Internet Infrastructure: DHS Faces Challenges in Developing a	 
Joint Public/Private Recovery Plan (16-JUN-06, GAO-06-672).	 
                                                                 
Since the early 1990s, growth in the use of the Internet has	 
revolutionized the way that our nation communicates and conducts 
business. While the Internet was originally developed by the	 
Department of Defense, the vast majority of its infrastructure is
currently owned and operated by the private sector. Federal	 
policy recognizes the need to prepare for debilitating Internet  
disruptions and tasks the Department of Homeland Security (DHS)  
with developing an integrated public/private plan for Internet	 
recovery. GAO was asked to (1) identify examples of major	 
disruptions to the Internet, (2) identify the primary laws and	 
regulations governing recovery of the Internet in the event of a 
major disruption, (3) evaluate DHS plans for facilitating	 
recovery from Internet disruptions, and (4) assess challenges to 
such efforts.							 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-672 					        
    ACCNO:   A55603						        
  TITLE:     Internet Infrastructure: DHS Faces Challenges in	      
Developing a Joint Public/Private Recovery Plan 		 
     DATE:   06/16/2006 
  SUBJECT:   Continuity of operations plan			 
	     Critical infrastructure				 
	     Critical infrastructure protection 		 
	     Disaster planning					 
	     Disaster recovery					 
	     Disaster recovery plans				 
	     Emergency preparedness				 
	     Federal law					 
	     Federal legislation				 
	     Internet						 
	     IT contingency plans				 
	     IT legislation					 
	     E-government					 
	     Public/private partnerships			 
	     National Communications System			 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-672

     

     * Report to Congressional Requesters
          * June 2006
     * INTERNET INFRASTRUCTURE
          * DHS Faces Challenges in Developing a Joint Public/Private
            Recovery Plan
     * Contents
          * Results in Brief
          * Background
               * The Internet: An Overview
               * The Internet Is a Critical Information Infrastructure
               * Attacks on the Information Infrastructure Are Increasing
               * Multiple Organizations Could Help in Recovering the Internet
                 from a Major Disruption
                    * Private Industry
                    * Collaborative Groups
               * Government Organizations-DHS
                    * National Cyber Security Division
                    * National Communications System
                    * Government Organizations-Federal Communications
                      Commission
               * Prior Evaluations of DHS's Cybersecurity Responsibilities
                 Have Highlighted Issues and Challenges Facing the Department
          * Although Both Cyber and Physical Incidents Have Caused
            Disruptions, the Internet Has Not Yet Suffered a Catastrophic
            Failure
               * Internet Disruptions Have Been Caused by Both Cyber and
                 Physical Incidents
               * The Internet Has Not Yet Experienced a Catastrophic
                 Disruption
          * Existing Laws and Regulations Apply to the Internet, but Numerous
            Uncertainties Exist in Using Them for Internet Recovery
          * DHS Initiatives Supporting Internet Recovery Planning Are under
            Way, but Much Remains to Be Done and the Relationships among
            Initiatives Are Not Evident
               * DHS Has Developed High-level Protection and Response Plans,
                 but Key Components Are Not Complete
               * Other DHS Initiatives Related to Internet Recovery Planning
                 Are under Way, but They Are Incomplete and the Relationships
                 among the Initiatives Are Not Evident
                    * DHS Plans to Revise the Role and Mission of the
                      National Communications System, but This Effort Is Not
                      Yet Complete
                    * National Cyber Response Coordination Group Is Defining
                      Its Roles and Responsibilities, but Much Remains to Be
                      Done
                    * The Internet Disruption Working Group Was Established
                      to Work with the Private Sector to Establish Plans to
                      Respond to Major Internet Disruptions, but It Lacks
                      Time Lines and Priorities for Its Initiatives
                    * The North American Incident Response Group Is an
                      Additional Mechanism for Outreach to the Private
                      Sector, but Its Efforts Are Early
                    * DHS Has Conducted Initial Exercises That Address Cyber
                      Disruption, but Efforts to Incorporate Lessons Learned
                      into DHS Operations Are Lacking
               * The Relationships and Interdependencies among Various DHS
                 Initiatives Are Not Evident
          * Multiple Challenges Exist to Planning for Recovery from Internet
            Disruptions
               * Key Internet Characteristics Make Recovery More Difficult
                    * Control of the Internet Is Diffuse
                    * Vulnerabilities in Internet-Related Protocols Make
                      Responding to Disruptions Difficult
                    * Lack of Standards for Measuring Internet Performance
                      Hinders the Ability to Recognize Disruptions and
                      Recover Accordingly
               * There Is No Consensus on DHS's Role in Responding to
                 Internet Disruption or the Appropriate Trigger for Its
                 Involvement
                    * DHS's Role Lacks Consensus
                    * The Trigger for Government Involvement Is Unclear
               * Legal Issues Affect DHS's Ability to Provide Assistance
                 during Recovery Efforts
               * Many in the Private Sector Are Reluctant to Share Internet
                 Information with the Government
               * DHS's Leadership and Organizational Issues Impact Its
                 Ability to Address Internet Disruption
                    * DHS Has Lacked Permanent Leadership in Key Roles
                    * DHS Organizations Have Overlapping Responsibilities
          * Conclusions
          * Matters for Congressional Consideration
          * Recommendations for Executive Action
          * Agency Comments
     * Objectives, Scope, and Methodology
     * Legislation and Regulations Govern Critical Infrastructure Protection,
       Disaster Response, and the Telecommunications Infrastructure
          * Multiple Laws and Regulations Govern Protection of Critical
            Infrastructure
               * The Homeland Security Act of 2002
               * Homeland Security Presidential Directive 7
          * Multiple Laws Govern Federal Response to Disasters and Incidents
            of National Significance
               * Defense Production Act
               * The Stafford Act
          * Specific Laws and Regulations Govern the Telecommunications
            Infrastructure That Supports the Internet
               * Communications Act of 1934, as Amended
               * NCS Authorities
     * Two Task Forces Have Assessed NCS Roles and Mission
          * Next Generation Network Task Force
          * National Coordinating Center Task Force
     * DHS Has Conducted Disaster Response Exercises That Include Cyber
       Incidents
          * DHS Has Conducted Regional Exercises Involving Cyber Attacks
          * Cyber Storm Was DHS's First National Exercise Focused on Cyber
            Attacks
     * Comments from the Department of Homeland Security
     * GAO Contacts and Staff Acknowledgments

Report to Congressional Requesters

June 2006

INTERNET INFRASTRUCTURE

DHS Faces Challenges in Developing a Joint Public/Private Recovery Plan

Contents

Tables

Figures

June 16, 2006 Letter

Congressional Requesters:

Since the early 1990s, increasing computer interconnectivity-most notably
growth in the use of the Internet-has revolutionized the way that our
government, our nation, and much of the world communicate and conduct
business. Our country has come to rely on the Internet as a critical
infrastructure supporting commerce, education, and communication. While
the benefits of this technology have been enormous, this widespread
interconnectivity poses significant risks to the government's and our
nation's computer systems and, more importantly, to the critical
operations and infrastructures they support.

Federal regulation establishes the Department of Homeland Security (DHS)
as the focal point for the security of cyberspace-including analysis,
warning, information sharing, vulnerability reduction, mitigation, and
recovery efforts for public and private critical infrastructure systems.1
To accomplish this mission, DHS is to work with federal agencies, state
and local governments, and the private sector. Federal policy also
recognizes the need to be prepared for the possibility of debilitating
disruptions in cyberspace and, because the vast majority of the Internet
infrastructure is owned and operated by the private sector, tasks DHS with
developing an integrated public/private plan for Internet recovery.2 Last
year, we reported on DHS efforts to fulfill its cybersecurity
responsibilities and noted that the department had not developed key
cybersecurity recovery plans-including a plan for recovering key Internet
functions.3

Because of your interest in DHS's efforts to develop a joint plan for
recovering the Internet in case of a major disruption, you asked that we
(1) identify examples of major disruptions to the Internet, (2) identify
the primary laws and regulations governing recovery of the Internet in the
event of a major disruption, (3) evaluate DHS's plans for facilitating
recovery from Internet disruptions, and (4) assess challenges to such
efforts.

To accomplish these objectives, we assessed documentation of disruptions
to the Internet and compiled case studies of incidents that have affected
the Internet. We also reviewed relevant laws and regulations related to
critical infrastructure protection, disaster response, and the
telecommunications infrastructure. We assessed DHS progress and plans for
handling Internet disruptions. In order to identify challenges to
effective Internet recovery planning, we also interviewed officials from
DHS, other federal agencies, and representatives of the private sector who
have a role in operating the Internet infrastructure. Appendix I provides
additional details on our objectives, scope, and methodology. We performed
our work from August 2005 to May 2006 in accordance with generally
accepted government auditing standards.

Results in Brief

A major disruption to the Internet could be caused by a cyber incident
(such as a software malfunction or a malicious virus), a physical incident
(such as a natural disaster or an attack that affects facilities and other
assets), or a combination of both cyber and physical incidents. Recent
cyber and physical incidents have caused localized or regional
disruptions, highlighting the importance of recovery planning. For
example, a 2002 root server attack highlighted the need to plan for
increased server capacity at Internet exchange points in order to manage
the high volumes of data traffic during an attack. However, recent
incidents also have shown the Internet as a whole to be flexible and
resilient. Even in past severe circumstances, the Internet did not suffer
a catastrophic failure.

Several federal laws and regulations provide broad guidance that applies
to the Internet, but it is not clear how useful these authorities would be
in helping to recover from a major Internet disruption. Specifically, the
Homeland Security Act of 2002 and Homeland Security Presidential Directive
7 provide guidance on protecting our nation's critical infrastructures.
However, they do not specifically address roles and responsibilities in
the event of an Internet disruption. In addition, the Defense Production
Act and the Stafford Act provide authority to federal agencies to plan for
and respond to incidents of national significance, such as disasters and
terrorist attacks. However, the Defense Production Act has never been used
for Internet recovery and the Stafford Act does not authorize the
provision of resources to for-profit companies-such as those that own and
operate core Internet components. The Communications Act of 1934 and the
National Communications System authorities govern the telecommunications
infrastructure and help ensure communications during national emergencies,
but they have never been used for Internet recovery. Thus, it is not clear
how effective they would be in assisting Internet recovery.

DHS has begun a variety of initiatives to fulfill its responsibility for
developing an integrated public/private plan for Internet recovery, but
these efforts are not yet complete or comprehensive. Specifically, DHS has
developed high-level plans for infrastructure protection and incident
response, but the components of these plans that address the Internet
infrastructure are not complete. In addition, DHS has started a variety of
initiatives to improve the nation's ability to recover from Internet
disruptions, including working groups to facilitate coordination and
exercises in which government and private industry practice responding to
cyber events. However, progress to date on these initiatives has been
limited and other initiatives lack time frames for completion. Also, the
relationships among these initiatives are not evident. As a result, risk
remains that the government is not yet adequately prepared to effectively
coordinate public/private plans for recovering from a major Internet
disruption.

Key challenges to establishing a plan for recovering from an Internet
disruption include (1) innate characteristics of the Internet (such as the
diffuse control of the many networks that make up the Internet and the
private-sector ownership of core components) that make planning for and
responding to disruptions difficult, (2) lack of consensus on DHS's role
and when the department should get involved in responding to a disruption,
(3) legal issues affecting DHS's ability to provide assistance to entities
working to restore Internet service, (4) reluctance of many in the private
sector to share information on Internet disruptions with DHS, and (5)
leadership and organizational uncertainties within DHS. Until these
challenges are addressed, DHS will have difficulty achieving results in
its role as a focal point for helping to recover the Internet from a major
disruption.

Given the importance of the Internet infrastructure to our nation's
communications and commerce, we are suggesting that Congress consider
clarifying the legal framework guiding Internet recovery. We are also
making recommendations to the Secretary of the Department of Homeland
Security to strengthen the department's ability to effectively serve as a
focal point for helping to recover from Internet disruptions by
establishing clear milestones for completing key plans, coordinating
various Internet recovery-related activities, and addressing key
challenges to Internet recovery planning.

DHS provided written comments on a draft of this report in which it agreed
with our recommendations and provided information on initial activities it
is taking to implement them (see app. V). DHS officials, as well as others
who were quoted in our report, also provided technical corrections, which
we have incorporated in this report as appropriate.

Background

The Internet: An Overview

The Internet is a vast network of interconnected networks. It is used by
governments, businesses, research institutions, and individuals around the
world to communicate, engage in commerce, do research, educate, and
entertain. While most Americans are familiar with Internet service
providers-such as America Online and EarthLink-that provide consumers with
a pathway, or "on-ramp," to the Internet, many are less familiar with how
the Internet was developed, the underlying structure of the Internet, and
how it works.

In the late 1960s and the 1970s, the Department of Defense's Advanced
Research Projects Agency developed a network to allow multiple
universities to communicate and share computing resources. In the ensuing
decades, this project grew to become a large network of networks and was
joined with an array of scientific and academic computers funded by the
National Science Foundation. This expanded network provided the backbone
infrastructure of today's Internet. In 1995, the federal government began
to turn the backbone of the Internet over to a consortium of commercial
backbone providers. From that point on, the Internet infrastructure was
owned and operated by private companies-including telecommunications
companies, cable companies, and Internet service providers.

Today's Internet connects millions of small, medium, and large networks.
When an Internet user wants to access a Web site or to send an e-mail to
someone who is connected to the Internet through a different Internet
service provider, the data must be transferred between networks. Transit
across the Internet is provided by either national backbone providers,
regional network operators, or a combination of both. National backbone
providers are companies that own and operate high-capacity, long-haul
backbone networks. These providers transmit data traffic over long
distances using high-speed, fiber-optic lines. Because national backbone
operators do not service all locations worldwide, regional network
providers supplement the long-haul traffic by providing regional service.
Data cross between networks at Internet exchange points-which can be
either hub points where multiple networks exchange data or private
interconnection points arranged by transit providers. At these exchange
points, computer systems called routers determine the optimal path for the
data to reach their destination. The data then continue their path through
the national and regional networks and exchange points, as necessary, to
reach the recipient's Internet service provider and the recipient (see
fig. 1).

Figure 1: Example of an E-mail Transiting the Internet

The networks that make up the Internet communicate via standardized rules
called protocols. These rules can be considered voluntary because there is
no formal institutional or governmental mechanism for enforcing them.
However, if any computer deviates from accepted standards, it risks losing
the ability to communicate with other computers that follow the standards.
Thus, the rules are essentially self enforcing. One critical set of rules
is the Transmission Control Protocol/Internet Protocol suite. These
protocols define a detailed process that a sender and receiver agree upon
for exchanging data. They describe the flow of data between the physical
connection to the network and on to the end-user application.
Specifically, these protocols control the addressing of a message by the
sender, its division into packets, its transmission across networks, and
its reassembly and verification by the receiver. This protocol suite has
become the de facto communication standard of the Internet because many
standard services (including mail transfer, news, and Web pages) are
available on systems that support these protocols.4

Another critical set of protocols, collectively known as the Domain Name
System, ensures the uniqueness of each e-mail and Web site address. This
system links names like www.senate.gov with the underlying numerical
addresses that computers use to communicate with each other. It translates
names into addresses and back again in a process invisible to the end
user. This process relies on a system of servers, called domain name
servers, which store data linking names with numbers. Each domain name
server stores a limited set of names and numbers. They are linked by a
series of 13  root servers, which coordinate the data and allow users to
find the server that identifies the sites they want to reach. Domain name
servers are organized into a hierarchy that parallels the organization of
the domain names. For example, when someone wants to reach the Web site at
www.senate.gov , his or her computer will ask one of the root servers for
help.5 The root server will direct the query to a second server that knows
the location of names ending in the .gov top-level domain.6 If the address
includes a subdomain, the second server refers the query to a third
server-in this case, one that knows the addresses for all names ending in
senate.gov. The third server will then respond to the request with a
numerical address, which the original requester uses to establish a direct
connection with the www.senate.gov site. Figure 2 illustrates this
example.

Figure 2: How the Domain Name System Translates a Web Site Name into a
Numerical Address

Another critical set of rules is called the Border Gateway Protocol-a
protocol for routing packets between autonomous systems.7 This protocol is
used by routers located at network nodes to direct traffic across the
Internet. Typically, routers that use this protocol maintain a routing
table that lists all feasible paths to a particular network. They also
determine metrics associated with each path (such as cost, stability, and
speed), so that the best available path can be chosen. This protocol is
important because if a certain path becomes unavailable, the system will
send data over the next best path (see fig. 3).

Figure 3: Example of Dynamic Routing Using Border Gateway Protocol

The Internet Is a Critical Information Infrastructure

From its origins in the 1960s as a research project sponsored by the U.S.
government, the Internet has grown increasingly important to both American
and foreign businesses and consumers, serving as the medium for hundreds
of billions of dollars of commerce each year. According to the U.S. Census
Bureau, retail e-commerce sales in the United States were an estimated $86
billion in 2005. The Internet has also become an extended information and
communications infrastructure, supporting vital services such as power
distribution, health care, law enforcement, and national defense.

Federal regulation recognizes the need to protect critical
infrastructures. In December 2003, the President updated a national
directive for federal departments and agencies to identify and prioritize
critical infrastructure sectors and key resources and to protect them from
terrorist attack. (See

table 1 for a list of critical infrastructure sectors.)8 This directive
recognized that since a large portion of these critical infrastructures is
owned and operated by the private sector, a public/private partnership is
crucial for the successful protection of these critical infrastructures.

Table 1: Critical Infrastructure Sectors

                                        

              Sector                             Description                  
Agriculture                  Provides for the fundamental need for food.   
                                The infrastructure includes supply chains for 
                                feed and crop production.                     
Banking and finance          Provides the financial infrastructure of the  
                                nation. This sector consists of commercial    
                                banks, insurance companies, mutual funds,     
                                government-sponsored enterprises, pension     
                                funds, and other financial institutions that  
                                carry out transactions, including clearing    
                                and settlement.                               
Chemicals and hazardous      Transforms natural raw materials into         
materials                    commonly used products benefiting society's   
                                health, safety, and productivity. The         
                                chemical industry produces more than 70,000   
                                products that are essential to automobiles,   
                                pharmaceuticals, food supply, electronics,    
                                water treatment, health, construction, and    
                                other necessities.                            
Commercial facilities        Includes prominent commercial centers, office 
                                buildings, sports stadiums, theme parks, and  
                                other sites where large numbers of people     
                                congregate to pursue business activities,     
                                conduct personal commercial transactions, or  
                                enjoy recreational pastimes.                  
Dams                         Comprises approximately 80,000 dam            
                                facilities, including larger and nationally   
                                symbolic dams that are major components of    
                                other critical infrastructures that provide   
                                electricity and water.                        
Defense industrial base      Supplies the military with the means to       
                                protect the nation by producing weapons,      
                                aircraft, and ships and providing essential   
                                services, including information technology    
                                and supply and maintenance.                   
Drinking water and water     Sanitizes the water supply through about      
treatment systems            170,000 public water systems. These systems   
                                depend on reservoirs, dams, wells, treatment  
                                facilities, pumping stations, and             
                                transmission lines.                           
Emergency services           Saves lives and property from accidents and   
                                disasters. This sector includes fire, rescue, 
                                emergency medical services, and law           
                                enforcement organizations.                    
Energy                       Provides the electric power used by all       
                                sectors and the refining, storage, and        
                                distribution of oil and gas. This sector is   
                                divided into electricity and oil and natural  
                                gas.                                          
Food                         Carries out the postharvesting of the food    
                                supply, including processing and retail       
                                sales.                                        
Government                   Ensures national security and freedom and     
                                administers key public functions.             
Government facilities        Includes the buildings owned and leased by    
                                the federal government for use by federal     
                                entities.                                     
Information technology       Produces hardware, software, and services     
                                that enable other sectors to function.        
National monuments and icons Includes key assets that are symbolically     
                                equated with traditional American values and  
                                institutions or U.S. political and economic   
                                power.                                        
Nuclear reactors, materials, Includes 104 commercial nuclear reactors;     
and waste                    research and test nuclear reactors; nuclear   
                                materials; and the transportation, storage,   
                                and disposal of nuclear materials and waste.  
Postal and shipping          Delivers private and commercial letters,      
                                packages, and bulk assets. The United States  
                                Postal Service and other carriers provide the 
                                services of this sector.                      
Public health and healthcare Mitigates the risk of disasters and attacks   
                                and also provides recovery assistance if an   
                                attack occurs. This sector consists of health 
                                departments, clinics, and hospitals.          
Telecommunications           Provides wired, wireless, and satellite       
                                communications to meet the needs of           
                                businesses and governments.                   
Transportation               Enables movement of people and assets that    
                                are vital to our economy, mobility, and       
                                security, using aviation, ships, rail,        
                                pipelines, highways, trucks, buses, and mass  
                                transit.                                      

Sources: Homeland Security Presidential Directive 7 and the National
Strategy for Homeland Security.

In its plan for protecting these critical infrastructures, DHS recognizes
that the Internet is a key resource composed of assets within both the
information technology and the telecommunications sectors.9 It notes that
the Internet is used by all sectors to varying degrees, and that it
provides information and communications to meet the needs of businesses,
government, and the other critical infrastructure sectors. Similarly, the
national cyberspace strategy states that cyberspace is the nervous system
supporting our nation's critical infrastructures and recognizes the
Internet as the core of our information infrastructure.10

It is also important to note that there are critical interdependencies
between sectors. For example, the telecommunications and information
technology sectors, like many other sectors, depend heavily on the energy
sector.

Attacks on the Information Infrastructure Are Increasing

In recent years, cyber attacks involving malicious software or hacking
have been increasing in frequency and complexity. These attacks can come
from a variety of actors. Table 2 lists sources of cyber threats that have
been identified by the U.S. intelligence community.

Table 2: Sources of Cyber Threats Identified by the U.S. Intelligence
Community

                                        

           Threat                             Description                     
Bot-network operators   Bot-network operators are hackers; however,        
                           instead of breaking into systems for the challenge 
                           or bragging rights, they take over multiple        
                           systems to enable them to coordinate attacks and   
                           to distribute phishinga schemes or malwareb        
                           attacks.                                           
Criminal groups         Criminal groups attack systems for monetary gain.  
                           Specifically, organized crime groups are using     
                           spam, phishing, and spyware/malware to commit      
                           identity theft and online fraud. International     
                           corporate spies and organized crime organizations  
                           also pose a threat to the United States through    
                           their ability to conduct industrial espionage and  
                           large-scale monetary theft and to hire or develop  
                           hacker talent.                                     
Foreign intelligence    Foreign intelligence services use cyber tools as   
services                part of their information-gathering and espionage  
                           activities. In addition, several nations are       
                           aggressively working to develop information        
                           warfare doctrine, programs, and capabilities. Such 
                           capabilities would enable a single entity to have  
                           a significant and serious impact by disrupting the 
                           supply, communications, and economic               
                           infrastructures that support military              
                           power-impacts that could affect the daily lives of 
                           U.S. citizens across the country.                  
Hackers                 Hackers break into networks for the thrill of the  
                           challenge or for bragging rights within the hacker 
                           community. Although remote cracking once required  
                           a fair amount of skill or computer knowledge,      
                           hackers can now download attack scripts and        
                           protocols from the Internet and launch them        
                           against victim sites. Thus, while attack tools     
                           have become more sophisticated, they also have     
                           become easier to use. According to the Central     
                           Intelligence Agency, the large majority of hackers 
                           do not have the requisite tradecraft to threaten   
                           difficult targets, such as critical U.S. networks. 
                           Nevertheless, the worldwide population of hackers  
                           poses a relatively high threat of causing an       
                           isolated or brief disruption that results in       
                           serious damage.                                    
Insiders                The disgruntled organization insider is a          
                           principal source of computer crime. Insiders may   
                           not need a great deal of knowledge about computer  
                           intrusions because their knowledge of a target     
                           system often allows them to gain unrestricted      
                           access to cause damage to the system or to steal   
                           system data. The insider threat also includes      
                           outsourcing vendors as well as employees who       
                           accidentally introduce malware into systems.       
Spyware/Malware authors Individuals or organizations with malicious intent 
                           carry out attacks against users by producing and   
                           distributing spyware and malware. Several          
                           destructive computer viruses and worms have harmed 
                           files and hard drives, including the Melissa Macro 
                           Virus, the Explore.Zip worm, the CIH (Chernobyl)   
                           Virus, NIMDA, Code Red, Slammer, and Blaster.      
Terrorists              Terrorists seek to destroy, incapacitate, or       
                           exploit critical infrastructures in order to       
                           threaten national security, cause mass casualties, 
                           weaken the U.S. economy, and damage public morale  
                           and confidence. Terrorists may use malicious       
                           software to gather sensitive information.          

Source: GAO analysis of data from the Federal Bureau of Investigation, the
Central Intelligence Agency, and the Software Engineering Institute's
CERT(R) Coordination Center.

aPhishing involves the creation and use of e-mail and Web sites that are
designed to look like the e-mail and Web sites of well-known legitimate
businesses or government agencies, in order to deceive Internet users into
disclosing their personal data for criminal purposes, such as identity
theft and fraud.

bSpyware/Malware is software designed with a malicious intent, such as a
virus.

An intelligence report on global trends11 forecast that terrorists may
develop capabilities to conduct both cyber and physical attacks against
nodes of the world's information infrastructure-including the Internet and
other systems that control critical industrial processes-such as
electricity grids, refineries, and flood control mechanisms. The report
stated that terrorists already have specified the U.S. information
infrastructure as a target and currently are capable of physical attacks
that would cause at least brief, isolated disruptions.

According to a Congressional Research Service report, the annual worldwide
cost of major cyber attacks was, on average, $13.5 billion from 2000 to
2003. A more recently published report estimated that the worldwide
financial impact of virus attacks was $17.5 billion in 2004 and $14.2
billion in 2005.

Multiple Organizations Could Help in Recovering the Internet from a Major
Disruption

In the event of a major Internet disruption, multiple organizations could
help recover Internet service. These organizations include private
industry, collaborative groups, and government organizations. Private
industry is central to Internet recovery because private companies own the
vast majority of the Internet's infrastructure and often have response
plans. Collaborative groups-including working groups and industry
councils-provide information-sharing mechanisms to allow private
organizations to restore services. Additionally, government initiatives
could facilitate responding to major Internet disruptions.

Private Industry

Private industry organizations are critical to recovering Internet
services in the event of a major disruption because they own and operate
the vast majority of the Internet's infrastructure. This group of Internet
infrastructure owners and operators includes telecommunications companies
(such as AT&T and Verizon Communications), cable companies (such as Cox
Communications and Time Warner Cable), Internet service providers (such as
AOL and EarthLink), and root server operators (such as VeriSign and the
University of Maryland). These entities own or operate cable lines;
telephone lines; fiber-optic cables; or critical core systems, such as
network routers and domain name servers.

These private companies currently deal with cyber attacks and physical
disruptions on the Internet on a regular basis. According to
representatives of Internet infrastructure owners and operators, these
firms typically have disaster recovery plans in place. For example, a
representative from a major telecommunications company stated that the
company has emergency response plans for its primary and secondary
emergency operations centers. Similarly, representatives of a cable trade
association reported that most cable companies have standard disaster
recovery plans and a network operations center from which they can monitor
recovery operations.

Infrastructure representatives also noted that in the event of a network
disruption, companies that are competitors work together to resolve the
disruption. They said that although the companies are competitors, they
have a business interest in cooperating because it is common to rely on
each other's networks. For example, a representative of a major
telecommunications company noted that the company has "mutual-aid"
agreements with its competitors to exchange technicians and hardware in
the event of an emergency.

Collaborative Groups

Collaborative groups-working groups and industry councils that the private
and public sectors have established to allow technical information
sharing-help handle and recover from Internet disruptions. These
collaborative groups are usually composed of individuals and experts from
separate organizations. In the event of a major Internet disruption, these
groups allow individuals from different companies to exchange information
in order to assess the scope of the disruption and to restore services.
Table 3 provides descriptions of selected collaborative groups.

Table 3: Examples of Collaborative Groups

                                        

              Group                             Description                   
North American Network      This group of network operators coordinates    
Operators Group             and disseminates technical information related 
                               to backbone/enterprise networking technologies 
                               and operational practices. It was originally   
                               established to discuss operational issues      
                               regarding the National Science Foundation's    
                               high-speed research and education network,     
                               which became the Internet. In the mid-1990s,   
                               the group revised its charter to include a     
                               broader base of network service providers.     
                               Although the National Science Foundation       
                               originally funded the group, it is now funded  
                               by conference registration fees and donations  
                               from vendors.                                  
                                                                              
                               Through the group's mailing list, members      
                               collaborate and assist each other in resolving 
                               network operating issues. In the event of a    
                               major Internet disruption, these               
                               information-sharing mechanisms are used to     
                               resolve issues related to the disruption. For  
                               example, group members used their mailing list 
                               to collaborate with each other when the        
                               Slammer worm hit in January 2003, causing      
                               significant Internet congestion. Through the   
                               mailing list, members were able to corroborate 
                               events and share mitigation strategies.        
Network Service Providers   This group was originally established in 2001  
Security Consortium         to allow individuals in the network service    
                               provider community to coordinate on network    
                               security issues and problems. Its primary      
                               information-sharing mechanism is through its   
                               e-mail list. Members of the list who observe   
                               disruptions or malicious activity can post     
                               their observations or concerns to the list,    
                               and other members can take action or provide   
                               assistance. Membership in the list is only     
                               available to those who have been identified by 
                               other group members as having a relevant need  
                               for the information on the list. As of March   
                               2006, approximately 500 people subscribe to    
                               the list. If the list were not available or an 
                               issue needed to be addressed immediately, the  
                               group's organizer would be able to coordinate  
                               collaboration between the necessary parties.   
                                                                              
                               According to the group's organizer, the closed 
                               nature of the list is crucial to its value.    
                               The limited membership allows the building of  
                               trusted relationships and gives each member    
                               confidence that information posted to the list 
                               will not be misused. The organizer stated that 
                               the list has been very effective at resolving  
                               disruption issues. For example, the            
                               consortium's mailing list played a major role  
                               in resolving the root Domain Name System       
                               server attacks that occurred in October 2002.  
Packet Clearing House       The Packet Clearing House is a nonprofit       
                               research institute that supports operations    
                               and analyses in the areas of Internet traffic  
                               exchange, routing economics, and global        
                               network development. It hosts a hotline        
                               telephone system, called the Inter-Network     
                               Operations Center Dial-By-Autonomous System    
                               Number (a unique identifier for autonomous     
                               systems on the Internet). This system is a     
                               global voice telephony network that connects   
                               the network operations centers and security    
                               incident response teams of critical Internet   
                               infrastructure owners and operators, such as   
                               backbone providers, Internet service           
                               providers, and Internet exchange point         
                               operators. The hotline also connects critical  
                               individuals within the policy, regulatory,     
                               Internet governance, security, and vendor      
                               communities. The hotline is a closed system,   
                               ensuring secure and authenticated              
                               communications. It uses a combination of       
                               mechanisms to create a resilient,              
                               high-survivability network. Additionally, the  
                               hotline telephone system carries both routine  
                               operational traffic and emergency-response     
                               traffic. Representatives of several Internet   
                               service providers noted that they use this     
                               system to contact other network operators in   
                               order to resolve problems quickly.             
Information Technology      This center is made up of representatives of   
Information Sharing and     companies from across the information          
Analysis Center             technology industry. It helps facilitate       
                               operational information sharing, communication 
                               with other infrastructure sectors, and crisis  
                               response.                                      
                                                                              
                               The center works to improve security,          
                               reliability, and disaster recovery in          
                               information technology. The center identifies  
                               threats and vulnerabilities to information     
                               technology infrastructure (including the       
                               Internet) and shares best practices for how to 
                               quickly and properly address them. The         
                               representatives also stated that the           
                               Information Technology Information Sharing and 
                               Analysis Center facilitates information        
                               sharing and participates in exercises to test  
                               its ability to respond to incidents such as a  
                               major Internet disruption. For example, the    
                               center assisted with DHS's recent Cyber Storm  
                               exercise in February 2006. The center took a   
                               leadership role in Cyber Storm and prepared a  
                               concept of operations that addressed incident  
                               response to cyber or physical attacks.         
Telecommunications          In 1984, following the divestiture of AT&T,    
Information Sharing and     the National Coordinating Center for           
Analysis Center             Telecommunications was established to allow    
                               information sharing between representatives of 
                               the telecommunications companies. In January   
                               2000, the center was designated the            
                               information sharing and analysis center for    
                               the telecommunications industry. The center is 
                               unique among information sharing and analysis  
                               centers in that it is actually a joint         
                               government/industry operation.                 
                                                                              
                               According to a center representative, the main 
                               role of the Telecommunications Information     
                               Sharing and Analysis Center during an Internet 
                               disruption is to provide a protected forum in  
                               which industry members can collaborate and     
                               freely share information. In turn, this        
                               coordination effort will help expedite the     
                               overall Internet recovery. The industry chair  
                               of the center noted that this forum enables    
                               members to form trusted relationships with     
                               each other where they otherwise may not exist  
                               between competitors. An example of this        
                               cooperation occurred during the Code Red and   
                               NIMDA cyber attacks. Center members            
                               coordinated to understand and mitigate the     
                               attacks.                                       
National Security           This committee provides industry-based         
Telecommunications Advisory analyses and recommendations to the President  
Committee                   and the executive branch regarding             
                               telecommunications policy and proposals for    
                               enhancing national security and emergency      
                               preparedness. The committee is made up of 30   
                               Presidentially appointed industry leaders,     
                               usually chief executive officers of companies  
                               in the telecommunications industry. Since the  
                               committee is composed of telecommunications    
                               executives, their role in Internet recovery is 
                               strategic as opposed to operational.           
                                                                              
                               Members of the committee have long established 
                               relationships with DHS's National              
                               Communications System and National             
                               Coordinating Center for Telecommunications.    
                               Committee representatives reported that the    
                               committee works closely with these entities    
                               during response and recovery activities        
                               following a terrorist attack or natural        
                               disaster. The committee and these entities     
                               also share information related to a variety of 
                               other issues, including modifications to       
                               federal policy associated with                 
                               telecommunications in support of national      
                               security and emergency preparedness and        
                               changes in the commercial telecommunications   
                               marketplace.                                   
                                                                              
                               Additionally, the committee publishes reports  
                               that cover topics related to Internet          
                               recovery. In an October 2005 report, the       
                               committee provides an industry perspective on  
                               lessons learned in responding to the September 
                               11, 2001, terrorist attacks. In the October    
                               report, the committee deemed Internet services 
                               to be increasingly important in disaster       
                               response and central to the mission-critical   
                               operations of business and government          
                               agencies, and it identified steps the          
                               government could take to help the coordination 
                               center better address potential network        
                               security issues, such as distributed           
                               denial-of-service attacks and software         
                               viruses.                                       

Source: GAO.

Government Organizations-DHS

Federal policies and plans12 assign DHS lead responsibility for
facilitating a public/private response to and recovery from major Internet
disruptions. Within DHS, responsibilities reside in two divisions within
the Preparedness Directorate: the National Cyber Security Division (NCSD)
and the National Communications System (NCS). NCSD operates the U.S.
Computer Emergency Readiness Team (US-CERT), which coordinates defense
against and response to cyber attacks. The other division, NCS, provides
programs and services that ensure the resilience of the telecommunications
infrastructure in times of crisis.

National Cyber Security Division

In June 2003, DHS created NCSD to serve as a national focal point for
addressing cybersecurity issues and to coordinate the implementation of
the National Strategy to Secure Cyberspace. Its mission is to secure
cyberspace and America's cyber assets in cooperation with public, private,
and international entities.

NCSD is the government lead on a public/private partnership supporting the
US-CERT, an operational organization responsible for analyzing and
addressing cyber threats and vulnerabilities and disseminating
cyber-threat warning information. In the event of an Internet disruption,
US-CERT facilitates coordination of recovery activities with the network
and security operations centers of owners and operators of the Internet
and with government incident response teams.

NCSD also serves as the lead for the federal government's cyber incident
response through the National Cyber Response Coordination Group. This
group is the principal federal interagency mechanism for coordinating the
preparation for, and response to, significant cyber incidents-such as a
major Internet disruption. In the event of a major disruption, the group
convenes to facilitate intragovernmental and public/private preparedness
and operations. The group brings together officials from national
security, law enforcement, defense, intelligence, and other government
agencies that maintain significant cybersecurity responsibilities and
capabilities. Members use their established relationships with the private
sector and with state and local governments to help coordinate and share
situational awareness, manage a cyber crisis, develop courses of action,
and devise response and recovery strategies.

NCSD also recently formed the Internet Disruption Working Group, which is
a partnership between NCSD, NCS, the Department of the Treasury, the
Department of Defense, and private-sector companies, to plan for ways to
improve DHS's ability to respond to and recover from major Internet
disruptions. The goals of the working group are to identify and prioritize
the short-term protective measures necessary to prevent major disruptions
to the Internet or reduce their consequences and to identify
reconstitution measures in the event of a major disruption.

National Communications System

NCS is responsible for ensuring a communications infrastructure for the
federal government under all conditions-ranging from normal situations to
national emergencies and international crises. NCS is composed of members
from 23 federal departments and agencies.13 Although originally focused on
traditional telephone service, due to the convergence of the Internet and
telecommunications NCS has taken a larger role in Internet-related issues
and has partnered with NCSD and private companies to address issues
related to major Internet disruptions. For example, NCS now helps manage
issues related to disruptions of the Internet backbone (e.g.,
high-capacity data routes).

The National Coordinating Center for Telecommunications  (National
Coordinating Center), which serves as the operational component of NCS,
also has a role in Internet recovery. The center has eight resident
industry members (representing companies that were originally telephone
providers) as well as additional nonresident members, including
representatives of newer, more Internet-oriented companies. During a major
disruption to telecommunications services, the center communicates with
both resident and nonresident members, with the goal of restoring service
as soon as possible. In the event of a major Internet disruption, the
National Coordinating Center plays a role in the recovery effort through
its partnerships and collaboration with telecommunications and
Internet-related companies.

Government Organizations-Federal Communications Commission

The Federal Communications Commission can support Internet recovery by
coordinating resources for restoring the basic communications
infrastructures over which Internet services run. For example, after
Hurricane Katrina, the commission granted temporary authority for private
companies to set up wireless Internet communications supporting various
relief groups; federal, state, and local government agencies; businesses;
and victims in the disaster areas.

The commission also sponsors the Network Reliability and Interoperability
Council. A primary goal of the council is to prevent Internet disruptions
from occurring in the first place. The council has developed a list of
best practices for Internet disaster recovery that provides guidance on
strategic issues (such as exercising disaster recovery plans) as well as
operational issues (such as how to restore a corrupt domain name
server).14

Prior Evaluations of DHS's Cybersecurity Responsibilities Have Highlighted
Issues and Challenges Facing the Department

In May 2005, we issued a report on DHS's efforts to fulfill its
cybersecurity responsibilities.15 We noted that while DHS had initiated
multiple efforts to fulfill its responsibilities, it had not fully
addressed any of the 13 key cybersecurity responsibilities (see table 4)
noted in federal law and policy. For example, we noted that the department
established US-CERT as a public/private partnership to make cybersecurity
a coordinated national effort, and it established forums to build greater
trust and information sharing among federal officials with information
security responsibilities and with law enforcement entities. However, DHS
had not yet developed national cyber threat and vulnerability assessment
or government/industry cybersecurity recovery plans-including a plan for
recovering key Internet functions.

We also noted in our May 2005 report that DHS faced a number of challenges
that have impeded its ability to fulfill its cyber responsibilities. These
challenges included achieving organizational stability, gaining
organizational authority, overcoming hiring and contracting issues,
increasing awareness of cybersecurity roles and capabilities, establishing
effective partnerships with stakeholders, achieving two-way information
sharing with stakeholders, and demonstrating the value that DHS can
provide. We made recommendations to the department to strengthen its
ability to implement key responsibilities by completing critical
activities and resolving underlying challenges. DHS agreed that
strengthening cybersecurity is central to protecting the nation's critical
infrastructures and that much remained to be done, but it has not yet
addressed our recommendations. We continue to evaluate DHS's progress in
implementing our recommendations.

Table 4: DHS's Key Cybersecurity Responsibilities

o Develop a national plan for critical  o Identify and assess cyber        
infrastructure protection, including    threats and vulnerabilities.       
cybersecurity.                                                             
                                           o Support efforts to reduce cyber  
o Develop partnerships and coordinate   threats and vulnerabilities.       
with other federal agencies, state and                                     
local governments, and the private      o Promote and support research and 
sector.                                 development efforts to strengthen  
                                           cyberspace security.               
o Improve and enhance public/private                                       
information sharing involving cyber     o Promote awareness and outreach.  
attacks, threats, and vulnerabilities.                                     
                                           o Foster training and              
o Develop and enhance national cyber    certification.                     
analysis and warning capabilities.                                         
                                           o Enhance federal, state, and      
o Provide and coordinate incident       local government cybersecurity.    
response and recovery planning efforts.                                    
                                           o Strengthen international         
                                           cyberspace security.               
                                                                              
                                           o Integrate cybersecurity with     
                                           national security.                 

Source: GAO analysis of law and policy.

Although Both Cyber and Physical Incidents Have Caused Disruptions, the
Internet Has Not Yet Suffered a Catastrophic Failure

The Internet's infrastructure is vulnerable to disruptions in service due
to terrorist and other malicious attacks, natural disasters, accidents,
technological problems, or a combination of the above. Disruptions to
Internet service can be caused by cyber and physical incidents-both
intentional and unintentional. Private network operators routinely deal
with Internet disruptions of both types. Recent cyber and physical
incidents have caused localized or regional disruptions, highlighting the
importance of recovery planning. However, these incidents have also shown
the Internet as a whole to be flexible and resilient. Even in severe
circumstances, the Internet has not yet suffered a catastrophic failure.

Internet Disruptions Have Been Caused by Both Cyber and Physical Incidents

The Internet can be disrupted by either cyber or physical incidents, or by
a combination of the two. These incidents can be intentional (such as a
cyber attack or a terrorist attack on our nation's physical
infrastructure) or unintentional (such as a software malfunction or a
natural disaster). Table 5 provides examples of intentional and
unintentional cyber and physical incidents.

Table 5: Examples of Potential Internet Disruptions

                     Cyber incident                   Physical incident       
Intentional act   o malicious code (virus, worm,   o terrorist bomb        
                     or other attack)                                         
                                                      o foreign nation attack 
                     o hacking                                                
                                                      o intentional cutting   
                     o distributed denial-of-service  of fiber-optic cables   
                     attack                           
                                                      
                     o insider manipulating systems   
                     (changing router configurations) 
Unintentional act o software glitch                o severe natural event  
                                                      (hurricane, earthquake, 
                     o hardware malfunction           or flood)               
                                                                              
                     o improper configuration of      o accidental cutting of 
                     software or hardware             fiber-optic cables      
                                                                              
                                                      o other industrial      
                                                      accidents (chemical     
                                                      spill or fire)          

Source: GAO.

A cyber incident could cause a disruption if it affects a network protocol
or an application that is integral to the working of the Internet. A cyber
incident could be unintended (such as a software problem) or intended
(such as an attack using malicious software or hacking that causes a
disruption of service). Unintended incidents have caused significant
disruptions in the past. For example, in 1998, a major Internet backbone
provider had a massive outage due to a software flaw in the infrastructure
that caused systems to crash; in 2002, a different provider had an outage
due to a router with a faulty configuration.

Intentional incidents, or malicious attacks, have been increasing in
frequency and complexity and recently have been linked to organized crime.
Examples of malicious attacks include viruses and worms. Viruses and worms
are often used to launch denial-of-service attacks, which flood targeted
networks and systems with so much data that regular traffic is either
slowed or stopped. Such attacks have been used ever since the
groundbreaking Morris worm in November 1988, which brought 10 percent of
the systems connected to the Internet to a halt. More recently, in 2001,
the Code Red worm used a denial-of-service attack to affect millions of
computer users by shutting down Web sites, slowing Internet service, and
disrupting business and government operations.16

Cyber attacks can also cause Internet disruptions by targeting specific
protocols, such as the Border Gateway Protocol or the Domain Name System.
If a vulnerability in the Border Gateway Protocol was exploited, the
ability of Internet traffic to reach its destination could be limited or
halted. Some experts believe that it could take weeks to recover from a
major attack on the Border Gateway Protocol. The Domain Name System is
also susceptible to various attacks, including the corruption of stored
domain name information and the misdirection of addresses. Recently,
hackers have used domain name servers to launch denial-of-service
attacks-thereby amplifying the strength of the attacks. A network security
expert stated that there have been numerous attacks of this type recently,
and that some attacks have targeted top-level domains17 and Internet
service providers. Attacks against top-level domain servers could disrupt
users' capability to connect to various Internet addresses. It could take
several days to recover from a massive disruption of the domain name
server system.

As the number of individuals with computer skills has increased, more
intrusion, or hacking, tools have become readily available and relatively
easy to use. Frequently, skilled hackers develop exploitation tools and
post them on Internet hacking sites. These tools are then readily
available for others to download, allowing even inexperienced programmers
to create a computer virus or to literally point and click to launch an
attack. According to the National Institute of Standards and Technology,
30 to 40 new attack tools are posted on the Internet every month. Experts
also agree that there has been a steady advance in the sophistication and
effectiveness of attack technology.

In the case of insider incidents, these tools may not even be necessary,
because insiders often have unfettered access to their employers' computer
systems. In one incident, an insider installed unauthorized backdoor
access to his employer's systems. After his termination, the insider used
these back doors to gain access to the systems and to delete accounts,
change passwords, and delete security logs. While this is a case of an
insider disrupting a single network, an insider could also use this
knowledge to disrupt the operation of an Internet service provider. For
example, an insider at a company that develops critical routing hardware
might be able to use specific technical knowledge of the products to
create an attack that could disrupt networks that use that particular
equipment.

To date, cyber attacks have caused various degrees of damage. The
following case studies provide examples of cyber attacks; the effects of
these attacks; and the government's role, if any, in recovery (see figs. 4
and 5).

Figure 4: Case Study-The Slammer Worm

On Saturday, January 25, 2003, the Slammer worm infected more than 90      
percent of vulnerable computers worldwide within 10 minutes of its release 
on the Internet by exploiting a known vulnerability for which a patch had  
been available since July 2002. Slammer caused network outages, canceled   
airline flights, and automated teller machine failures. In addition, the   
Nuclear Regulatory Commission confirmed that the Slammer worm had infected 
a private computer network at a nuclear power plant, disabling a safety    
monitoring system for nearly 5 hours and causing the plant's process       
computer to fail. The worm reportedly also affected communications on the  
control networks of at least five utilities by propagating so quickly that 
control system traffic was blocked. In addition, on Monday, January 27,    
the worm infected more networks when U.S. and European business hours      
started. Cost estimates on the impact of the worm range from $1.05 billion 
to $1.25 billion.                                                          
                                                                              
Slammer resulted in temporary loss of Internet access to some users and    
increased network traffic worldwide. Postincident studies noted that if    
the worm had been malicious or had exploited more widespread               
vulnerabilities, it would have caused a significant disruption to Internet 
traffic.                                                                   
                                                                              
Responses to Slammer were quick. Within 1 hour, Web site operators were    
able to filter the worm. The disruption was partly resolved by network     
operators blocking the main communication channel that the worm was using, 
which helped control the spread of the worm. Security experts advised      
network operators to use firewalls to block the channel and to apply the   
patch before reconnecting services. In addition, private-sector network    
operators used the North American Network Operators Group mailing list to  
collaborate with each other in restoring infected networks. The federal    
government coordinated with security companies and Internet service        
providers and released an advisory recommending that federal departments   
and agencies patch and block access to the affected channel. However, most 
of these activities occurred after the worm had stopped spreading because  
it had propagated so quickly.                                              

Source: GAO analysis of GAO and other published reports.

Figure 5: Case Study-A Root Server Attack

On Monday, October 21, 2002, a coordinated denial-of-service attack was    
launched against all of the root servers in the Domain Name System. All 13 
root servers, located around the world, were targeted. The root servers    
experienced an unusually high volume of traffic. Two root server operators 
reported that traffic was 3 times the normal level, while another reported 
that traffic was 10 times the normal level. The attacks lasted for         
approximately 1 hour and 15 minutes. While reports of the attack differ,   
they all agreed that at least 9 of the servers experienced degradation in  
service. Specifically, 7 failed to respond to legitimate network traffic   
and 2 others failed intermittently during the attack.                      
                                                                              
Some root servers were unreachable from many parts of the global Internet  
because of traffic congestion from the attack. While all of the servers    
continued to answer any queries they received (because of their            
substantial backup capacity), many did not receive all of the queries that 
had been routed to them due to the high volume of traffic. However,        
average end users hardly noticed the attack. The attack became visible     
only as a result of various Internet health-monitoring projects. According 
to experts, the root name servers would have to be down for several hours  
before the effects would be noticeable to end users.                       
                                                                              
The response to these attacks was handled by the server operators and      
their service providers. The Domain Name System servers worked as they     
were designed to, and demonstrated robustness against a concerted,         
synchronized attack. However, the attack pointed to a need to increase the 
capacity of servers at Internet exchange points in order to manage the     
high volumes of data traffic that occur during an attack. The attacks led  
to systems receiving faster-than-normal upgrades. According to experts     
familiar with the attack, the government did not have a role in recovering 
from this attack.                                                          

Source: GAO analysis of interviews and published reports from sources,
including root name server operators and current and former government
officials.

A physical incident could be caused by an intentional attack, a natural
disaster, or an accident. For example, terrorist attacks, storms,
earthquakes, and unintentional cutting of cables can all cause physical
disruptions. Physical incidents causing Internet and telecommunications
disruptions occur regularly-often as a result of the accidental cutting of
cable lines. Physical incidents could affect various aspects of the
Internet infrastructure, including underground or undersea cables and
facilities that house telecommunications equipment, Internet exchange
points, or Internet service providers. Such incidents could also disrupt
the power infrastructure-leading to an extended power outage and thereby
disrupting telecommunications and Internet service. The following case
studies provide examples of physical incidents that caused Internet
disruptions and the effect of these incidents (see figs. 6 to 8).

Figure 6: Case Study-The Baltimore Train Tunnel Fire

On July 18, 2001, a 60-car freight train derailed in a Baltimore tunnel,   
causing a fire that interrupted Internet and data services between         
Washington and New York. The tunnel housed fiber-optic cables that served  
seven of the biggest U.S. Internet service providers. The fire burned and  
severed fiber-optic cables, causing backbone slowdowns for at least three  
major Internet service providers. There were sporadic reports from across  
the Northeast corridor about service disruptions and delays. For example,  
users in Baltimore did not suffer disrupted service, while users in        
Washington D.C. did suffer disruptions. In addition, there were selected   
impacts far outside the disaster zone. For example, the U.S. embassy in    
Lusaka, Zambia, experienced problems with e-mail. Two of the service       
providers had service restored within 2 days. Despite the outages caused   
by the fire, the Internet continued to operate.                            
                                                                              
Efforts to recover Internet service were handled by the affected Internet  
service providers. City officials also worked with telecommunications and  
networking companies to reroute cables. Other federal and local government 
efforts to resolve the disruption consisted of responding to the immediate 
physical issues of extinguishing the fire, maintaining safety in the       
surrounding area, and rerouting traffic.                                   

Source: GAO analysis of a Department of Transportation report.

Figure 7: Case Study-The September 11, 2001, Terrorist Attack on the World
Trade Center

On September 11, 2001, terrorists crashed two commercial airplanes into    
the World Trade Center, which led to the deaths of nearly 3,000 people and 
the destruction of 12 buildings containing millions of square feet of      
office space. The attack physically damaged one of the Internet's most     
important hubs-New York City-disrupting the local communications           
infrastructure (including facilities, critical computer systems, and       
fiber-optic cables that ran under the ruined buildings). In addition, the  
attack disrupted electrical power in Lower Manhattan. Local                
telecommunications facilities used back-up power systems until these ran   
out of fuel or batteries, and then they shut down their operations. In     
addition, some undamaged local data centers were inaccessible because of   
areawide closures. Repairs of key infrastructure centers were delayed      
because of structural concerns for buildings, and government-ordered       
evacuations.                                                               
                                                                              
These events had a devastating effect on the regional communications       
infrastructure, but they had little effect on Internet service as a whole. 
The attack disrupted financial and communications systems, which led to    
the closing of financial markets for up to 1 week, and interrupted         
Internet connectivity to several universities, medical colleges, and       
hospitals and to the city government's official Web site. There were also  
some far-reaching and unexpected effects: Internet service providers in    
parts of Europe lost connectivity and there were Domain Name System        
disruptions in South Africa due to interconnections in New York City. For  
the Internet as a whole, however, functions were largely back to normal    
within 15 minutes, and there were no widespread connectivity issues. This  
demonstrated the flexibility and adaptability of the network. For example, 
when Internet users were unable to reach popular Web sites because of the  
high volume of traffic, Internet service providers reduced the complexity  
of Web sites and reallocated computer resources to handle more traffic. In 
addition, Internet operators rerouted traffic to bypass the physical       
damage in lower Manhattan.                                                 
                                                                              
In the aftermath of the attack, many Internet service providers increased  
staffing at network operations centers, coordinated with other service     
providers, and improvised links to ensure that their networks would        
continue to run smoothly. However, many problems in restoring              
telecommunications services were logistical ones, such as obtaining food,  
fuel, and access to restricted areas.                                      
                                                                              
The federal government's involvement in restoration efforts included       
facilitating communications and providing logistical support. The          
government was also responsible for securing the area and providing access 
to those with need. It also provided military transport to the New York    
area for key telecommunications personnel when commercial air traffic was  
shut down.                                                                 

Source: GAO analysis of report entitled The Internet Under Crisis
Conditions: Learning from September 11, the National Research Council,
National Academy Press: Washington, D.C., 2003, and other published
reports.

Figure 8: Case Study-Hurricane Katrina

On August 29, 2005, Hurricane Katrina made landfall in Louisiana and       
significantly damaged or destroyed the communications infrastructure in    
Louisiana, Mississippi, and Alabama. According to the Federal              
Communications Commission, the storm caused outages for over 3 million     
telephone customers, 38 emergency 9-1-1 call centers, hundreds of          
thousands of cable customers, and over 1,000 cellular sites. Importantly,  
the Coast Guard's computer hub in New Orleans dropped off-line, resulting  
in no computer or Internet connectivity to all coastal ports within the    
area. Coast Guard units resorted to using telephones and fax machines to   
communicate.                                                               
                                                                              
A substantial number of the networks that experienced service disruptions  
recovered relatively quickly. Many networks were restored during the night 
and the following morning, and hundreds were restored by August 30. In     
some cases, local providers restored their own service, while in other     
cases network service was moved to other providers. According to the       
Federal Communications Commission, commercial carriers restored service to 
over 80 percent of the 3 million affected telephone customers within 10    
days of Hurricane Katrina. Despite the overall devastation caused by       
Katrina, the hurricane had minimal affect on the overall functioning of    
the Internet. According to an Internet-monitoring service provider, while  
there was a loss of routing around the affected area, there was no         
significant impact on global Internet routing.                             
                                                                              
Federal and private-sector officials disagree on how effective the         
government was in facilitating telecommunications restoration after the    
storm. According to an NCS official, the organization heightened the alert 
status of the National Coordinating Center for Telecommunication's 24-hour 
watch, conducted analyses of critical communications assets in the         
projected impact area, and activated a National Response Coordination      
Center. Additionally, the National Coordinating Center and NCS coordinated 
with the communications companies for various preparations, such as moving 
personnel to safety, coordinating with fuel and equipment providers, and   
rerouting communications traffic away from affected areas. NCS officials   
acknowledged that the scope of the disaster and difficulties coordinating  
with state officials made these efforts challenging.                       
                                                                              
Private-sector representatives stated that with the exception of the       
Federal Communications Commission (which coordinated provision of some     
governmental resources and information), coordination with the government  
was limited and virtually no assistance was received. Representatives      
reported that requests for assistance, such as food, water, fuel, and      
secure access to facilities, were denied because the Stafford Act (which   
authorizes such provisioning) does not extend to for-profit companies.     
These representatives also stated that the government made time-consuming  
and duplicative requests for information about their networks without      
identifying how this reporting would be beneficial. Some reported that     
certain government actions impeded recovery efforts. For example, private  
security contractors hired by telecommunications companies were not        
permitted to carry firearms in Louisiana because of licensing rules. In    
certain cases, the government commandeered fuel destined for               
telecommunications companies and displaced telecommunications staff from   
hotels to house federal officials.                                         

Sources: GAO analysis of published reports and testimonies by DHS, FCC,
NSTAC, and Renesys as well as interviews with private-sector officials.

The Internet Has Not Yet Experienced a Catastrophic Disruption

Since its inception, the Internet has experienced disruptions of varying
scale-from fast-spreading worms, to denial-of-service attacks, to physical
destruction of key infrastructure components. However, the Internet has
yet to experience a catastrophic disruption. Experts agree-and case
studies show-that the Internet is resilient and flexible enough to handle
and recover from many types of disruptions. While specific regions may
experience Internet disruptions, backup servers and the ability to reroute
traffic limit the effect of many targeted attacks. These efforts highlight
the importance of recovery planning.

However, it is possible that a complex attack or set of attacks could
cause the Internet to fail. It is also possible that a series of attacks
against the Internet could undermine users' trust-and thereby reduce the
Internet's utility.

Existing Laws and Regulations Apply to the Internet, but Numerous
Uncertainties Exist in Using Them for Internet Recovery

Several federal laws and regulations provide broad guidance that applies
to the Internet infrastructure, but it is not clear how useful these
authorities would be in helping to recover from a major Internet
disruption, because some do not specifically address Internet recovery and
others have seldom been used. Pertinent laws and regulations address
critical infrastructure protection, federal disaster response, and the
telecommunications infrastructure (see app. II for additional details).

Specifically, the Homeland Security Act of 200218 and Homeland Security
Presidential Directive 719 establish critical infrastructure protection as
a national goal and describe a strategy for cooperative efforts by the
government and the private-sector to protect the cyber- and physical-based
systems that are essential to the operations of both the economy and the
government. These authorities apply to the Internet because it is a core
communications infrastructure supporting the information technology and
telecommunications sectors. However, this law and regulation do not
specifically address roles and responsibilities in the event of an
Internet disruption.

Regarding federal disaster response, the Defense Production Act20 and the
Stafford Act21 provide authority to federal agencies to plan for and
respond to incidents of national significance-like disasters and terrorist
attacks. Specifically, the Defense Production Act authorizes the President
to ensure the timely availability of products, materials, and services
needed to meet the requirements of a national emergency. The act is
applicable to critical infrastructure protection and restoration, but it
has never been used for Internet recovery. The Stafford Act authorizes
federal assistance to states, local governments, nonprofit entities, and
individuals in the event of a major disaster or emergency. However, the
act does not authorize assistance to for-profit companies-such as those
that own and operate core Internet components. Several representatives of
private companies reported that they were unable to obtain needed
resources to restore the communications infrastructure in the aftermath of
Hurricane Katrina because the act does not extend to for-profit companies.

Other legislation and regulations, including the Communications Act of
193422 and the National Communications System (NCS) authorities,23 govern
the telecommunications infrastructure and help ensure communications
during national emergencies. The act governs the regulation of the
telecommunications infrastructure upon which the Internet depends.
However, coverage of the Internet is subsumed in provisions that govern
interstate wire and radio communications, and there is no specific
provision governing Internet recovery. NCS authorities establish guidance
for operationally coordinating with industry to protect and restore key
national security and emergency preparedness communications services.
These authorities grant the President certain emergency powers regarding
telecommunications, including the authority to require any carrier subject
to the Communications Act of 1934 to grant preference or priority to
essential communications.24 The President may also, in the event of war or
national emergency, suspend regulations governing wire and radio
transmissions and authorize the use or control of any such facility or
station and its apparatus and equipment by any department of the
government. Although these authorities remain in force and are implemented
in the Code of Federal Regulations, they have been seldom used-and never
for Internet recovery. Thus, it is not clear how effective they would be
if used for this purpose.

In commenting on the statutory authority for Internet reconstitution
following a disruption, DHS agreed that this authority is lacking and
noted that the government's roles and authorities related to assisting
Internet reconstitution following a disruption are not fully defined. In a
written response, DHS attorneys identified several statutes and other
authorities that provide authority for the NCS telecommunications response
functions in a situation involving national security and emergency
preparedness. DHS stated the following:

DHS Initiatives Supporting Internet Recovery Planning Are under Way, but
Much Remains to Be Done and the Relationships among Initiatives Are Not
Evident

DHS has begun a variety of initiatives to fulfill its responsibility for
developing an integrated public/private plan for Internet recovery, but
these efforts are not complete or comprehensive. Specifically, DHS has
developed high-level plans for infrastructure protection and national
disaster response, but the components of these plans that address the
Internet infrastructure are not complete. In addition, DHS has started a
variety of initiatives to improve the nation's ability to recover from
Internet disruptions, including working groups to facilitate coordination
and exercises in which government and private industry practice responding
to cyber events. While these activities are promising, some initiatives
are not complete, others lack time lines and priorities, and still others
lack effective mechanisms for incorporating lessons learned. In addition,
the relationships among these initiatives are not evident. As a result,
the nation is not prepared to effectively coordinate public/private plans
for recovering from a major Internet disruption.

DHS Has Developed High-level Protection and Response Plans, but Key
Components Are Not Complete

Federal policy establishes DHS as the central coordinator for cyberspace
security efforts and tasks the department with developing an integrated
public/private plan for Internet recovery.25 DHS has two key documents
that guide its infrastructure protection and recovery efforts, but
components of these plans dealing with Internet recovery are not complete.

The National Response Plan is DHS's overarching framework for responding
to domestic incidents. The plan, which was released in December 2004,
contains the following two components that address issues related to
telecommunications and the Internet:

o The Emergency Support Function 2 of the plan identifies federal actions
to provide temporary emergency telecommunications during a significant
incident and to restore telecommunications after the incident. It assigns
roles and responsibilities to different federal agencies; provides
guidelines for incident response; and identifies actions to take before,
during, and after the incident. Because the Internet is supported by the
telecommunications infrastructure, this section of the plan could help
with Internet recovery efforts.

o The Cyber Incident Annex identifies policies and organizational
responsibilities for preparing for, responding to, and recovering from
cyber-related incidents impacting critical national processes and the
national economy. The annex recognizes the National Cyber Response
Coordination Group as the principal federal interagency mechanism to
coordinate the government's preparation for, response to, and recovery
from a major Internet disruption or significant cyber incident.

These components, however, are not complete in that the Emergency Support
Function 2 does not directly address Internet recovery, and the Cyber
Incident Annex does not reflect the National Cyber Response Coordination
Group's current operating procedures. DHS officials acknowledged that both
Emergency Support Function 2 and the Cyber Incident Annex need to be
revised to reflect the maturing capabilities of the National Cyber
Response Coordination Group, the planned organizational changes affecting
NCS and NCSD, and the convergence of voice and Internet networks. However,
DHS has not reached consensus on the best approach for revising these
components, and it has not established a schedule for revising the overall
plan.

The Draft National Infrastructure Protection Plan consists of both a base
plan and sector-specific plans, but these have not been finalized. A
January 2006 draft of the base plan identifies roles, responsibilities,
and a high-level strategy for infrastructure protection across all
sectors. It emphasizes the need to protect and recover the cyber
infrastructure, including the Internet. Additionally, the sector plans are
expected to apply the strategies identified in the base plan to the
infrastructure sectors. For example, the information technology sector
plan identifies relationships within the information technology sector and
with other infrastructure sectors. It also identifies preliminary steps
for infrastructure protection, such as identifying key assets and the
consequences of the failure of those assets.

DHS is planning to finalize its base plan in 2006, but it has not yet set
a date for doing so. Once this plan is released, it will lead to the
development of the more detailed sector-specific plans. The next versions
of the information technology and telecommunications sector plans are due
to DHS within 180 days of the release of the final base plan.

While DHS's intentions to revise these plans are necessary steps in the
right direction, the plans do not fulfill the department's responsibility
to develop an integrated public/private plan for Internet recovery.
Several representatives of private-sector firms supporting the Internet
infrastructure expressed concerns about both plans, noting that the plans
would be difficult to execute in times of crisis. Other representatives
were uneasy about the government developing recovery plans, because they
were not confident in the government's ability to successfully execute the
plans. DHS officials acknowledged that it will be important to obtain
input from private-sector organizations as they refine these plans and
initiate more detailed public/private planning.

Until both the National Response Plan and the National Infrastructure
Protection Plan are updated and more detailed public/private planning
begins, DHS lacks the integrated approach to Internet recovery called for
in the cyberspace strategy and risks not being prepared to effectively
coordinate such a recovery.

Other DHS Initiatives Related to Internet Recovery Planning Are under Way,
but They Are Incomplete and the Relationships among the Initiatives Are
Not Evident

While the National Response Plan outlines an overall framework for
incident response, it is designed to be supplemented by more specific
plans and activities. DHS has numerous initiatives under way to better
define its ability to assist in responding to major Internet disruptions.
These initiatives include task forces, working groups, and exercises.
While these activities are promising, some initiatives are incomplete,
others still lack time lines and priorities, and others lack an effective
mechanism for incorporating lessons learned. In addition, the
relationships and interdependencies among different initiatives are not
evident.

As a result, tangible progress toward improving the government's ability
to help recover from a major Internet disruption has been limited.

DHS Plans to Revise the Role and Mission of the National Communications
System, but This Effort Is Not Yet Complete

DHS plans to revise the role and mission of the National Communications
System (NCS) to reflect the convergence of voice and data communications,
but this effort is not yet complete. NCS is responsible for ensuring the
availability of a viable national security and emergency preparedness
communications infrastructure. Originally focused on traditional telephone
service, NCS has recently taken on a larger role in Internet-related
issues due to the convergence of the infrastructures that serve
traditional telephone traffic and those that serve data (such as Internet
traffic). A presidential advisory committee on telecommunications26 has
established two task forces to recommend changes to NCS's role, mission,
and functions to reflect this convergence. One task force focused on
changes due to next-generation network technologies, while the other
focused on revising the role and mission of NCS's National Communications
Center. Appendix III provides additional details on the two task forces.

Both task forces have made recommendations to improve NCS's operations,
but DHS has not yet developed plans to address these recommendations.
Until NCS completes efforts to revise its role and mission, the group is
at risk of not being prepared to address the unique issues that could be
caused by future Internet disruptions.

National Cyber Response Coordination Group Is Defining Its Roles and
Responsibilities, but Much Remains to Be Done

As a primary entity responsible for coordinating governmentwide responses
to cyber incidents-such as major Internet disruptions-DHS's National Cyber
Response Coordination Group is working to define its roles and
responsibilities, but much remains to be done. The group reported that it
has begun efforts to define its roles, responsibilities, capabilities, and
activities. For example, the group has developed a concept of
operations-which includes a high-level recovery function-but is waiting
for the results of additional analyses before revising and enhancing the
concept of operations. The group also drafted operating procedures that it
used during a national cyber exercise in February 2006, and it plans to
incorporate lessons learned from the exercise into the operating
procedures and to issue revised procedures by June 2006. The group also
reported that it has made progress on initiatives to (1) map the current
capabilities of government agencies to detect, respond to, and recover
from cyber incidents; (2) identify secure communications capabilities
within the government that can be used to respond to cyber incidents; (3)
perform a gap analysis of different agencies' capabilities for responding
to cyber incidents; and (4) establish formal resource-sharing agreements
with other federal agencies as well as state and local governments.
However, much remains to be done to complete these initiatives.

One challenge facing the National Cyber Response Coordination Group is the
"trigger" for government involvement. Currently, the group can be
activated by

o a cyber incident that may relate to or constitute a terrorist attack, a
terrorist threat, a threat to national security, a disaster, or any other
cyber emergency requiring federal government response;

o a confirmed, significant cyber incident directed at one or more national
critical infrastructures;

o a cyber incident that impacts or potentially impacts national security,
national economic security, public health or safety, or public confidence
and morale;

o discovery of an exploitable vulnerability in a widely used protocol;

o other complex or unusual circumstances related to a cyber incident that
requires interagency coordination; or

o any cyber incident briefed to the President.

DHS officials acknowledged that the trigger to activate this group is
imprecise and will need to be clarified. Because key activities to define
roles, responsibilities, capabilities, and the appropriate trigger for
government involvement are still under way, the group is at risk of not
being able to act quickly and definitively during a major Internet
disruption.

The Internet Disruption Working Group Was Established to Work with the
Private Sector to Establish Plans to Respond to Major Internet
Disruptions, but It Lacks Time Lines and Priorities for Its Initiatives

Since most of the Internet is owned and operated by the private sector,
NCSD and NCS established the Internet Disruption Working Group to work
with the private sector to establish priorities and develop action plans
to prevent major disruptions of the Internet and to identify recovery
measures in the event of a major disruption. The group includes
representatives of both domestic and international government agencies and
private Internet-related companies. According to DHS officials who
organized the group, the group held its first forum in November 2005 to
begin to identify real versus perceived threats to the Internet, refine
the definition of an Internet disruption, determine the scope of a planned
analysis of disruptions, and identify near-term protective measures.

DHS officials stated that they had identified a number of potential future
plans, including meeting with industry representatives to

o better understand what constitutes normal network activity and what
suggests malicious activity;

o further refine the definition of an Internet disruption;

o determine which public/private organizations would be contacted in an
emergency and what contingency plans the government could establish;

o encourage implementation of best practices for protecting key Internet
infrastructure, including the Domain Name System; and

o consider requiring improved security technologies for the Domain Name
System and the Border Gateway Protocol in government contracts.

Efforts such as those previously mentioned appear to be worthwhile;
however, agency officials have not yet finalized plans, resources, or
milestones for these efforts. Until they do, the benefits of these efforts
will not be fully realized.

The North American Incident Response Group Is an Additional Mechanism for
Outreach to the Private Sector, but Its Efforts Are Early

In addition to the Internet Disruption Working Group, US-CERT officials
formed the North American Incident Response Group. The group, modeled on
similar groups in Asia and Europe, includes both public and private-sector
network operators who would be the first to recognize and respond to cyber
disruptions. In September 2005, US-CERT officials conducted regional
workshops with group members to share information on structure and
programs and incident response, and to seek ways for the government and
industry to work together operationally. The attendees included 32
organizations, such as computer security incident response teams;
information sharing and analysis centers; members of private firms that
provide security services; information technology vendors; and other
organizations that participate in cyber watch, warning, and response
functions. US-CERT officials stated that these events were highly
successful, and that they hope to continue to hold such events quarterly
beginning in 2006.

As a result of the first meetings, US-CERT officials developed a list of
action items and assigned milestones to some of these items. For example,
US-CERT has established a secure instant messaging capability to
communicate with group members. In addition, it plans to conduct a survey
of the group members to determine what they need from US-CERT and what
types of information they can provide.

While the outreach efforts of the North American Incident Response Group
are promising, DHS has only just begun developing plans and activities to
address the concerns of private-sector stakeholders.

DHS Has Conducted Initial Exercises That Address Cyber Disruption, but
Efforts to Incorporate Lessons Learned into DHS Operations Are Lacking

Over the last few years, DHS has conducted several broad intergovernmental
exercises to test regional responses to significant incidents that could
affect the critical infrastructure. These regional exercises included
incidents that could cause localized Internet disruptions, and they
resulted in numerous findings and recommendations regarding the
government's ability to respond to and recover from a major Internet
disruption. For example, selected exercises found that both the government
and private-sector organizations were poorly prepared to effectively
respond to cyber events. They cited the lack of clarity on roles and
responsibilities, the lack of coordination and communication, and a
limited understanding of cybersecurity concerns as serious obstacles to
effective response and recovery from cyber attacks and disruptions.
Furthermore, regional participants reported being unclear regarding who
was in charge of incident management at the local, state, and national
levels.

More recently, in February 2006, DHS conducted an exercise called Cyber
Storm, which was focused primarily on testing responses to a cyber-related
incident of national significance. The exercise involved a simulated
large-scale attack affecting the energy and transportation
infrastructures, using the telecommunications infrastructure as a medium
for the attack. The results of this exercise have not yet been published.
(Details on these exercises are provided in app. IV.)

Exercises that include Internet disruptions can help to identify issues
and interdependencies that need to be addressed. However, DHS has not yet
identified planned activities and milestones or identified which group
should be responsible for incorporating into its plans and initiatives
lessons learned from the regional and Cyber Storm exercises. Without a
coordination process, plans, and milestones, there is less chance that the
lessons learned from the exercises will be successfully transferred to
operational improvements.

The Relationships and Interdependencies among Various DHS Initiatives Are
Not Evident

While DHS has various initiatives under way-including efforts to update
the National Response Plan, task forces assessing changes to NCS, working
groups on responding to cyber incidents, and exercises to practice
recovery efforts-the relationships and interdependencies among these
various efforts are not evident. For example, plans to update the National
Response Plan to better reflect the Internet infrastructure are related to
task force efforts to suggest changes to NCS to deal with the convergence
of voice and data technologies. However, it is not clear how these
initiatives are being coordinated. Furthermore, the National Cyber
Response Coordination Group, the Internet Disruption Working Group, and
the North American Incident Response Group are all meeting to discuss ways
to address Internet recovery, but the interdependencies among the groups
have not been clearly established. Additionally, it is not evident that
lessons learned from the various cyber-related exercises are being
incorporated in the planned revision of the National Response Plan or the
ongoing efforts of the various working groups. Without a thorough
understanding of the interrelationships among its various initiatives, DHS
risks pursuing redundant efforts and missing opportunities to build on
related efforts.

DHS officials acknowledged that they have not yet fully coordinated the
various initiatives aimed at enhancing the department's ability to help
respond to and recover from a major Internet disruption, but they noted
that the complexity of this undertaking and the number of entities
involved in Internet recovery make this effort challenging.

Multiple Challenges Exist to Planning for Recovery from Internet
Disruptions

Although DHS has various initiatives under way to improve Internet
recovery planning, it faces key challenges in developing a public/private
plan for Internet recovery, including (1) innate characteristics of the
Internet that make planning for and responding to a disruption difficult,
(2) a lack of consensus on DHS's role and on when the department should
get involved in responding to a disruption, (3) legal issues affecting
DHS's ability to provide assistance to restore Internet service, (4)
reluctance of the private-sector to share information on Internet
disruptions with DHS, and (5) leadership and organizational uncertainties
within DHS. Until it addresses these challenges, DHS will have difficulty
achieving results in its role as the focal point for recovering the
Internet from a major disruption.

Key Internet Characteristics Make Recovery More Difficult

The Internet's diffuse structure, vulnerabilities in its basic protocols,
and lack of agreed-upon performance measures make planning for and
responding to a disruption more difficult.

Control of the Internet Is Diffuse

The diffuse control of the Internet makes planning for recovering from a
disruption more challenging. The components of the Internet are not all
governed by the same organization. Some components of the Internet are
controlled by government organizations, while others are controlled by
academic or research institutions. However, the vast majority of the
Internet is owned and operated by the private sector. Each organization
makes decisions to implement or not implement various standards based on
issues such as security, cost, and ease of use. Therefore, any plan for
responding to a disruption requires the agreement and cooperation of these
private-sector organizations.

In addition, the Internet is international. According to private-sector
estimates, only about 20 percent of Internet users are in the United
States. Cyber actors in one country have the potential to impact systems
connected to the Internet in another country. This geographical diversity
makes planning for Internet recovery more difficult.

Vulnerabilities in Internet-Related Protocols Make Responding to
Disruptions Difficult

The Internet's protocols have vulnerabilities that can be exploited.
Examples of these vulnerabilities include the following:

o The version of Internet Protocol (IPv4) that is widely used today has
certain security limitations that have been addressed but are not fully
integrated into the protocol. The newest version of the protocol (IPv6)
addresses some of these limitations, but it has not yet been fully
adopted.27

o The Domain Name System, which directs users to the correct Web site
based on the name they typed in, was not originally built with the intent
of being resistant to attacks. Domain name servers or caches storing
Domain Name System information can be corrupted. Although some protective
measures have been implemented, a method to encrypt and protect Domain
Name System information has not yet been widely deployed.

o Border Gateway Protocol, the protocol that transmits routing information
among separate networks, has vulnerabilities that, if not mitigated, could
subject those networks to attack. For example, a malicious actor could
advertise incorrect routing information. Because this protocol provides
the basis for all Internet connectivity, a successful attack could have
wide-ranging effects.

Lack of Standards for Measuring Internet Performance Hinders the Ability
to Recognize Disruptions and Recover Accordingly

There are no well-accepted standards for measuring and monitoring the
Internet infrastructure's availability and performance. Instead,
individuals and organizations rate the Internet's performance according to
their own priorities.

The commonly used version of Internet Protocol (IPv4) does not guarantee a
priority or speed for delivery, but rather provides "best effort" service.
The next version (IPv6) has features that may help the delivery of future
Internet traffic, but it is not yet widely used.28 The topic of
guaranteeing a particular level of service, called "quality of service,"
is currently the subject of much research. For example, NCS requested
information from private companies on the potential for prioritizing
certain types of Internet service over others if network capacity was
limited; NCS found that there is currently no offering of a priority
service, nor is there any consensus by industry on a standard approach to
prioritization. Obstacles to offering the service include both technical
and financial challenges. Since there are no clear standards for quality
of service, prioritizing service if capacity is limited or setting
thresholds that indicate a disrupted network can be difficult.

Private-sector representatives identified additional challenges to network
measurement and performance standards, including a reluctance to share
proprietary performance data that other companies could use for
competitive advantage, flaws in measurement techniques, and the ability to
"spoof" performance data.

The lack of agreement on standards for measurement and performance limits
the ability of the government and private sector to readily identify poor
performance and identify when recovery efforts should begin.

There Is No Consensus on DHS's Role in Responding to Internet Disruption
or the Appropriate Trigger for Its Involvement

There is a lack of consensus about the role DHS should play in responding
to a major Internet disruption and about the appropriate trigger for its
involvement. As we previously noted in this report, the lack of clear
legislative authority for Internet recovery efforts complicates the
definition of this role.

DHS's Role Lacks Consensus

DHS is currently providing information to private industry through
existing US-CERT and National Coordinating Center relationships and
conducting exercises such as Cyber Storm. US-CERT and National
Coordinating Center officials are also working to improve their
relationships with the private sector. However, DHS officials acknowledged
that their role in recovering from an Internet disruption needs additional
clarification, because private industry owns and operates the vast
majority of the Internet.

Private-sector officials representing telecommunication backbone providers
and Internet service providers were also unclear about the types of
assistance DHS could provide in responding to an incident and about the
value of such assistance. While many officials stated that the government
did not have a direct recovery role, others identified a variety of roles
ranging from providing information on specific threats (which DHS
currently does through US-CERT), providing security and disaster relief
support during a crisis, funding backup communication infrastructures, and
driving improved Internet security through requirements for its own
procurement. Clearly, there was no consensus among the officials on this
issue. Table 6 summarizes potential roles suggested by private-sector
representatives and DHS officials' assessments of each area.

Table 6: Potential DHS Roles

Potential role                   DHS assessment of activities              
Serve as a focal point with      NCS officials stated that credentials are 
state and local governments to   primarily controlled by state and local   
establish standard credentials   government officials. However, NCS stated 
to allow Internet and            that it is working with a                 
telecommunications companies     telecommunications company and Georgia on 
access to areas that have been   a pilot credentialing process for         
restricted or closed in a        telecommunications and electric power     
crisis.                          teams in a disaster area to restore       
                                    critical infrastructure. Once the pilot   
                                    process is generally agreed to with       
                                    Georgia officials, NCS stated it will     
                                    share this information with other state   
                                    and local officials to provide them with  
                                    the option of adopting it the next        
                                    hurricane season. The agency may consider 
                                    a formal credentialing system for the     
                                    next hurricane season.                    
Provide logistical assistance,   NCS currently does not provide such       
such as fuel, power, and         services directly, and the Stafford Act   
security, to Internet            does not authorize DHS to provide direct  
infrastructure operators.        assistance to private companies. However, 
                                    the National Coordinating Center has      
                                    assisted companies in obtaining these     
                                    services from other companies in previous 
                                    physical disruptions. An NCS official     
                                    acknowledged that providing these         
                                    services in the case of Hurricane Katrina 
                                    was challenging because of the scale of   
                                    the disaster and difficulties in          
                                    coordination with other government        
                                    organizations.                            
Conduct a more formal analysis   NCS stated it has developed a formal      
of physical diversity in service analysis process to assist federal        
routes so that a customer with   agencies in conducting analyses of        
multiple telecommunications      physical diversity in service routes for  
vendors would be able to         any given site. The formal NCS analysis   
determine the extent to which    process requires full collaboration       
the vendors' circuits physically between NCS and the requesting agency. An 
overlap.                         abbreviated analysis process is also      
                                    available for those agencies wishing to   
                                    conduct their analyses independently.     
                                    However, DHS stated that an overall       
                                    analysis of physical diversity in service 
                                    routes for all federal agency locations   
                                    would be a massive undertaking. It would  
                                    also be extremely expensive and is        
                                    currently beyond even industry's          
                                    capability to maintain.                   
Focus on smaller scale exercises DHS officials stated that they agree with 
targeted at specific Internet    this premise and are planning a tabletop  
disruption issues. An example    exercise specifically focused on the      
would be an exercise focused on  Internet. A group of government and       
root server/top-level domain     private-sector experts first met to plan  
attacks.                         the exercise in March 2006. The exercise  
                                    is currently planned for June 2006.       
Limit the initial focus for      DHS officials agree that this may be a    
Internet recovery planning to    more appropriate place to start. They     
key national security and        stated that a focus on these areas would  
emergency preparedness           likely be more positively received by the 
functions, such as public health private sector than larger scale planning 
and safety, similar to NCS's     efforts. However, they stated that this   
approach to telephone service.   prioritization will require discussions   
This would make the scope of     among stakeholders. These officials noted 
planning efforts more            that the Next Generation Network Task     
manageable.                      Force addressed prioritization. However,  
                                    there are no immediate plans that target  
                                    this particular issue.                    
Potential role                   DHS assessment of activities              
Fund backup communications       NCS initiated a program, called the       
systems.                         Shared Resources High-Frequency Radio     
                                    Program, to provide backup radio          
                                    communications during an emergency. The   
                                    purpose of the program is to provide a    
                                    single, interagency emergency             
                                    message-handling system by bringing       
                                    together existing radio resources of      
                                    federal, state, and industry              
                                    organizations when normal communications  
                                    are destroyed or unavailable for the      
                                    transmission of national security and     
                                    emergency preparedness information.       
                                                                              
                                    In addition, DHS operates the Critical    
                                    Infrastructure Warning Information        
                                    Network, a private communications network 
                                    designed to serve as a reliable and       
                                    survivable network capability with no     
                                    logical dependency on the Internet or the 
                                    public-switched network. In the event of  
                                    a significant cyber attack that disrupts  
                                    telecommunications networks and/or the    
                                    Internet, this network is expected to     
                                    provide a secure capability for           
                                    interagency incident managers to          
                                    communicate. DHS plans to extend the      
                                    network to private-sector communications  
                                    backbone providers.                       
Establish a system for           DHS officials and industry                
prioritizing recovery of         representatives noted that the existing   
Internet service similar to the  Telecommunications Service Priority       
existing Telecommunications      Program applies to physical restoration   
Service Priority Program.        of both voice circuits and data circuits, 
                                    including Internet traffic. However,      
                                    prioritization of particular traffic on   
                                    the Internet faces numerous technical     
                                    challenges and is not supported by        
                                    current legislation. DHS stated that this 
                                    issue will become more significant as     
                                    existing telecommunications               
                                    circuit-switched networks migrate to      
                                    packet-switched networks.                 
Use federal contracting          DHS officials noted that they can         
mechanisms to require use of     coordinate with the Office of Management  
more secure Internet             and Budget in addressing this issue, but  
technologies, such as secure     that the office has authority for         
Domain Name System and secure    providing federal agencies with           
Border Gateway Protocols.        overarching policy.                       
                                                                              
                                    They also stated that DHS's Science and   
                                    Technology Directorate and the National   
                                    Institute of Standards and Technology     
                                    have developed guidance documents to      
                                    encourage the use of a secure Domain Name 
                                    System in federal information technology  
                                    systems. The Science and Technology       
                                    Directorate is also coordinating with the 
                                    General Services Administration to begin  
                                    to implement a secure Domain Name System  
                                    in the .gov and global root Domain Name   
                                    System servers.                           
                                                                              
                                    These officials noted that standards for  
                                    securing Border Gateway Protocol are      
                                    still not fully agreed to-beyond some     
                                    common best practices for simple          
                                    security-and that DHS and the National    
                                    Institute of Standards and Technology are 
                                    working to develop standards and          
                                    technology to support securing Border     
                                    Gateway Protocol.                         
                                                                              
                                    These officials cautioned that expenses   
                                    and the timing of implementation are key  
                                    issues. Federal agencies can specify what 
                                    they want, but ultimately the costs of    
                                    enhanced services will have to be paid.   

Sources: GAO interviews with private-sector infrastructure owners and
operators to identify potential roles and a written assessment by DHS on
these potential roles.

The Trigger for Government Involvement Is Unclear

The difference between a minor and a major Internet disruption can be a
combination of factors. The severity of a disruption can be influenced by

o the length of time that the disruption lasts;

o the impact of the disruption on the operation of the Internet, both in
quality of operation (e.g., if the speed of the Internet is affected), and
the number of users that cannot access the Internet;

o the impact that the disruption has on society, such as the impact on
national security or economic security; and

o the simultaneity of events (e.g., a disruption coinciding with a
national disaster or terrorist attack could be more severe than a
disruption occurring on an uneventful day).

However, it is not clear when the government should get involved in a
disruption. For example, the lessons learned from the DHS-sponsored
regional exercises show that

o organizations do not know how and to whom they should report a cyber
attack and what information to convey;

o local and state emergency operations centers often lack procedures to
determine when they should activate for a cyber event;

o private-sector participants often do not inform government authorities
about what they see as routine events because of company policy, legal
constraints, or liability concerns; and

o it is unclear when a cybersecurity incident becomes a source of concern
and what types of incidents should be communicated to local and federal
law enforcement.

The trigger for the National Response Plan, which is DHS's overall
framework for incident response, is poorly defined and has been found by
both GAO and the White House to need revision.29 DHS officials
acknowledged that the definition for activation of its National Cyber
Response Coordination Group is very broad and needs clarification. In
addition, other DHS officials stated that, in their meetings with
private-sector firms and other government agencies, they have determined
that they need to further refine the definition of when government should
be involved during an Internet disruption.

DHS officials have stated that a successful public/private partnership is
critical to the success of efforts to plan for responding to Internet
disruptions. Since private-sector participation in DHS planning activities
for Internet disruption is voluntary, agreement on the appropriate trigger
for government involvement and on the role of government in resolving an
Internet disruption are essential to any plan's success. Without a
consensus on the appropriate role of government in responding to the
disruption, or on the trigger for government involvement, planning for
response to the disruption is difficult.

Legal Issues Affect DHS's Ability to Provide Assistance during Recovery
Efforts

There are key legal issues affecting DHS's ability to provide assistance
to help restore Internet service. As previously noted, key legislation and
regulations guiding critical infrastructure protection, disaster recovery,
and the telecommunications infrastructure do not provide specific
authorities for Internet recovery. As a result, there is no clear
legislative guidance on what government entity would be responsible in the
case of a major Internet disruption.

In addition, while the Stafford Act authorizes the government to provide
federal assistance to states, local governments, nonprofit entities, and
individuals in the event of a major disaster or emergency, it does not
authorize assistance to for-profit corporations. Several representatives
of telecommunications companies reported that they had requested federal
assistance from DHS during Hurricane Katrina. Specifically, they requested
food, water, and security for the teams they were sending in to restore
the communications infrastructure, and fuel to power their generators. DHS
responded that it could not fulfill these requests, noting that the
Stafford Act did not extend to for-profit companies.

Many in the Private Sector Are Reluctant to Share Internet Information
with the Government

Because a large percentage of the nation's critical
infrastructure-including the Internet-is owned and operated by the private
sector, public/private partnerships are crucial for successful critical
infrastructure protection. Although certain policies direct DHS to work
with the private sector to ensure infrastructure protection, DHS does not
have the authority to direct Internet owners and operators in their
recovery efforts. Instead, it must rely on the private sector to share
information on incidents, disruptions, and recovery efforts.

We have previously reported that many in the private sector are reluctant
to share information with the federal government.30 Many private-sector
representatives questioned the value of providing information to DHS
regarding planning for and recovery from Internet disruption. Concerns
included the potential for disclosure of the information and the perceived
lack of benefit in providing the information. In addition, DHS identified
provisions of the Federal Advisory Committee Act31 as having a "chilling
effect" on cooperation with the private sector. The act governs the
structure of certain federal advisory groups and requires that membership
in and information about the groups' activities be public record. However,
both the act itself and other federal legislation provide the ability to
limit disclosure of sensitive information provided to the government.
While DHS officials stated that the agency was working on a solution to
problems posed by the act, they did not provide us with information on
potential solutions or milestones for completing these activities.  The
uncertainties regarding the value and risks of cooperation with the
government limit incentives for the private sector to cooperate in
Internet recovery planning efforts.

DHS's Leadership and Organizational Issues Impact Its Ability to Address
Internet Disruption

In 2003 and again in 2005, we identified the transformation of DHS from 22
agencies into one department as a high-risk area.32 As part of this body
of work, we noted that organizational and management practices are
critical to successfully transforming an organization. Additionally, we
reported on the importance of top leadership driving any transformation
and the need for a stable and authoritative organizational structure.
However, DHS has lacked permanent leadership while developing its plans
for Internet recovery and reconstitution. In addition, the organizations
with roles in Internet recovery have overlapping responsibilities and may
be reorganized once DHS selects permanent leadership. As a result, it is
difficult for DHS to develop a clear set of organizational priorities and
to coordinate among the various activities responsible for Internet
recovery planning.

DHS Has Lacked Permanent Leadership in Key Roles

In recent years, DHS has experienced a high level of turnover in its
cybersecurity division and has lacked permanent leadership in key roles.
In May 2005, we reported that multiple senior DHS cybersecurity officials
had recently left the department.33 These officials included the NCSD
Director, the Deputy Director responsible for Outreach and Awareness, the
Director of the US-CERT Control Systems Security Center, the Under
Secretary for the Information Analysis and Infrastructure Protection
Directorate, and the Assistant Secretary responsible for the Information
Protection Office.

Subsequently, in July 2005, the DHS Secretary announced a major
reorganization of the department. Under this reorganization, the
Information Analysis and Infrastructure Protection Directorate, which
contained NCS and NCSD, was renamed the Directorate for Preparedness,
which would be managed by an appointed under secretary. The
responsibilities of NCS and NCSD were placed under a new Assistant
Secretary for Cyber Security and Telecommunications. DHS stated that the
creation of a position for Assistant Secretary for Cyber Security and
Telecommunications within the department would elevate the position of
cybersecurity in the department and by doing so raise visibility for the
issue. However, as of May 2006, no candidate for the assistant secretary
position had yet been publicly announced. In addition, the current head of
NCSD is in an acting position and has been since October 2004.

While DHS stated that the lack of a permanent assistant secretary has not
hampered its efforts in protecting critical infrastructure, several
private-sector representatives stated that DHS's lack of leadership in
this area has limited progress. Specifically, these representatives stated
that filling key leadership positions would enhance DHS's visibility to
the Internet industry and potentially improve its reputation.

DHS Organizations Have Overlapping Responsibilities

DHS officials acknowledged that the current organizational structure has
overlapping responsibilities in planning for and recovering from a major
Internet disruption. NCSD is responsible for planning and response
activities governing information technology, while NCS has the lead for
telecommunications. However, because of the convergence of voice and data
networks, NCS has become more involved in Internet issues.

There is currently no written division of responsibilities between NCS and
NCSD related to Internet recovery. NCS officials stated that a revision of
the Emergency Support Function 2 would help address the apparent overlap,
but DHS has not established a date for finalizing this document.
Furthermore, DHS officials stated that the new assistant secretary would
have discretion to reorganize NCS and NCSD. For example, NCS and NCSD
could be combined, or one or more program areas could be modified. As a
result, it is difficult for DHS to develop a clear set of organizational
priorities and to coordinate among the various activities responsible for
Internet recovery planning.

Conclusions

As a critical information infrastructure supporting our nation's commerce
and communications, the Internet is subject to disruption-from both
intentional and unintentional incidents. While major incidents to date
have had regional or local impacts, the Internet has not yet suffered a
catastrophic failure. Should such a failure occur, however, existing
legislation and regulations supporting critical infrastructure protection,
disaster response, and the telecommunications infrastructure do not
specifically address roles and responsibilities for Internet recovery.

A national policy, the National Strategy to Secure Cyberspace, establishes
DHS as the focal point for ensuring the security of cyberspace-a role that
includes developing joint public/private plans for facilitating a recovery
from a major Internet disruption. While DHS has initiated efforts to
refine high-level disaster recovery plans, the components of these plans
that pertain to the Internet are not complete. Additionally, while DHS has
undertaken several initiatives to improve Internet recovery planning, much
remains to be done. Specifically, some initiatives lack clear time lines,
lessons learned are not consistently being incorporated in recovery plans,
and the relationships between the various initiatives are not clear.

DHS faces numerous challenges to developing integrated public/private
recovery plans-not the least of which is the fact that the government does
not own or operate much of the Internet. In addition, there is no
consensus among public and private stakeholders about the appropriate role
of DHS and when it should get involved; legal issues limit the actions the
government can take; the private sector is reluctant to share information
on Internet performance with the government; and DHS is undergoing
important organizational and leadership changes. As a result, the exact
role of the government in helping to recover the Internet infrastructure
following a major disruption remains unclear.

Matters for Congressional Consideration

Given the importance of the Internet as a critical infrastructure
supporting our nation's communications and commerce, Congress should
consider clarifying the legal framework that guides roles and
responsibilities for Internet recovery in the event of a major disruption.
This effort could include providing specific authorities for Internet
recovery as well as examining potential roles for the federal government,
such as providing access to disaster areas, prioritizing selected entities
for service recovery, and using federal contracting mechanisms to
encourage more secure technologies. This effort also could include
examining the Stafford Act to determine if there would be benefits in
establishing specific authority for the government to provide for-profit
companies-such as those that own or operate critical communications
infrastructures-with limited assistance during a crisis.

Recommendations for Executive Action

To improve DHS's ability to facilitate public/private efforts to recover
the Internet in case of a major disruption, we recommend that the
Secretary of the Department of Homeland Security implement the following
nine actions:

o Establish dates for revising the National Response Plan and finalizing
the National Infrastructure Protection Plan-including efforts to update
key components relevant to the Internet.

o Use the planned revisions to the National Response Plan and the National
Infrastructure Protection Plan as a basis, draft public/private plans for
Internet recovery, and obtain input from key Internet infrastructure
companies.

o Review the NCS and NCSD organizational structures and roles in light of
the convergence of voice and data communications.

o Identify the relationships and interdependencies among the various
Internet recovery-related activities currently under way in NCS and NCSD,
including initiatives by US-CERT, the National Cyber Response Coordination
Group, the Internet Disruption Working Group, the North American Incident
Response Group, and the groups responsible for developing and implementing
cyber recovery exercises.

o Establish time lines and priorities for key efforts identified by the
Internet Disruption Working Group.

o Identify ways to incorporate lessons learned from actual incidents and
during cyber exercises into recovery plans and procedures.

o Work with private-sector stakeholders representing the Internet
infrastructure to address challenges to effective Internet recovery by

o further defining needed government functions in responding to a major
Internet disruption (this effort should include a careful consideration of
the potential government functions identified by the private sector in
table 6 of this report),

o defining a trigger for government involvement in responding to such a
disruption, and

o documenting assumptions and developing approaches to deal with key
challenges that are not within the government's control.

Agency Comments

We received written comments from DHS on a draft of this report (see app.
V). In DHS's response, the Director of the Departmental GAO/Office of
Inspector General Liaison Office concurred with our recommendations. DHS
stated that it recognizes that the Internet is an important component of
the information infrastructure in which both the information technology
and telecommunications sectors share an interest. It also stated that
because of the increasing reliance of various critical infrastructure
sectors on interconnected information systems, the Internet represents a
significant source of interdependencies for many sectors. DHS agreed that
strengthened collaboration between the public and private sectors is
critical to protecting the Internet. DHS also provided information on
initial actions it is taking to implement our recommendations.

DHS officials, as well as others who were quoted in our report, also
provided technical corrections, which we have incorporated in this report
as appropriate.

As agreed with your offices, unless you publicly announce the contents of
this report earlier, we plan no further distribution of it until 30 days
from the report date. At that time, we will send copies of this report to
interested congressional committees, the Secretary of the Department of
Homeland Security, and other interested parties. In addition, this report
will be available at no charge on GAO's Web site at w  ww.gao.gov.

If you have any questions on matters discussed in this report, please
contact us at (202) 512-9286 and at (202) 512-6412, or by e-mail at p 
[email protected] and r  [email protected]. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last page
of this report. GAO staff who made major contributions to this report are
listed in appendix VI.

David A. Powner Director, Information Technology Management Issues

Keith A. Rhodes Chief Technologist Director, Center for Technology and
Engineering

List of Congressional Requesters:

The Honorable Joseph I. Lieberman Ranking Member Committee on Homeland
Security and Governmental Affairs United States Senate

The Honorable Tom Coburn, MD Chairman The Honorable Tom Carper Ranking
Member Subcommittee on Federal Financial Management, Government
Information, and International Security Committee on Homeland Security and
Governmental Affairs United States Senate

The Honorable Joe Barton Chairman Committee on Energy and Commerce House
of Representatives

The Honorable Tom Davis Chairman Committee on Government Reform House of
Representatives

Appendix I:  Objectives, Scope, and Methodology

Our objectives were to (1) identify examples of major disruptions to the
Internet, (2) identify the primary laws and regulations governing recovery
of the Internet in the event of a major disruption, (3) evaluate the
Department of Homeland Security's (DHS) plans for facilitating recovery
from Internet disruptions, and (4) assess challenges to such efforts.

To determine the types of major disruptions to the Internet, we analyzed
our prior work on cybersecurity issues as well as reports by private
organizations, research experts, and government agencies. We identified
incidents that were representative of types of disruptions that have
actually occurred. We compiled case studies by reviewing and summarizing
research reports and interviewing private-industry experts and government
officials. We also conducted interviews with individuals in the
private/public sectors, including representatives of private companies
that operate portions of Internet infrastructure.

To determine the primary laws and regulations for recovering the Internet
in the event of a major disruption, we analyzed relevant laws and
regulations related to infrastructure protection, disaster response, and
the telecommunications infrastructure. These laws and regulations included
the Homeland Security Act of 2002, Homeland Security Presidential
Directive 7, the Defense Production Act, the Stafford Act, the
Communications Act of 1934, and the National Communications System (NCS)
authorities. We also obtained the perspectives of DHS and the Federal
Communications Commission on the laws and regulations that govern Internet
recovery. Additionally, we conducted interviews with DHS and other
government officials as well as representatives of the telecommunications
and information technology sectors.

To assess plans for recovery of Internet service in the event of a major
disruption, we analyzed key documents, such as the interim National
Infrastructure Protection Plan, the National Response Plan, a report from
the National Coordinating Center Task Force, and reports from regional
tabletop security exercises. We observed a portion of DHS's Cyber Storm
exercise, which focused on facilitating government and private industry
organizations to address an array of cybersecurity issues. We also spoke
with the Deputy Manager of NCS and the Deputy Director of the NCSD to
identify DHS's initiatives in the area of Internet protection and
recovery. Additionally, we interviewed representatives from private
companies that operate portions of Internet infrastructure. These included
representatives of major telecommunications and cable companies, Internet
service providers, and root server operators. We also interviewed
representatives from three information sharing and analysis centers1 to
obtain their perspectives on DHS's capabilities in the area of Internet
recovery.

To identify the challenges that may affect current recovery plans, we
analyzed DHS plans, congressional testimony, and other evaluations of
challenges to Internet recovery. We also interviewed officials at DHS,
including NCSD's Deputy Director of Strategic Initiatives and Deputy
Director of Operations and NCS's Chief of the Critical Infrastructure
Protection Division. In addition, we interviewed other agencies that are
involved with the government's efforts in the area of Internet recovery
and experts in the private sector and academia. We performed our work from
August 2005 to May 2006 in accordance with generally accepted government
auditing standards.

Appendix II:  Legislation and Regulations Govern Critical Infrastructure Protection,
Disaster Response, and the Telecommunications Infrastructure 

Multiple Laws and Regulations Govern Protection of Critical Infrastructure

Federal laws and policies establish critical infrastructure protection as
a national goal and describe a strategy for cooperative efforts by
government and the private sector to protect the cyber- and physical-based
systems that are essential to the minimum operations of the economy and
the government. The primary authorities governing protection of critical
infrastructure include the Homeland Security Act of 2002 and Homeland
Security Presidential Directive 7.

The Homeland Security Act of 2002

The Homeland Security Act of 20021 established DHS and gave it lead
responsibility for preventing terrorist attacks in the United States,
reducing the vulnerability of the United States to terrorist attacks, and
minimizing the damage and assisting in the recovery from attacks that do
occur.

The act also assigns DHS a number of responsibilities for critical
infrastructure protection, including (1) developing a comprehensive
national plan for securing the key resources and critical infrastructure
of the United States; (2) recommending measures to protect the key
resources and critical infrastructure of the United States in coordination
with other federal agencies and in cooperation with state and local
government agencies and authorities, the private sector, and other
entities; and (3) disseminating, as appropriate, information analyzed by
the department-both within the department and to other federal, state, and
local government agencies and private-sector entities-to assist in the
deterrence, prevention, or preemption of or response to terrorist attacks.

Additionally, the act specifically charged DHS with providing state and
local government entities and, upon request, private entities that own or
operate critical infrastructure, with

o analyses and warnings concerning vulnerabilities and threats to critical
infrastructure systems,

o crisis management support in response to threats or attacks on critical
information systems, and

o technical assistance with respect to recovery plans to respond to major
failures of critical information systems.

Homeland Security Presidential Directive 7

Homeland Security Presidential Directive 7, dated December 17, 2003,
superseded Presidential Decision Directive 63 and established a national
policy for federal departments and agencies to identify and prioritize
critical infrastructures and key resources and to protect them from
terrorist attack. The directive defines responsibilities for (1) DHS, (2)
sector-specific federal agencies that are responsible for addressing
specific critical infrastructure sectors, and (3) other departments and
agencies.

The directive also makes DHS responsible for coordinating the national
effort to enhance the protection of the critical infrastructure and key
resources of the United States. Under the directive, the Secretary of DHS
is to serve as the principal federal official to lead, integrate, and
coordinate implementation of efforts among federal departments and
agencies, state and local governments, and the private sector to protect
critical infrastructure and key resources. The Secretary also is to work
closely with other federal departments and agencies, state and local
governments, and the private sector in accomplishing the objectives of the
directive. The Secretary is given responsibility to coordinate protection
activities for several key infrastructure sectors, including the
information technology and telecommunications sectors.

Homeland Security Presidential Directive 7 provides that DHS is to
collaborate with the appropriate private-sector entities and to encourage
the development of information-sharing and analysis mechanisms.
Additionally, the department and sector-specific agencies are to
collaborate with the private sector and continue to support
sector-coordinating mechanisms to

o identify, prioritize, and coordinate the protection of critical
infrastructure and key resources and

o facilitate sharing of information about cyber and physical threats,
vulnerabilities, incidents, potential protective measures, and best
practices.

Multiple Laws Govern Federal Response to Disasters and Incidents of
National Significance

Federal planning for disaster recovery is governed by legislation
including the Defense Production Act and the Stafford Act.

Defense Production Act

The Defense Production Act was enacted at the outset of the Korean War to
ensure the availability of industrial resources to meet the needs of the
Department of Defense.2 The act is intended to facilitate the supply and
timely delivery of products, materials, and services to military and
civilian agencies, in times of peace as well as in times of war.
Presently, only titles I, III, and VII of the Defense Production Act
remain in effect.3 DHS identified the act as a primary authority that
supports telecommunications emergency planning and response functions.

Title I of the act authorizes the President to ensure the timely
availability of products, materials, and services needed to meet current
defense preparedness and military readiness requirements as well as the
requirements of a national emergency. Under section 101 of the act, the
President may require preferential performance on contracts and orders to
meet approved national defense requirements and may allocate materials,
services, and facilities as necessary to promote the national defense in a
national emergency. Homeland Security Presidential Directive 7, previously
discussed, specifically acknowledges the authority of the Department of
Commerce to use the act to ensure the timely availability of industrial
products, materials, and services to meet homeland security requirements.

Title III of the act authorizes the use of financial incentives to expand
productive capacity and supply. It authorizes loan guarantees, loans,
purchases, purchase guarantees, and installation of equipment in
contractor facilities for those goods necessary for national defense. It
is used only in cases where domestic sources are required and domestic
firms cannot, or will not, act on their own to meet a national defense
production need.

Title VII of the Defense Production Act defines national defense to
include domestic emergency preparedness and critical infrastructure
protection and restoration activities. The act's authorities, therefore,
are available to meet requirements in a civil disaster, such as a major
Internet disruption.

The act also authorizes the President to provide antitrust defenses to
private firms participating in voluntary agreements aimed at solving
production and distribution problems.

The Year 2000 computer transition and the September 11, 2001, attacks
prompted new interest in the act and its application to information
technology and cybersecurity. Some commentators indicated that the act
would be a useful tool in managing a critical infrastructure emergency.4
In January 2001, President Clinton directed the Secretary of Energy to
exercise authority under the act, among other statutes, to ensure the
availability of natural gas for high-priority uses in California.
President Clinton found that ensuring natural gas supplies to California
was necessary and appropriate to maximize domestic supplies and to promote
the national defense. President Bush subsequently extended this executive
order.5

In recent years, Congress has expanded the Defense Production Act's
coverage to include crises resulting from natural disasters or "man-caused
events" not amounting to an armed attack on the United States.6 The
definition of national defense in the act was expanded in 1994 to include

emergency preparedness activities authorized by the Stafford Act.7 In
2003, the act was reauthorized through September 30, 2008.8 It was also
amended to add explicit authority to use the act for critical
infrastructure protection and restoration. In addition, the 2003 Act
(section 5) added a definition of critical infrastructure to the act.9

The Stafford Act

The Robert T. Stafford Disaster Relief and Emergency Assistance Act (the
Stafford Act)10 authorizes federal assistance to states, local
governments, nonprofit entities, and individuals in the event of a major
disaster or emergency. For example, the President, at the request of a
governor, may declare a "major disaster," which is defined as follows:

A presidential declaration that a major disaster has occurred activates
the federal response plan for the delivery of federal disaster assistance.
The Federal Emergency Management Agency is responsible for coordinating
the federal and private response effort. A presidential declaration of a
major disaster11 triggers several Stafford Act authorities, including, for
example, federal activities to

o support state and local governments to facilitate the distribution of
consumable supplies;

o help distribute aid to victims through state and local governments and
voluntary organizations, perform life- and property-saving assistance,
clear debris, and use the resources of the Department of Defense;

o repair and reconstruct federal facilities;

o repair, restore, and replace damaged facilities owned by state and local
governments, as well as private nonprofit facilities that provide
essential services or contributions for other facilities or hazard
mitigation measures in lieu of repairing or restoring damaged facilities;
and

o establish-during or in anticipation of an emergency-temporary
communications systems, and make such communications available to state
and local government officials.

Specific Laws and Regulations Govern the Telecommunications Infrastructure
That Supports the Internet

The Internet is enabled by the telecommunications infrastructure that
supports transmission of data. Key laws and regulations include the
Communications Act of 1934, as amended, and the National Communications
System (NCS) authorities.

Communications Act of 1934, as Amended

The primary federal telecommunications law is the Communications Act of
1934. Its original purpose was to regulate interstate and foreign commerce
in communications by wire and radio by licensing radio stations and
regulating the telecommunications monopolies of the time.12 The 1934 Act
also created the Federal Communications Commission to implement the act.13
The 1934 act, as amended, has remained for more than 60 years as the

basis of federal regulation of telecommunications services.14 The
Telecommunications Act of 199615 amended the 1934 Act to enhance
competition in the telecommunications market. These laws govern regulation
of forms of transmission upon which the Internet depends. There is,
however, no general regulatory provision for the Internet in the act and
no specific provision providing authorities and responsibilities for
Internet recovery.

NCS Authorities

NCS was established by a memorandum signed by President Kennedy in 1963,
following the Cuban Missile Crisis.16 The memorandum called for
establishing a national communications system by linking together and
improving the communication facilities and components of various federal
agencies. This original memorandum has since been amended and superseded
over time.

The executive order currently in force is Executive Order 12472, April 3,
1984, which was amended slightly by Executive Order 13286 on February 28,
2003. Executive Order 12472, as amended by Executive Order 13286,
established NCS and provided that its mission was to assist the President,
the National Security Council, the Homeland Security Council, the Director
of the Office of Science and Technology Policy, and the Director of the
Office of Management and Budget in, among other responsibilities, "the
coordination of the planning for and provision of national security and
emergency preparedness communications for the Federal government under all
circumstances, including crisis or emergency, attack, recovery and
reconstitution."

The administrative structure includes a National Communications System
Committee of Principals, an executive agent, and a manager. The Homeland
Security Act of 2002 transferred NCS to DHS. To reflect this change,
Executive Order 13286 made the Secretary of DHS the Executive Agent.

NCS's mission with regard to critical infrastructure protection is to
ensure the reliability and availability of telecommunications for national
security and emergency preparedness. Its mission includes, but it is not
necessarily limited to, responsibility for (1) ensuring the government's
ability to receive priority services for national security and emergency
preparedness purposes in current and future telecommunications networks by
conducting research and development and participating in national and
international standards bodies and (2) operationally coordinating with
industry for protecting and restoring national security and emergency
preparedness services in an all-hazards environment.17

Section 706 of the Communications Act of 1934 grants the President certain
emergency powers regarding telecommunications, including the authority to
grant essential communications "preference or priority with any carrier"
subject to this act.18 The President may also, in the event of war or
national emergency, suspend regulations governing wire and radio
transmissions and "authorize the use or control of any such facility or
station and its apparatus and equipment by any department of the
Government." Section 706 is implemented in Executive Order 12472, which
provides that the Director of the Office of Science and Technology Policy
shall direct the exercise of the war power functions of the President
under section 706(a), (c)-(e) of the Communications Act of 1934, as
amended (47 U.S.C. 606). Section 706 is implemented in the Code of Federal
Regulations at title 47, chapter II.

Two Task Forces Have Assessed NCS Roles and Mission Appendix III

The National Security Telecommunications Advisory Committee advises the
President on issues and problems related to implementing national security
and emergency preparedness telecommunications policy. The committee
recently formed two task forces to provide recommendations on changes to
DHS's NCS division and operations.

Next Generation Network Task Force

In May 2004, the Next Generation Network Task Force was formed to develop
recommendations on changes that needed to be made to NCS as a result of
issues such as the convergence of voice and data communications. The task
force was to (1) define the expected structure for next-generation
networks, such as those using Internet-based protocols; (2) identify
national security and emergency preparedness user requirements for
next-generation networks and outline how these requirements will be met;
and (3) examine relevant user scenarios and expected cyber threats and
recommend optimal actions to address these threats.

The task force agreed to present its findings and recommendations in two
separate reports to the President-a near-term recommendations report and a
final comprehensive report.

In March 2005, the task force issued near-term recommendations for the
federal government. While the recommendations did not address NCS's role
in recovering from an Internet disruption, they included

o exploring the use of government networks as alternatives for critical
emergency communications during times of national crisis;

o using and testing existing and leading-edge technologies and commercial
capabilities to support critical emergency user requirements for security
and availability;

o studying and supporting industry efforts in areas that present the
greatest emergency communications risks during the period of convergence,
including gateways, control systems, and first responder communications
systems; and

o reviewing the value of satellite systems as a broad alternative
transmission channel for critical emergency communications.

The final report, issued in March 2006, contained recommendations that the
federal government

o require federal agencies to plan for and invest in resilient and
alternate communications mechanisms to be used in a crisis,

o develop identity management tools to support priority emergency
communication on next-generation networks,

o develop supporting policies for emergency communications on
next-generation networks, and

o improve DHS incident management capabilities.

DHS has not yet developed specific plans to address the recommendations
from either report.

National Coordinating Center Task Force

In October 2004, a task force was established to examine the future
mission and role of the National Coordinating Center, which is part of
NCS. This task force was to study the direction of the center over the
next year, 3 years, and 5 years, including how industry members of the
center should continue to partner with the government and how the center
should be structured.

The task force researched the center's functions and mapped the center's
authorities to its missions. It studied the center's organizational
structure, information sharing and analysis, incident management and
leadership, and international mutual-aid abilities.

In its report issued in May 2006, the task force found that since the
September 11 attacks the number of companies participating in the National
Coordinating Center has more than doubled, but the influx of new members
has hindered information sharing because of the time it takes to develop
trusted relationships between members. The report also found that members
wanted government to increase its sharing of threat information with the
communications industry through the National Coordinating Center. The
report recommended that

o the National Coordinating Center broaden center membership by including
additional firms, such as cable operators, satellite operators, and
Internet service providers;

o NCS examine the possible combination of the National Coordinating Center
and the Information Technology Information Sharing and Analysis Center;

o DHS clarify responsibilities and authorities in emergency situations to
facilitate response to telecommunications disruptions;

o DHS revise the Cyber Incident Annex to the National Response Plan to
clarify the trigger for the annex and the appropriate role of the
government in responding to such an incident;

o the National Coordinating Center develop a concept of operations for
responding to cyber events; and

o DHS resolve confusion over legal or jurisdictional issues in responding
to cyber or communications crises.

DHS has not yet developed a plan to address these findings and
recommendations.

DHS Has Conducted Disaster Response Exercises That Include Cyber
IncidentsAppendix IV

DHS Has Conducted Regional Exercises Involving Cyber Attacks

Over the last few years, DHS has conducted several exercises to test the
federal and regional response to incidents affecting critical
infrastructures. Among other events, these exercises included incidents
that could cause localized Internet disruptions. Specifically, DHS
sponsored two cyber tabletop exercises with Connecticut and New Jersey, as
well as a series of exercises in the Pacific Northwest and Gulf Coast
regions of the United States.

The series of exercises in the Pacific Northwest was named Blue Cascades.
Blue Cascades II, conducted in September 2004, addressed a scenario
involving cyber attacks and attacks that disrupted infrastructure,
including telecommunications and electric power. The scenario explored
regional capabilities to deal with threats, interdependences, cascading
impacts, and incident response. Blue Cascades III, conducted in March
2006, focused on the impact of a major earthquake in the area and the
resulting efforts to recover and restore services. Both exercises were
sponsored by NCSD and organized by the Pacific Northwest Economic Region.

Purple Crescent II, held in New Orleans, Louisiana, in October 2004, was
also designed to raise awareness of infrastructure interdependencies and
to identify how to improve regional preparedness. The scenario involved a
cell of terrorists that used an approaching major hurricane to test their
ability to disrupt regional infrastructures, government and private
organizations, and particularly disaster preparedness operations using
cyber attacks. The exercise was sponsored by the Gulf Coast Regional
Partnership for Infrastructure Security and funded by NCSD.

The objectives of these exercises included

o raising awareness of infrastructure-related cybersecurity issues and
vulnerabilities;

o identifying response and recovery challenges;

o bringing together physical security, emergency management, and other
disciplines involved in homeland security and disaster response;

o identifying roles and responsibilities in addressing cyber attacks and
disruptions;

o determining ways to foster public/private cooperation and information
sharing;

o identifying preparedness gaps associated with cybersecurity and related
interdependencies; and

o producing an action plan of activities.

The exercises resulted in many findings regarding the overall preparedness
for cyber incidents (see table 7). Overall, the exercises found that both
the government and private-sector organizations were poorly prepared to
effectively respond to cyber events. The lack of clarity on roles and
responsibilities coupled with both the lack of coordination and
communication and limited understanding of cybersecurity concerns pose
serious obstacles to effective response and recovery from cyber attacks
and disruptions. Furthermore, it was unclear who was in charge of incident
management at the local, state, or national levels.

Table 7: Selected Lessons Learned from DHS Regional Exercises with Cyber
Components

                                        

            Area                        Selected lessons learned              
Skills, knowledge, and  o Many exercise participants demonstrated a basic  
preparedness            understanding of high-level cybersecurity issues,  
                           but they were not knowledgeable about more complex 
                           cyber vulnerabilities and interdependencies that   
                           could cause cascading impacts.                     
                                                                              
                           o Organizations overestimated their technical      
                           capabilities to protect against threats and        
                           attacks and to respond and recover expeditiously   
                           in the exercise scenario.                          
                                                                              
                           o It appeared that few organizations had any       
                           formal alternative communications plans.           
                                                                              
                           o The dependence of emergency preparedness         
                           activities on information systems and electronic   
                           communications needs to be tested and assessed.    
                           Furthermore, vulnerabilities need to be identified 
                           and cost-effective mitigation measures need to be  
                           adopted.                                           
                                                                              
                           o It was unclear what redundant and alternative    
                           communications were available to organizations in  
                           a major cyber disruption, or if available, whether 
                           these capabilities were regularly tested.          
Coordination            o While a cooperative spirit was demonstrated by   
                           participating organizations during the exercise,   
                           this cooperation appeared to be based on ad hoc    
                           personal relationships, and it is focused on       
                           physical incidents.                                
                                                                              
                           o Participants for the most part focused on their  
                           own organizational interests, with minimal         
                           public/private coordination or formalized          
                           relationships.                                     
                                                                              
                           o With the exception of sector-specific            
                           Information Sharing and Analysis Centers and       
                           cybersecurity professional associations,           
                           organizations rarely coordinate on cyber threat    
                           and incident response activities, chiefly for      
                           legal and liability reasons.                       
                                                                              
                           o Government agencies at the state level interact  
                           with other state entities, and federal agencies    
                           with federal offices, with little coordination at  
                           federal and state levels. There appears to be      
                           little coordination among the many federal, other  
                           government and private organizations with          
                           cybersecurity missions.                            
                                                                              
                           o Private-sector participants emphasized that      
                           their organizations do not inform government       
                           authorities about what is seen as routine events   
                           because of company policy, legal constraints or    
                           liability concerns.                                
Triggers and thresholds o Regional organizations lack information on what  
for reporting           organization they should contact to report a cyber 
                           event or to seek guidance in dealing with an       
                           incident.                                          
                                                                              
                           o State and local emergency operations centers     
                           lack threshold criteria to determine when they     
                           should activate for a cyber attack.                
                                                                              
                           o It is unclear when a cybersecurity incident      
                           becomes a source of concern and what types of      
                           incidents should be communicated to local and      
                           federal law enforcement.                           
Government actions      o No one organization is mandated as the focal     
                           point for cybersecurity threats and incident       
                           response. The federal government has a number of   
                           organizations that have missions to respond to     
                           cyber incidents and there are also state and       
                           private-sector response organizations and vendors. 
                           As a result, it was not clear to the participants  
                           what role DHS elements and other federal agencies  
                           would play in a cyber incident.                    
                                                                              
                           o Some participants believed DHS and US-CERT       
                           should undertake the lead role in dealing with     
                           major cyber attacks while other                    
                           participants-chiefly private-sector                
                           representatives-did not see a federal government   
                           lead role as appropriate or desirable.             
                                                                              
                           o Participants described cyber incident management 
                           as "confused" or "loose."                          

Source: GAO analysis of the Purple Crescent II exercise held in October
2004 and the Blue Cascades II exercise held in September 2004.

The after-action reports from the exercises recommended areas for
additional study and planning, including

o additional study of the vulnerabilities of critical infrastructures to
cyber attack;

o improved information on training, assessments, and resources to be used
against cyber attacks;

o improved federal, state, local, and private-sector planning and
coordination; and

o defined thresholds for what constitutes a major cyber attack.

Cyber Storm Was DHS's First National Exercise Focused on Cyber Attacks

Cyber Storm, held in February 2006 in Washington, D.C., was the first
DHS-sponsored national exercise to test response to a cyber-related
incident of national significance. The exercise involved a simulated,
large-scale attack affecting the energy, information technology,
telecommunications, and transportation infrastructures. DHS officials
stated that they plan to hold a similar exercise every other year.

According to information provided by agency officials, the exercise
involved eight federal departments and three agencies, three states, and
four foreign countries. The exercise also involved representatives from
the private sector, including nine information technology companies, six
electric companies, and two airlines. The exercise objectives included
testing interagency, intergovernmental, and public/private coordination of
incident response.

Representatives of private-sector companies provided mixed responses on
the value of exercises such as Cyber Storm. Selected representatives
expressed concerns about the overly broad scope and the difficulty in
justifying dedicating resources for the exercises due to the lack of clear
goals and outcomes. Another representative stated that government
exercises help the government but exercises involving private-sector
coordination with multiple agencies would also be helpful. Another
representative stated that exercises were only of value if there was a
process for integrating lessons learned from the exercises into policies
and procedures. Two representatives, from a private-sector company that
participated in Cyber Storm, stated that, while useful, the exercise was
not designed for network operators, who would benefit from more
comprehensive training in incident response.

Appendix V:  Comments from the Department of Homeland Security

Appendix VI:  GAO Contacts and Staff Acknowledgments

GAO Contacts

David A. Powner, (202) 512-9286 or [email protected]  Keith A. Rhodes,
(202) 512-6412 or r  [email protected]

Staff
Acknowledgments

In addition to those named above, Don R. Adams, Naba Barkakati, Scott
Borre, Neil Doherty, Vijay D'Souza, Joshua A. Hammerstein, Bert Japikse,
Joanne Landesman, Frank Maguire, Teresa M. Neven, and Colleen M. Phillips
made key contributions to this report.

(310499)

www.gao.gov/cgi-bin/getrpt? GAO-06-672 .

To view the full product, including the scope

and methodology, click on the link above.

For more information, contact David Powner at (202) 512-9286 or
[email protected].

Highlights of GAO-06-672 , a report to congressional requesters

June 2006

INTERNET INFRASTRUCTURE

DHS Faces Challenges in Developing a Joint Public/Private Recovery Plan

Since the early 1990s, growth in the use of the Internet has
revolutionized the way that our nation communicates and conducts business.
While the Internet was originally developed by the Department of Defense,
the vast majority of its infrastructure is currently owned and operated by
the private sector. Federal policy recognizes the need to prepare for
debilitating Internet disruptions and tasks the Department of Homeland
Security (DHS) with developing an integrated public/private plan for
Internet recovery. GAO was asked to (1) identify examples of major
disruptions to the Internet, (2) identify the primary laws and regulations
governing recovery of the Internet in the event of a major disruption, (3)
evaluate DHS plans for facilitating recovery from Internet disruptions,
and (4) assess challenges to such efforts.

What GAO Recommends

GAO is suggesting that Congress consider clarifying the legal framework
guiding Internet recovery. GAO is also making recommendations to the
Secretary of the Department of Homeland Security to strengthen the
department's ability to serve as a focal point for helping to recover from
Internet disruptions by completing key plans and activities and addressing
challenges. In written comments, DHS agreed with GAO's recommendations and
provided information on activities it was taking to implement them.

A major disruption to the Internet could be caused by a cyber incident
(such as a software malfunction or a malicious virus), a physical incident
(such as a natural disaster or an attack that affects key facilities), or
a combination of both cyber and physical incidents. Recent cyber and
physical incidents have caused localized or regional disruptions but have
not caused a catastrophic Internet failure.

Federal laws and regulations addressing critical infrastructure
protection, disaster recovery, and the telecommunications infrastructure
provide broad guidance that applies to the Internet, but it is not clear
how useful these authorities would be in helping to recover from a major
Internet disruption. Specifically, key legislation on critical
infrastructure protection does not address roles and responsibilities in
the event of an Internet disruption. Other laws and regulations governing
disaster response and emergency communications have never been used for
Internet recovery.

DHS has begun a variety of initiatives to fulfill its responsibility for
developing an integrated public/private plan for Internet recovery, but
these efforts are not complete or comprehensive. Specifically, DHS has
developed high-level plans for infrastructure protection and incident
response, but the components of these plans that address the Internet
infrastructure are not complete. In addition, the department has started a
variety of initiatives to improve the nation's ability to recover from
Internet disruptions, including working groups to facilitate coordination
and exercises in which government and private industry practice responding
to cyber events. However, progress to date on these initiatives has been
limited, and other initiatives lack time frames for completion. Also, the
relationships among these initiatives are not evident. As a result, the
government is not yet adequately prepared to effectively coordinate
public/private plans for recovering from a major Internet disruption.

Key challenges to establishing a plan for recovering from Internet
disruptions include (1) innate characteristics of the Internet (such as
the diffuse control of the many networks making up the Internet and
private sector ownership of core components) that make planning for and
responding to disruptions difficult, (2) a lack of consensus on DHS's role
and when the department should get involved in responding to a disruption,
(3) legal issues affecting DHS's ability to provide assistance to restore
Internet service, (4) reluctance of many in the private sector to share
information on Internet disruptions with DHS, and (5) leadership and
organizational uncertainties within DHS. Until these challenges are
addressed, DHS will have difficulty achieving results in its role as a
focal point for helping to recover the Internet from a major disruption.
*** End of document. ***