress toward these goals.
Information Sharing and Analysis Centers by Sector
Sector                                       ISAC                          Established
Banking and Finance                          Financial Services            October 1999
Chemicals & Hazardous Materials              Chemical                      April 2002
Emergency Services                           Emergency Fire                October 2000
Energy                                       Electric                      October 2000
Energy                                       Energy                        November 2001
Food                                         Food                          February 2002
Government                                   Multi-State                   January 2003
Information Technology & Telecommunications  IT                            December 2000
                                             Telecom                       January 2000
                                             Research & Education Network  February 2003
Transportation                               Public Transit                January 2003
                                             Surface Transportation        May 2002
                                             Highway                       March 2003
Drinking Water & Water Treatment Systems     Water                         December 2002
Other                                        Real Estate                   April 2003
Source: GAO
Table 1: Critical Infrastructure Sectors Identified by the National
Strategy for Homeland Security and HSPD-7
Columns: Sector; Description; Sector-specific agency
Agriculture
  Description: Provides for the fundamental need for food. The
    infrastructure includes supply chains for feed and crop production.
  Sector-specific agency: Department of Agriculture
Banking and Finance
  Description: Provides the financial infrastructure of the nation. This
    sector consists of commercial banks, insurance companies, mutual
    funds, government-sponsored enterprises, pension funds, and other
    financial institutions that carry out transactions including clearing
    and settlement.
  Sector-specific agency: Department of the Treasury
Chemicals and hazardous materials
  Description: Transforms natural raw materials into commonly used
    products benefiting society's health, safety, and productivity. The
    chemical industry represents a $450 billion enterprise and produces
    more than 70,000 products that are essential to automobiles,
    pharmaceuticals, food supply, electronics, water treatment, health,
    construction, and other necessities.
  Sector-specific agency: Department of Homeland Security
Defense industrial base
  Description: Supplies the military with the means to protect the nation
    by producing weapons, aircraft, and ships and providing essential
    services, including information technology and supply and maintenance.
  Sector-specific agency: Department of Defense
Emergency services
  Description: Saves lives and property from accidents and disaster. This
    sector includes fire, rescue, emergency medical services, and law
    enforcement organizations.
  Sector-specific agency: Department of Homeland Security
Energy
  Description: Provides the electric power used by all sectors, including
    critical infrastructures, and the refining, storage, and distribution
    of oil and gas. The sector is divided into electricity and oil and
    natural gas.
  Sector-specific agency: Department of Energy
Food
  Description: Carries out the post-harvesting of the food supply,
    including processing and retail sales.
  Sector-specific agency: Department of Agriculture and Department of
    Health and Human Services
Government
  Description: Ensures national security and freedom and administers key
    public functions.
  Sector-specific agency: Department of Homeland Security
Information technology and telecommunications
  Description: Provides communications and processes to meet the needs of
    businesses and government.
  Sector-specific agency: Department of Homeland Security
Postal and shipping
  Description: Delivers private and commercial letters, packages, and bulk
    assets. The U.S. Postal Service and other carriers provide the
    services of this sector.
  Sector-specific agency: Department of Homeland Security
Public Health and Healthcare
  Description: Mitigates the risk of disasters and attacks and also
    provides recovery assistance if an attack occurs. The sector consists
    of health departments, clinics, and hospitals.
  Sector-specific agency: Department of Health and Human Services
Transportation
  Description: Enables movement of people and assets that are vital to our
    economy, mobility, and security with the use of aviation, ships, rail,
    pipelines, highways, trucks, buses, and mass transit.
  Sector-specific agency: Department of Homeland Security
Drinking water and water treatment systems
  Description: Sanitizes the water supply with the use of about 170,000
    public water systems. These systems depend on reservoirs, dams, wells,
    treatment facilities, pumping stations, and transmission lines.
  Sector-specific agency: Environmental Protection Agency
Source: GAO analysis based on the President's National Strategy documents
and HSPD-7.
In January, the President issued HSPD-9, which established a national
policy to defend the agriculture and food system against terrorist
attacks, major disasters, and other emergencies. HSPD-9 defines
responsibilities for DHS, lead federal agencies, or sector-specific
agencies, responsible for
Page 26 GAO-04-780 Critical Infrastructure ISACs
DHS officials, the Emergency Law Enforcement ISAC that was formally
operated by the NIPC and transferred to IAIP is not currently staffed and
will be considered in current efforts to organize the Emergency Services
sector.
Table 2: Summary of ISAC Characteristics
Columns: Critical infrastructures and their ISAC(s); Coverage; Funding
model; Hazards covered; Analysis capability; Sharing mechanisms
Agriculture
  None at this time.
Banking & Finance
  Financial Services (est. Oct. 1999)
    Coverage: 200 members, including commercial banks, securities firms,
      and insurance companies. Represents 90% of the financial sector's
      assets.
    Funding model: Funded by and operated with tiered membership fees.
      Contractor operated.
    Hazards covered: Cyber; Physical
    Analysis capability: Operates 24 hours a day, 7 days a week. Watch
      desk analyzes and categorizes threats, incidents, and warnings based
      on the sector's needs.
    Sharing mechanisms: Text-based alerts, through a notification system,
      backed up by telephone. Biweekly threat intelligence conference call
      with DHS and SAIC.
Chemicals & Hazardous Materials
  Chemical (est. April 2002)
    Coverage: 538 individual members representing the chemical industries.
      285 businesses. Represents 90% of chemical sector.
    Funding model: Funded and operated by ACC's Chemical Transportation
      Emergency Center.
    Hazards covered: Cyber; Physical
    Analysis capability: Operates 24x7. Currently working to develop an
      analysis center.
    Sharing mechanisms: E-mails alerts and warnings. Chemistry ISAC Web
      site. Biweekly conference calls with DHS. Secure communications
      network with DHS.
Defense Industrial Base
  None at this time.
Emergency Services
  Emergency Management & Response (est. Oct. 2000)
    Coverage: 10 FEMA Regions. 6 major stakeholders of EMR sector.
      Represents 100% of the essential components of the EMR Sector.
    Funding model: Funded by FEMA's Office of Cyber Security with
      supplementation from USFA. Contractor operated.
    Hazards covered: Cyber; Physical
    Analysis capability: Developing 24x7 operations. Analyzes and
      disseminates actionable intelligence on threats, attacks,
      vulnerabilities, anomalies, and security best practices.
    Sharing mechanisms: Electronic messaging. Telephone and when
      necessary, a secure telephone unit.
Energy
  Electric (est. Oct. 2000)
    Coverage: More than 90% of NERC members are members of the ISAC
      including large and small electric utilities, regional electric
      utility companies, and power marketers.
    Funding model: Funded and managed/operated by NERC.
    Hazards covered: Cyber; Physical
    Analysis capability: Operates 24x7. The ES-ISAC and NERC have created
      the Indications, Analysis, and Warnings Program (IAW) that provides
      a set of guidelines for reporting operational and cyber incidents
      that adversely affect the electric power infrastructure.
    Sharing mechanisms: Secure telephone, fax, and Web server. E-mail.
      Satellite telephones. Information such as incident reports and
      warnings, vulnerability assessments, and related documents are
      posted on the public Web site.
  Energy (est. Nov. 2001)
    Coverage: 80 plus members from the oil and gas sector. Represents 85%
      of the oil and gas sector.
    Funding model: Funded by grants from DOE. Contractor operated.
    Hazards covered: Cyber; Physical
    Analysis capability: Operates 24x7. Analyzes threats, vulnerabilities,
      and incident information. Provides security information and
      solutions.
    Sharing mechanisms: Conference calls. Fax, Email, pager. Detailed
      information on warnings provided on a membership only, secure Web
      site.
Food
  Food (est. Feb. 2002)
    Coverage: Over 40 food-industry trade associations and their members.
    Funding model: No current funding. Operated by volunteer labor from
      each member association.
    Hazards covered: Physical
    Analysis capability: Operates 24x7. No analysis capability, due to
      members' privacy concerns. Depends on DHS for analysis.
    Sharing mechanisms: E-mail. Watch Commander List. Currently working to
      develop a secure e-mail system.
Government
  State Gov. (est. Jan. 2003)
    Coverage: 49 states (excluding Kansas) and the District of Columbia.
    Funding model: Funded and operated by New York State. States provide
      time and resources as appropriate.
    Hazards covered: Cyber; Physical & Natural (as it relates to cyber)
    Analysis capability: Operates 24x7. Issues bulletins, advisories, and
      alerts.
    Sharing mechanisms: Monthly conference calls. E-mail. Telephone.
Information Technology & Telecommunications
  IT (est. Dec. 2000)
    Coverage: 90% of all desktop operating systems. 85% of all databases.
      50% of all desktop computers. 85% of all routers. 65% of software
      security.
    Funding model: Funded and operated by foundational member
      contributions, will soon implement membership fees (tiered).
      Contractor operated.
    Hazards covered: Cyber; Physical
    Analysis capability: Operates 24x7. Analyzes cyber alerts and
      advisories and reports physical issues.
    Sharing mechanisms: CWIN. Encrypted e-mail. SSL-protected Web sites.
      Cellular phones. VoIP telephony. GETS [7] system for priority calls.
  Telecom (est. Jan. 2000)
    Coverage: 95% of wireline providers. Over 60% of wireline vendors. 95%
      of wireless providers. 90% of wireless vendors. 42% of Internet
      Service subscribers. 90% of Internet Service networks. 6 of the top
      system integrators in the U.S. Federal IT market. 15% of Domain Name
      Service root and global Top Level Domain operators.
    Funding model: Funded by NCS. Operated by NCC. Agencies bear the costs
      of their own personnel.
    Hazards covered: Cyber; Physical; Natural
    Analysis capability: Operates 24x7. Analyzes data to avoid crises that
      could affect the entire telecom infrastructure.
    Sharing mechanisms: E-mail. Telephone. Fax. Meetings. CWIN.
  Research & Education Networking (est. Feb. 2003)
    Coverage: 200 Universities. All U.S. universities and colleges that
      are connected to national R&E networks have basic membership.
    Funding model: Funded and operated by Indiana University.
    Hazards covered: Cyber
    Analysis capability: Operates 24x7. Receives and disseminates
      information regarding network security vulnerabilities and threats
      in the higher education community.
    Sharing mechanisms: Public information restricted to aggregate views
      of the network. Information identifying institutions or individuals
      not reported publicly. Detailed and sensitive information shared
      only with affected institutions.
Postal & Shipping
  None at this time.
Public Health & Healthcare
  HealthCare: None at this time.
Transportation
  Public Transit (est. Jan. 2003)
    Coverage: Approximately 100 of the major national transit
      organizations.
    Funding model: Federally funded. Contractor operated.
    Hazards covered: Cyber; Physical
    Analysis capability: Operations 24x7. Collects, analyzes, and
      disseminates security information.
    Sharing mechanisms: E-mail tree. Secure e-mail. Public Transit Web
      site. Links to HSOC, and DOT and TSA's Operation Centers.
  Surface Transportation (est. May 2002)
    Coverage: Includes the major North American freight railroads and
      Amtrak. Represents 95% of the U.S. freight railroad industry and
      Amtrak.
    Funding model: Funded by membership fees and a grant from the Federal
      Transit Administration (FTA). Contractor operated.
    Hazards covered: Cyber; Physical; Natural
    Analysis capability: Operates 24x7. Conducts mid- to long-term
      technical analysis on all threats.
    Sharing mechanisms: Surface Transportation Web site. Secure telephone.
  Highway (est. March 2003)
    Coverage: Over 90% of the largest for-hire motor carriers. Represents
      60% economic activity with over 50% of long haul.
    Funding model: Funded and operated by the American Trucking
      Association (ATA).
    Hazards covered: Cyber; Physical
    Analysis capability: Developing 24x7 operations. Channels warnings,
      threat information, and advisories to the industry and to drivers
      through its call center.
    Sharing mechanisms: Highway ISAC Web site. Highway watch center. Blast
      fax. E-mail. Print media communications. Amber alerts.
Drinking Water & Water Treatment Systems
  Water (est. Dec. 2002)
    Coverage: 275-300 small and large water utilities. Represents 45% of
      water utilities with secure portals. Represents 85% of the water
      utilities that receive e-mail alerts.
    Funding model: Funded by tiered membership fees and a grant from EPA.
      Contractor operated. Receives contributions from AMWA.
    Hazards covered: Cyber; Physical
    Analysis capability: Operates 24x7. Analyzes threat and incident
      information for its potential impact on the sector.
    Sharing mechanisms: Encrypted e-mail. Secure portal. Secure electronic
      bulletin boards and chat rooms.
Other Sectors That Have Established ISACs
  Real Estate (est. April 2003)
    Coverage: 10 trade associations representing hotels, realtors,
      shopping centers, and others.
    Funding model: Funded by trade associations. Contractor operated.
    Hazards covered: Physical
    Analysis capability: Operates 24x7. Depends on DHS for threat
      analysis.
    Sharing mechanisms: 2-way communications network and Web site.
      Conference calls with top executives from various sectors as needed.
[7] Government Emergency Telecommunications Service (GETS)
Sector Coordinator Roles Differ
As discussed earlier, federal CIP policy establishes the position of
sector coordinator for identified critical infrastructure sectors to
initiate and build cooperative relationships across an entire
infrastructure sector. In most cases, sector coordinators have played an
important role in the development of their respective infrastructure
sectors' ISACs. In many cases the sector coordinator also manages or
operates the ISAC.
o The North American Electric Reliability Council, as sector coordinator
for the electricity segment of the energy sector, operates the Electricity
Sector ISAC.
GAO's Mission
The General Accounting Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost
is through the Internet. GAO's Web site (www.gao.gov) contains abstracts
and full-text files of current reports and testimony and an expanding
archive of older products. The Web site features a search engine to help
you locate documents using key words and phrases. You can print these
documents in their entirety, including charts and other graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document files.
To have GAO e-mail this list to you every afternoon, go to www.gao.gov and
select "Subscribe to e-mail alerts" under the "Order GAO Products"
heading.
Order by Mail or Phone
The first copy of each printed report is free.
Additional copies are $2 each. A check or money order should be made out
to the Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are discounted 25
percent. Orders should be sent to:
U.S. General Accounting Office
441 G Street NW, Room LM
Washington, D.C. 20548
To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470
Public Affairs
Jeff Nelligan, Managing Director, [email protected] (202) 512-4800
U.S. General Accounting Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
Appendix II
Comments from the Department of Homeland Security
Appendix III
Comments from the Department of Health and Human Services
Appendix IV
Comments from the Department of the Treasury
Appendix V
GAO Contact and Staff Acknowledgments
GAO Contact
Ben Ritt (202) 512-6443
Staff Acknowledgments
In addition to the individual named above, William Cook, Joanne
Fiorino, Laurence Gill, Michael Gilmore, Barbarol James, Lori Martinez,
and Kevin Secrest made key contributions to this report.
(310519)
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its
Web site. To have GAO e-mail you a list of newly posted products
every afternoon, go to
www.gao.gov and select "Subscribe to Updates."
Congressional Relations
Gloria Jarmon, Managing Director, [email protected] (202) 512-4400
U.S. General Accounting Office, 441 G Street NW, Room 7125
Washington, D.C. 20548
*** End of document. ***