Critical Infrastructure Protection: Further Efforts Needed to	 
Integrate Planning for and Response to Disruptions on Converged  
Voice and Data Networks (26-JUN-08, GAO-08-607).		 
                                                                 
Technological advances have led to an increasing convergence of  
previously separate networks used to transmit voice and data	 
communications. While the benefits of this convergence are	 
enormous, such interconnectivity also poses significant 	 
challenges to our nation's ability to respond to major		 
disruptions. Two operations centers--managed by the Department of
Homeland Security's (DHS) National Communications System and	 
National Cyber Security Division--plan for and monitor		 
disruptions on voice and data networks. In September 2007, a DHS 
expert task force made three recommendations toward establishing 
an integrated operations center that the department agreed to	 
adopt. To determine the status of efforts to establish an	 
integrated center, GAO reviewed documentation, interviewed	 
relevant DHS and private sector officials, and reviewed laws and 
policies to identify DHS's responsibilities in addressing	 
convergence.							 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-607 					        
    ACCNO:   A82552						        
  TITLE:     Critical Infrastructure Protection: Further Efforts      
Needed to Integrate Planning for and Response to Disruptions on  
Converged Voice and Data Networks				 
     DATE:   06/26/2008 
  SUBJECT:   Communication security				 
	     Communication systems				 
	     Critical infrastructure				 
	     Critical infrastructure protection 		 
	     Cyber security					 
	     Data centers					 
	     Data transmission					 
	     Government information dissemination		 
	     Information technology				 
	     Internal controls					 
	     Network infrastructure components			 
	     Risk management					 
	     Security policies					 
	     Strategic planning 				 
	     Telecommunications 				 
	     Telecommunications networks			 
	     National Communications System			 
	     National Coordination Center			 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-607

   

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to [email protected]. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Subcommittee on Emerging Threats, Cybersecurity, and 
Science and Technology, Committee on Homeland Security, House of 
Representatives: 

United States Government Accountability Office: 
GAO: 

June 2008: 

Critical Infrastructure Protection: 

Further Efforts Needed to Integrate Planning for and Response to 
Disruptions on Converged Voice and Data Networks: 

GAO-08-607: 

GAO Highlights: 

Highlights of GAO-08-607, a report to the Subcommittee on Emerging 
Threats, Cybersecurity, and Science and Technology, Committee on 
Homeland Security, House of Representatives. 

Why GAO Did This Study: 

Technological advances have led to an increasing convergence of 
previously separate networks used to transmit voice and data 
communications. While the benefits of this convergence are enormous, 
such interconnectivity also poses significant challenges to our 
nationï¿½s ability to respond to major disruptions. Two operations 
centersï¿½managed by the Department of Homeland Securityï¿½s (DHS) National 
Communications System and National Cyber Security Divisionï¿½plan for and 
monitor disruptions on voice and data networks. In September 2007, a 
DHS expert task force made three recommendations toward establishing an 
integrated operations center that the department agreed to adopt. To 
determine the status of efforts to establish an integrated center, GAO 
reviewed documentation, interviewed relevant DHS and private sector 
officials, and reviewed laws and policies to identify DHSï¿½s 
responsibilities in addressing convergence. 

What GAO Found: 

DHS has taken the first of three steps toward integrating its centers 
that are responsible for planning for, monitoring, and responding to 
disruptions to the communications infrastructure, including voice and 
data networks, and the security of data and applications that use these 
networks. Specifically, in November 2007, it moved the operations 
center for communications infrastructure (NCC Watch) to office space 
adjacent to the center for data and applications (US-CERT). This close 
proximity allows the approximately 41 coordination center and 95 
readiness team analysts to, among other things, readily collaborate on 
planned and ongoing activities. In addition, the centers have jointly 
acquired common software tools to identify and share physical, 
telecommunications, and cyber information related to performing their 
missions. For example, the centers use one of the tools to develop a 
joint ï¿½morning reportï¿½ specifying their respective network security 
issues and problems, which is used by the analysts in coordinating 
responses to any resulting disruptions. 

While DHS has completed the first integration step, it has yet to 
implement the remaining two steps. Specifically, although called for in 
the task forceï¿½s recommendations, the department has not 
organizationally merged the two centers or invited key private sector 
critical infrastructure officials to participate in the planning, 
monitoring, and other activities of the proposed joint operations 
center. A key factor contributing to DHSï¿½s lack of progress in 
implementing the latter two steps is that completing the integration 
has not been a top DHS priority. Instead, DHS officials stated that 
their efforts have been focused on other initiatives, most notably the 
Presidentï¿½s recently announced cyber initiative, which is a federal 
governmentwide effort to manage the risks associated with the 
Internetï¿½s nonsecure external connections. Nevertheless, DHS officials 
stated that they are in the process of drafting a strategic plan to 
provide overall direction for the activities of the National 
Communications System and the National Cyber Security Division. 
However, the plan is in draft and has been so since mid-2007. In 
addition, DHS officials could not provide a date for when it would be 
finalized. Consequently, the department does not have a strategic plan 
or related guidance that provides overall direction in this area and 
has not developed specific tasks and milestones for achieving the two 
remaining integration steps. 

Until DHS completes the integration of the two centers, it risks being 
unable to efficiently plan for and respond to disruptions to 
communications infrastructure and the data and applications that travel 
on this infrastructure, increasing the probability that communications 
will be unavailable or limited in times of need. 

What GAO Recommends: 

GAO is recommending that the Secretary of Homeland Security complete 
(1) its strategic plan and (2) define tasks and milestones for 
completing remaining integration steps. DHS concurred with GAOï¿½s first 
recommendation. With regard to the second, DHS stated it supports 
integrating overlapping functions, but does not support merging the 
centers. However, there is strong evidence supporting the need to merge 
the centers to enhance incident response. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-607]. For more 
information, contact David A. Powner at (202) 512-9286 or 
[email protected]. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

DHS Has Completed the First of Its Three-Step Integration Approach, but 
Has Yet to Implement the Remaining Steps: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objective, Scope, and Methodology: 

Appendix II: Critical Infrastructure Sectors: 

Appendix III: Comments from the Department of Homeland Security: 

Appendix IV: GAO Contact and Staff Acknowledgments: 

Table: 

Table 1: Critical Infrastructure Sectors and Designated Sector-Specific 
Agencies: 

Figure: 

Figure 1: Packet Switching vs. Circuit Switching: 

Abbreviations: 

DHS: Department of Homeland Security: 

IT: information technology: 

NCC Watch: National Coordination Center Watch: 

NCC: National Coordination Center: 

NCS: National Communications System: 

NCSD: National Cyber Security Division: 

US-CERT: U.S. Computer Emergency Readiness Team: 

[End of section] 

United States Government Accountability Office: Washington, DC 20548: 

June 26, 2008: 

The Honorable James R. Langevin: 
Chairman: 
The Honorable Michael T. McCaul: 
Ranking Member: 
Subcommittee on Emerging Threats, Cybersecurity, and Science and 
Technology: Committee on Homeland Security: 
House of Representatives: 

Effective voice and data networks and the information traveling on them 
are essential to our ability as a nation to maintain public health and 
safety during a catastrophic natural disaster, such as a hurricane, or 
a man-made event, such as a terrorist attack. Technological advances in 
these networks have led to an increasing consolidation of previously 
separate voice and data networks into converged "next generation" 
networks that are capable of transmitting both voice and data on a 
single network. Federal policies assign two Department of Homeland 
Security (DHS) components--the National Cyber Security Division (NCSD) 
and the National Communications System (NCS)--responsibilities for 
planning for and facilitating our nation's response to major 
disruptions on the communications infrastructure, including voice and 
data networks. 

In April 2007, DHS established a task force of subject matter experts 
to study, among other things, whether there were opportunities to merge 
NCSD and NCS operations. In September 2007, the task force made three 
recommendations aimed at integrating aspects of NCSD and NCS 
operations, namely those responsible for preparing for and responding 
to network disruptions. DHS accepted the recommendations and, in doing 
so, adopted a high-level approach for integrating the operations that 
included the following steps: 

* collocating the operations center of the national communications 
system that oversees the communications infrastructure, including voice 
and data networks--namely, the National Coordination Center Watch (NCC 
Watch) with the operations center of the NCSD that oversees the 
security of data and applications that use the communications 
infrastructure--called the U.S. Computer Emergency Readiness Team (US- 
CERT); 

* developing an integrated operations center by merging NCC-Watch and 
US-CERT; and: 

* inviting private sector critical infrastructure officials to 
participate in the planning, monitoring, and other activities of the 
new operations center. 

In response to your request, our objective was to determine the status 
of efforts to integrate NCSD and NCS activities to prepare for and 
respond to disruptions on converged voice and data networks. To 
accomplish this, we reviewed DHS documentation and interviewed DHS 
officials. To determine how these components were addressing 
convergence issues, we interviewed private sector stakeholders to 
obtain their perspectives on DHS's efforts to address convergence and 
reviewed laws and policies to identify DHS's responsibilities in 
addressing convergence. We conducted our work in the Washington, D.C. 
metropolitan area, from September 2007 to June 2008 in accordance with 
generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. Details on our objective, 
scope, and methodology are in appendix I. 

Results in Brief: 

DHS has taken the first of three steps toward integrating its centers 
responsible for planning for and monitoring the communications 
infrastructure, including voice and data networks, and the security of 
data and applications residing on these networks. Specifically, in 
November 2007, it moved the operations center for communications 
infrastructure--NCC Watch--to office space adjacent to the center for 
data and applications--US-CERT. This close proximity allows the 
approximately 41 coordination center and 95 readiness team analysts to, 
among other things, readily collaborate on planned and ongoing 
activities. In addition, the centers have jointly acquired common 
software tools to identify and share physical, telecommunications, and 
cyber information related to performing their missions. For example, 
the centers use one of the tools to develop a joint "morning report" 
specifying their respective security issues and problems, which is used 
by the analysts in coordinating responses to any resulting disruptions. 

While DHS has completed this first integration step, it has yet to 
implement the other two. Specifically, the department has not 
organizationally merged the two centers or invited key private sector 
critical infrastructure officials to participate in the operation of 
the proposed joint center. DHS's lack of progress on the latter steps 
is attributable, in part, to it not making integration a top DHS 
priority. Instead, its management efforts have been focused on other 
priorities, such as the President's recently announced cyber 
initiative. DHS officials stated that they are in the process of 
drafting a strategic plan to provide overall direction for the 
activities of NCS and NCSD, including completing the integration of the 
centers. However, the plan is in draft and has been so since mid-2007. 
In addition, DHS officials could not provide a date for when it would 
be finalized. Consequently, the department does not have a strategic 
plan or related guidance that provides overall direction in this area 
and has not developed specific tasks and milestones for achieving the 
remaining two integration steps. 

Until DHS completes the integration of the two centers, it risks being 
unable to efficiently plan for and respond to disruptions to 
communications infrastructure and the data and applications that reside 
on this infrastructure, increasing the probability that communications 
will be unavailable or limited in times of need. Accordingly, we are 
recommending that the Secretary of DHS complete its strategic plan for 
NCSD and NCS and define the specific tasks and milestones for 
completing the remaining integration steps. 

In commenting on a draft of this report, the department agreed with our 
first recommendation and did not support our second recommendation. 
With regard to the second recommendation, DHS stated that, while it 
supports further integration of overlapping functions, it does not 
support organizationally merging the centers at this time and added 
that the lack of a merger will not impact its ability to respond to 
incidents. We do not agree. To the contrary, there is strong evidence 
that DHS's ability to respond is negatively impacted by the use of 
separate centers, rather than a single integrated and merged entity. 
Our past work has shown that overlapping roles for incident response 
have adversely affected DHS's ability to prioritize and coordinate 
incident response activities. 

Background: 

An effective communications infrastructure, including voice and data 
networks, is essential to our ability as a nation to maintain public 
health and safety during a catastrophic natural disaster, such as a 
hurricane, or a man-made event, such as a terrorist attack. 
Technological advances in these networks have led to a convergence of 
the previously separate networks used to transmit voice and data 
communications. These new networks--next generation networks--are 
capable of transmitting both voice and data on a single network and 
eventually will be the primary means for voice and data transmissions. 

Converged voice and data networks have many benefits. For example, 
these networks use technology based on packet switching, which allows 
greater resiliency. Packet switching involves breaking a message into 
packets, or small chunks of data, and transferring the packets across a 
network to a destination where they are recombined. The resiliency of 
using a packet-switching network is due to the packet's ability to be 
transmitted over multiple routes, avoiding areas that may be congested 
or damaged. Conversely, conventional voice services use traditional 
telephone networks, which are based on circuit switching technology. 
Instead of breaking a message up into packets, circuit-switching uses a 
dedicated channel to transmit the voice communication. Once all of the 
channels are occupied, no further connections can be made until a 
channel becomes available. Figure 1 shows a comparison between packet 
switching and circuit switching. 

Figure 1: Packet Switching vs. Circuit Switching: 

[See PDF for image] 

This figure contains illustrations of Packet Switching vs. Circuit 
Switching, as follows: 

Packet-switched network: 

Original message: Mr. Watson, Come here. I need you.
Broken into packets; 
Routed across a network path that can be modified as needed; 
Reassembled to form original message. 

Circuit-switched network: 
Original message: Mr. Watson, Come here. I need you.
Broken into packets; 
Routed across a fixed network path; 
Reassembled to form original message. 

Source: GAO analysis; Art Explosion (images). 

[End of figure] 

Converged networks, however, also pose certain technical challenges. 
For example, current national programs to provide priority voice 
services in an emergency are based primarily on voice or traditional 
telephone networks, which are circuit-switched. Implementing these 
networks on packet-switched networks is difficult because there is no 
uniformly accepted standard for providing priority service on a packet- 
switched network. Also, the Internet-based protocols used on packet- 
switched networks have vulnerabilities and in certain cases, packet- 
switched networks may be unreliable for emergency communications due to 
delays in transmission and loss of packets. 

Federal Policies Provide for Critical Infrastructure Protection for 
Communications: 

Federal policies[Footnote 1] call for the protection of essential 
public and private infrastructures, such as the electric power grid, 
chemical plants, and water treatment facilities that control the vital 
functions critical to ensuring our national economic security and 
public health and safety. These infrastructures, called critical 
infrastructures, also include communications infrastructure, such as 
voice and data communication networks. Federal policies also designate 
certain federal agencies as lead points of contact for each key 
critical infrastructure sector and assign responsibility for 
infrastructure protection activities and for coordination with other 
relevant federal agencies, state and local governments, and the private 
sector. (See app. II for a description of the sectors and the 
designated federal agencies.) DHS is the lead federal agency for both 
the telecommunications and information technology (IT) sectors. DHS is 
also designated as the focal point for the security of cyberspace-- 
including analysis, warning, information sharing, vulnerability 
reduction, mitigation, and recovery efforts for public and private 
critical infrastructure information systems. 

As part of its responsibilities, DHS created the National 
Infrastructure Protection Plan[Footnote 2] to coordinate the protection 
efforts of critical infrastructures. The plan recognizes the Internet 
as a key resource composed of assets within both the IT and the 
telecommunications sectors. It notes that the Internet is used by all 
critical infrastructure sectors to varying degrees and that it provides 
information and communications to meet the needs of businesses, 
government, and the other sectors. The National Infrastructure 
Protection Plan requires lead federal agencies for the critical 
infrastructure sectors to work with public and private sector 
stakeholders to develop sector-specific plans that address how the 
sectors' stakeholders will improve the security of their assets, 
systems, networks, and functions. We recently reported[Footnote 3] on 
how comprehensively these sector-specific plans address the cyber 
security aspects of their sectors, including the plans for the IT and 
telecommunications sectors. We found that the plans varied in how 
sector stakeholders identified their cyber risks and developed plans to 
identify, respond to, and recover from a cyber attack. Accordingly, we 
recommended specific measures to help DHS strengthen the development, 
uniformity, and use of the plans. 

DHS's Office of Cyber Security and Communications Is Responsible for 
Both Cyber and Telecommunications Security and Recovery: 

Federal policies[Footnote 4] provide DHS the lead responsibility for 
facilitating a public-private response to disruptions to major 
communications infrastructure, such as voice and data networks. Within 
DHS, the responsibility is assigned to NCSD and NCS in the Office of 
Cyber Security and Communications. NCSD has responsibility for the 
security of data and applications and executes this duty via its 
operations center--US-CERT--while NCS has responsibility for the 
communications infrastructure that carries data and applications and 
carries out its duty through its coordination center, NCC, and its 
operations center, NCC Watch. 

National Cyber Security Division: 

In June 2003, DHS created NCSD to serve as the national focal point for 
addressing cyber security issues. NCSD's mission is to secure 
cyberspace and America's cyber assets in cooperation with public, 
private, and international entities. The division carries out its 
mission via its US-CERT operations center, which is responsible for, 
among other things, analyzing and addressing cyber threats and 
vulnerabilities and disseminating cyber-threat warning information. In 
the event of a security issue or disruption affecting data and 
applications, US-CERT is to facilitate coordination of recovery 
activities with the network and security operations centers of owners 
and operators of these networks and with government officials (e.g., 
incident response teams) responsible for protecting government 
networks. NCSD is the government lead on a public/private partnership 
supporting US-CERT and serves as the lead for the federal government's 
cyber incident response through the National Cyber Response 
Coordination Group. This group is the principal federal interagency 
mechanism for coordinating the preparation for and response to 
significant cyber incidents, such as a major Internet disruption, and 
includes members from 19 federal departments and agencies.[Footnote 5] 

National Communications System: 

NCS is responsible for ensuring that communications infrastructure used 
by the federal government is available under all conditions--ranging 
from normal situations to national emergencies and international 
crises. The system does this through several activities, including a 
program that gives calling priority to federal executives, first 
responders, and other key officials in times of emergency. NCS was 
established by presidential direction[Footnote 6] in August 1963 in 
response to voice communication failures associated with the Cuban 
Missile Crisis. Its role was further clarified through an executive 
order[Footnote 7] issued in April 1984 that established the Secretary 
of Defense as the executive agent for NCS. In 2003, it was transferred 
to the responsibility of the Secretary of DHS.[Footnote 8] 

NCS is composed of members from 24 federal departments and agencies. 
Although it originally focused on "traditional" voice services via 
common carriers, NCS has now taken a larger role in Internet-related 
issues due to the convergence of voice and data networks. For example, 
it now helps manage issues related to disruptions of the Internet 
backbone (e.g., high-capacity data routes). NCC, which serves as the 
coordination component of NCS, is the point of contact with the private 
sector on issues that could affect the availability of the 
communications infrastructure. According to DHS, the center includes 47 
members from major telecommunications organizations, such as Verizon 
and AT&T. These members represent 95 percent of the wireless and wire 
line telecommunications service providers and 90 percent of the 
Internet service provider backbone networks. 

During a major disruption in telecommunications services, NCC Watch is 
to coordinate with NCC members in an effort to restore service as soon 
as possible. In the event of a major Internet disruption, it is to 
assist recovery efforts through its partnerships and collaboration with 
telecommunications and Internet-related companies. Using these 
partnerships, NCC has also created several programs that, in times of 
emergency, provide calling priority in to enable first responders and 
key officials at all levels to communicate using both landline phones 
and cellular devices. 

Federal and Private Sector Experts Have Recommended a More Integrated 
Approach to Planning for and Responding to Disruptions on Converged 
Networks: 

Since February 2002, we, along with federal government and private 
sector experts, have examined the convergence of voice and data 
networks into next generation networks. All these experts recommend 
that federal agencies such as DHS adopt an integrated approach-- 
including integrating their organizations--to planning for and 
responding to network disruptions.[Footnote 9] In February 2002, before 
the formation of DHS, a White House advisory group recommended that the 
federal government develop such an approach.[Footnote 10] Specifically, 
it found that timely information sharing was essential to effective 
incident response, that existing coordination within the government was 
ineffective and needed senior management attention, and that NCS should 
broaden its capabilities to include more IT industry expertise. 

In March 2006, the National Security Telecommunications Advisory 
Committee, a presidential advisory group, also recommended that DHS 
develop an integrated approach to incident response on next generation 
networks and update priority communications programs to improve 
existing recovery abilities.[Footnote 11] The committee recommended 
that DHS establish an inclusive and effective incident response 
capability that includes functions of the NCC and a broadened 
membership, including firms in the IT sector. The committee also stated 
that most new communications providers are not members of the NCC, were 
not easily accessible during an incident, and had not yet developed 
close working relationships with other industry stakeholders and the 
federal government. 

In June 2006, we recommended that DHS improve its approach to dealing 
with disruptions by examining the organizational structure of NCSD and 
NCS in light of the convergence of voice and data networks. We found 
that DHS had overlapping responsibilities for incident response, which 
affected the ability of DHS to prioritize and coordinate incident 
response activities.[Footnote 12] 

Furthermore, in December 2006, the Telecommunications and Information 
Technology Information Sharing and Analysis Centers, composed of 
representatives of private telecommunications and IT companies, sent a 
letter to DHS asking that the department develop a plan to integrate 
critical infrastructure protection efforts including planning for and 
responding to disruptions. In a January 2007 written response signed by 
the Assistant Secretary for Cyber Security and Communications, DHS 
agreed with the importance of this effort and stated that developing a 
road map for integration was a priority. 

Moreover, in April 2007, the two information sharing and analysis 
centers established a task force (referred to as a "tiger team" by DHS) 
with DHS that, among other things, identified overlapping 
responsibilities between NCC Watch and US-CERT in the following areas: 
[Footnote 13] 

* developing and disseminating warnings, advisories, and other urgent 
notifications; 

* evaluating the scope of an event; 

* facilitating information sharing; 

* deploying response teams during an event; 

* integrating cyber, communications, and emergency response exercises 
into operational plans and participation; and: 

* the management of relationships with others, such as industry 
partners. 

Consequently, the tiger team task force recommended merging the two 
centers to establish an integrated operations center and further 
recommended that DHS adopt a three-step approach to integration of the 
centers. The approach should include: 

* moving NCC Watch to office space physically adjacent to US-CERT; 

* developing an integrated operations center by merging US-CERT and NCC 
Watch, and: 

* inviting private sector critical infrastructure officials to join 
this new center. 

In addition to these three steps, the task force also recommended 
specific actions to be taken in implementing them. For example, in 
developing an integrated operations center by merging NCC Watch and US- 
CERT, the task force recommended, among other things, that DHS (1) 
appoint a project manager to lead this effort; (2) develop policies and 
procedures that integrate operations and address overlapping 
responsibilities, including how the new center is to respond in an 
integrated manner to threats and incidents; and (3) establish 
performance measures to monitor progress. In addition, with regard to 
involving key private sector critical infrastructure officials in the 
new center, the task force recommended that the department also appoint 
a project manager to lead this effort. This effort would include 
seeking participation of appropriate private sector officials, 
identifying any potential legal issues to having these officials serve 
in the new center, and developing measures to monitor progress. 

In September 2007, DHS approved the report, accepting the 
recommendations and adopting the three-step approach. 

DHS Has Completed the First of Its Three-Step Integration Approach, but 
Has Yet to Implement the Remaining Steps: 

DHS has taken the first of three steps toward integrating NCSD and NCS 
by moving the two centers, NCC Watch and US-CERT, to adjacent office 
space in November 2007. This close proximity allows the approximately 
41 coordination center and 95 readiness team analysts to, among other 
things, readily collaborate on planned and ongoing activities. In 
addition, the centers have jointly acquired common software tools to 
identify and share physical, telecommunications, and cyber information 
related to performing their missions. For example, the centers use one 
of the tools to develop a joint "morning report" specifying their 
respective security issues and problems, which is used by the analysts 
in coordinating responses to any resulting disruptions. 

While DHS has completed the first step, it has yet to implement the 
remaining two steps and supporting actions. Specifically, the 
department has not organizationally merged or integrated operation 
centers or completed any of the supporting actions. For example, the 
department has not hired a project manager, developed common operating 
procedures, or established progress measures. In addition, according to 
DHS officials, they have no efforts planned or underway to implement 
this step and associated actions. 

With regard to involving key private sector officials to participate in 
the proposed joint center,[Footnote 14] the department has not 
accomplished this step and supporting actions either. For example, it 
has not hired a project manager or sought participation of appropriate 
private sector officials to work at the new center. DHS officials told 
us they also have no efforts planned or underway to implement this step 
and its supporting actions. 

A key factor contributing to DHS's lack of progress in implementing 
these steps is that completing the integration is not a top department 
priority. Instead, DHS officials stated that their efforts have been 
focused on other initiatives, most notably the President's recently 
announced cyber initiative, which is a federal governmentwide effort to 
manage the risks associated with the Internet's nonsecure external 
connections. Officials from DHS's Office of Cyber Security and 
Communications stated that they are in the process of drafting a 
strategic plan to provide overall direction for the activities of NCS 
and NCSD, including completing the integration of the centers. However, 
the plan is in draft and has been so since mid-2007. In addition, DHS 
officials could not provide a date for when it would be finalized. 
Consequently, the department does not have a strategic plan or related 
guidance that provides overall direction in this area and has not 
developed specific tasks and milestones for achieving the remaining two 
integration steps. 


Until DHS completes the integration of these two centers, it risks 
being unable to efficiently plan for and respond to disruptions to 
communication infrastructure, including voice and data networks, and 
the information traveling on these networks, increasing the probability 
that communications will be unavailable or limited in times of need. 

Conclusions: 

While DHS has taken initial steps toward integrating the key centers 
that plan for and respond to disruptions to the communications 
infrastructure, including voice and data networks, and the data and 
applications on these networks, these offices are still not fully 
integrated as envisioned. Consequently, the risks associated with not 
having a fully integrated response to disruptions to the communications 
infrastructure remain. Effectively mitigating these risks will require 
swift completion of the integration. To do this will also require 
strong leadership to make the integration effort a department priority 
and to managing it accordingly, including completing the strategic plan 
and defining remaining integration tasks and milestones. To do less 
will continue to expose the nation's communications networks to 
continuing risk of inadequate response to an incident. 

Recommendations for Executive Action: 

We are making two recommendations to the Secretary of Homeland Security 
to direct the Assistant Secretary for Cyber Security and Communications 
to: 

* Establish milestones for completing the development and 
implementation of the strategic plan for NCSD and NCS. 

* Define specific tasks and associated milestones for establishing the 
integrated operations center through merging NCC Watch and US-CERT and 
inviting and engaging key private sector critical infrastructure 
officials from additional sectors to participate in the operations of 
the new integrated center. 

Agency Comments and Our Evaluation: 

In written comments on a draft of this report (see app. III), signed by 
the Acting Director of DHS's Departmental Liaison Office, the 
department concurred with our first recommendation and stated it is 
taking steps to implement it. Specifically, the department said that as 
part of its effort to develop and implement a strategic plan, it 
intends to take into consideration, among other things, the 
recommendations of the various expert groups that have studied issues 
confronting DHS in this area and the lessons learned from collocating 
the two centers. Further, the department stated that this strategic 
planning also is to provide for integrating the centers' existing 
overlapping functions with the aim of increasing mission effectiveness. 

With regard to our second recommendation, DHS stated that, while it 
supports further integration of overlapping functions, it does not 
support organizationally merging the centers at this point and added 
that the lack of a merger will not impact its ability to respond to 
incidents. 

We do not agree. To the contrary, there is strong evidence that shows 
that DHS's ability to respond is negatively impacted by the use of 
separate centers, rather than a single integrated and merged entity. 
Specifically, our past work has shown that overlapping responsibilities 
for incident response have adversely affected DHS's ability to 
prioritize and coordinate incident response activities. For example, 
private-sector firms have reported that in responding to a critical 
incident, DHS made time-consuming and duplicative requests for 
information without identifying how this information would be 
beneficial in helping respond to the event. In addition, the DHS- 
commissioned expert task force on the subject recently reported that 
without an organizationally integrated center, the department will not 
have a comprehensive operating picture of the nation's cyber and 
communications infrastructure and thus not be able to effectively 
implement activities necessary to prepare, protect, respond, and 
recover this infrastructure. Further, our interviews with private- 
sector cyber and communications infrastructure executives performed as 
part of this engagement found that they also favor a merged 
organization that includes broad industry participation. This evidence 
calls for DHS to take a closer look at the issue of whether to merge 
the centers. 

DHS also commented on the report's description of the roles and 
responsibilities of NCC and US-CERT. Specifically, DHS noted that our 
original characterization of NCC as dealing with voice systems and US- 
CERT with data systems was not totally accurate. Instead, DHS offered 
that a more accurate distinction would be that NCC deals with 
communication infrastructure, including voice and data networks, and US-
CERT deals with the security of systems and data using the networks, 
which DHS commonly refers to as cyber situational awareness and 
response. We agree with this comment and have incorporated it in the 
report where appropriate. 

In addition to its written response, the department also provided 
technical comments that we have incorporated in the report where 
appropriate. 

We will send copies of this report to interested congressional 
committees, the Secretary of Homeland Security, and other interested 
parties. In addition, this report will be available at no charge on 
GAO's Web site at [hyperlink, http://www.gao.gov]. If you have any 
questions on matters discussed in this report, please contact David A. 
Powner at (202) 512-9286 or at [email protected]. Contact points for our 
Offices of Congressional Relations and Public Affairs may be found on 
the last page of this report. GAO staff who made major contributions to 
this report are listed in appendix IV. 

Signed by: 

David A. Powner: 
Director, Information Technology Management Issues: 

[End of section] 

Appendix I: Objective, Scope, and Methodology: 

Our objective was to determine the status of Department of Homeland 
Security (DHS) efforts to integrate the activities of its National 
Cyber Security Division (NCSD) and National Communications System (NCS) 
in preparing for and responding to disruptions in converged voice and 
data networks. 

To accomplish this, we first analyzed pertinent laws, policies, and 
related DHS documentation (e.g., charters and mission statements) 
showing the responsibilities of NCSD and NCS, particularly with regard 
to the increasing convergence of voice and data networks. We also 
analyzed key studies on DHS's approach to managing convergence. We did 
this to identify key findings and recommendations pertinent to our 
objective. In particular, we focused on the Industry-Government Tiger 
Team Report and Recommendations for a Cyber Security and Communications 
Joint Operations Center, which recommended establishing an integrated 
operations center. DHS adopted the recommendations as part of its three-
step approach to establish such a capability by (1) moving the National 
Coordination Center (NCC) Watch to office space physically adjacent to 
the US Computer Emergency Readiness Team (US-CERT), (2) developing an 
integrated operations center by merging NCC Watch and US-CERT, and (3) 
inviting private sector critical infrastructure officials to 
participate in this new center. We also interviewed DHS and industry 
officials who served on the tiger team task force and developed the 
report findings and recommendations. 

To determine the status of DHS's efforts to integrate the centers, we 
analyzed department progress against the three steps specified in DHS's 
approach. We also obtained and analyzed plans and related documentation 
from DHS on its status in establishing an integrated operations center 
capability. In particular, we assessed department plans and related 
documentation on the status of collocating and merging the NCS and NCSD 
operations centers. In addition, we analyzed documentation on DHS's 
status in inviting key private sector infrastructure officials to join 
the operations of the new center. We also interviewed relevant 
officials in these organizations, including the managers of the 
National Coordination Center and the U.S. Computer Emergency Readiness 
Team, the Director of NCS, and the Acting Director of NCSD, to get 
their perspectives and to validate our understanding of their efforts 
to date. We also interviewed private sector officials--including the 
Chair of the Communications Information Sharing and Analysis Center and 
the President and Vice President of the IT Information Sharing and 
Analysis Center--to obtain their perspectives on DHS's progress in 
addressing convergence, including establishing the integrated center 
and to determine whether they had received DHS invitations to 
participate in the operation of the integrated center. 

Next, to identify gaps, we compared the state of DHS's progress against 
the task force recommendations adopted by DHS as part of its three step 
approach to integration. When gaps were identified, we also interviewed 
responsible DHS officials to determine any causes and their impact. 

We conducted this performance audit in the Washington, D.C. 
metropolitan area from September 2007 to June 2008 in accordance with 
generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives. 

[End of section] 

Appendix II: Critical Infrastructure Sectors: 

Table 1: Critical Infrastructure Sectors and Designated Sector-Specific 
Agencies: 

Sector: Agriculture and food; 
Sector-specific agency: Department of Agriculture, Department of Health 
and Human Services, Food and Drug Administration[A]. 

Sector: Banking and finance; 
Sector-specific agency: Department of the Treasury. 

Sector: Chemical; 
Sector-specific agency: Department of Homeland Security. 

Sector: Commercial facilities; 
Sector-specific agency: Department of Homeland Security. 

Sector: Commercial nuclear reactors, materials, and waste; 
Sector-specific agency: Department of Homeland Security. 

Sector: Critical Manufacturing; 
Sector-specific agency: Department of Homeland Security. 

Sector: Dams; 
Sector-specific agency: Department of Homeland Security. 

Sector: Defense industrial base; 
Sector-specific agency: Department of Defense. 

Sector: Drinking water and water treatment systems; 
Sector-specific agency: Environmental Protection Agency. 

Sector: Emergency services; 
Sector-specific agency: Department of Homeland Security. 

Sector: Energy; 
Sector-specific agency: Department of Energy. 

Sector: Government facilities; 
Sector-specific agency: Department of Homeland Security. 

Sector: Information technology; 
Sector-specific agency: Department of Homeland Security. 

Sector: National monuments and icons; 
Sector-specific agency: Department of the Interior. 

Sector: Postal and shipping; 
Sector-specific agency: Department of Homeland Security. 

Sector: Public health and health care; 
Sector-specific agency: Department of Health and Human Services. 

Sector: Telecommunications; 
Sector-specific agency: Department of Homeland Security. 

Sector: Transportation systems; 
Sector-specific agency: Department of Homeland Security. 

Sources: The National Infrastructure Protection Plan, Homeland Security 
Presidential Directive 7, and the National Strategy for Homeland 
Security. 

[A] The Department of Agriculture is responsible for food (including 
meat, poultry, and eggs) and agriculture; and the Department of Health 
and Human Services, Food and Drug Administration, is responsible for 
food other than meat, poultry, and egg products. 

[End of table] 

[End of section] 

Appendix III: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 
[hyperlink, http://www.dhs.gov]: 

Mr. David A. Powner: 
Director: 
Information Technology Management Issues: 
United States Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Powner: 

Thank you for the opportunity to review and comment on the Government 
Accountability Office's (GAO's) Draft Report GAO-08-607 entitled 
Critical Infrastructure Protection: Further Efforts Needed to Integrate 
Planning for and Response to Disruptions on Converged Voice and Data 
Networks. Technical comments have been provided under separate cover. 

General Comments: 

1. This GAO report deals with the issue of the convergence of the 
communications and IT sectors by focusing primarily on the integration 
of the National Communications System's (NCS) National Coordinating 
Center (NCC) and the National Cyber Security Division's (NCSD) U.S. 
Computer Emergency Readiness Team (US-CERT). The fundamental concern is 
as technology converges into the Next Generation Network (NGN), this 
network continues to support national security and emergency 
preparedness (NS/EP) needs. 

NCS and NCSD have established a variety of programs to ensure NS/EP 
communications are available during crisis and disasters when the 
general public's ability to communicate has been interrupted. The NCS 
is working to ensure priority services continue as industry converts to 
an Internet Protocol (IP) based transport network. 

Current projections for NS/EP NGN priority voice over IP (VoIP) include 
an Initial Operational Capability (IOC) in 2012 while projections for 
NS/EP NGN broadband (data) priority services IOC is delayed due to 
receiving less funding than requested in FY 2008. Until these priority 
services are fielded, NS/EP priority voice and data communications over 
next generation IP networks will be unavailable to support Continuity 
of Government (COG) and Continuity of Operations (COOP) mission 
critical applications in times of crisis. This represents a greater 
risk to the ability of the Department to efficiently plan for and 
respond to voice and data network disruptions. 

2. Much of this GAO report accepts the September 2007 recommendations 
of a "Tiger Team" to study the possibility of establishing a Cyber 
Security & Communications (CS&C) Joint Operations Center. The Tiger 
Team recommended merging US-CERT and NCC through a three-step approach. 
Given the importance of collaboration, US-CERT and NCC acted quickly to 
implement the fast step by co-locating their facilities in November 
2007. The co-location has ensured close coordination and improved 
information sharing between the two watches. The recent Estonia denial 
of service attack illustrated the capability of the NCC and US-CERT to 
jointly respond to an incident in an efficient and effective manner. 

Co-locating these two centers has certainly increased the effectiveness 
of each, and further integration of certain complementary functions 
will likely yield better results. However, merging these two centers 
organizationally is not a top priority for a number of operational 
reasons: 

* NCSD and NCS have focused time and resources on other initiatives, 
such as the Comprehensive National Cyber Initiative and the NGN (see 
General Comment #1 above). 

* Although NCC and US-CERT have significant interdependencies which 
will increase as voice and data technologies converge, they have 
distinct missions, as described in General Comment #3 below. 

* The increased coordination between the NCC and US-CERT has shown the 
uniqueness of their functions. This GAO report cites a list of 
overlapping responsibilities identified by the Tiger Team; however the 
execution of these responsibilities has proved to be different in 
several cases due to different subject matter, audiences, and missions 
(see Technical Comments, GAO Report page 11). 

* Workspace classification level is another distinction between the two 
watches. US-CERT requires TS/SCI capability for its operations center, 
while NCS must maintain an operating space at SECRET and unclassified 
levels to coordinate with its industry partners. A merged watch would 
still require separate spaces to perform all of the necessary 
functions. 

GAO's statement that without a merger, DHS risks not being able to 
efficiently plan for and respond to voice and data network disruptions 
is inaccurate. US-CERT and NCC have demonstrated through their 
collaborative planning and operational processes that there is little 
to no risk that a response cannot be planned and executed in limes of 
need. 

3. Throughout this report, the distinction between the NCC and the US-
CERT is made by characterizing NCC as dealing with voice systems and US-
CERT with data systems. This is not an accurate distinction. The 
mission of the NCC, as established by Executive Order 12472, is to 
assist in the initiation, coordination, restoration, and reconstitution 
of NS/EP telecommunications services or facilities under all conditions 
of crisis or emergency. Telecommunications services, as defined by the 
Federal Communications Commission, is "the transmission, emission, or 
reception of signals, signs, writing, images, sounds or intelligence of 
any nature, by wire, cable, satellite, fiber optics, laser, radio, 
visual or other electronic, electric, electromagnetic, or acoustically 
coupled means, or any combination thereof." This clearly encompasses 
more than just voice. A more accurate distinction between the NCC and 
USCERT would be: 

* NCC deals with communications infrastructure; 
* US-CERT deals with cyber situational awareness and response. 

To a large extent, the NCS deals with the infrastructure backbone and 
NCSD deals with the data and applications that ride on that backbone. 
This interdependence is illustrated by the fact that the internet 
backbone is owned largely by NCC industry members. Both NCC and US-CERT 
deal with all types of information transfer, whether it be voice, data, 
or multimedia. Indeed, as we move towards the NGN, the distinction 
between voice and data becomes less relevant. Certainly 
interdependencies between communications infrastructure and cyber 
security will increase and the collaboration between NCC and US-CERT 
will create synergies and efficiencies, but there will always be a need 
for two distinct functions: ensure communications infrastructure 
supports NS/EP requirements and ensure the data and applications riding 
that infrastructure are secure. 

Recommendation 1: 

* establish milestones for completing the development and 
implementation of the strategic plan for NCSD and NCS, and: 

Response: 

The NCS and NCSD concur with this recommendation and are taking steps 
to address it. However, the NCS and NCSD strategic plans, as an element 
of the CS&C strategic plan, should take into consideration not only the 
recommendations from the National Security Telecommunications Advisory 
Committee and the Tiger Team, but also lessons learned since co-
locating NCC and USCERT in November 2007. Co-location has provided a 
heightened awareness of the NCC's and USCERT's distinct missions and 
operational requirements. The NCS and NCSD strategic plans should 
provide vision for communication collaboration while integrating 
overlapping functions that will increase the effectiveness of each 
organization. 

Recommendation 2: 

* define specific tasks and associated milestones for establishing the 
integrated operations center through merging NCC and US-CERT and 
inviting and engaging key private sector critical infrastructure 
officials to participate in the operations of the new integrated 
center. 

Response: 

As discussed in the General Comments, NCSD and NCS have distinct 
missions and operational requirements. Ensuring collaboration between 
NCC and US-CERT is paramount to successful response to national events. 
However, merging these two centers organizationally may not be 
practical or efficient for a number of operational reasons. NCS and 
NCSD support further integration of certain overlapping functions as 
appropriate, but they do not support organizationally merging the NCC 
and US-CERT at this time. 

Thank you again for the opportunity to comment on this Draft Report and 
we look forward to working with you on future homeland security issues. 

Signed by: 

Penelope G. McCormack: 
Acting Director: 
Departmental Audit Liaison Office: 

[End of section] 

Appendix IV: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

David A. Powner, (202) 512-9286 or [email protected]: 

Staff Acknowledgments: 

In addition to the individual named above, Gary Mountjoy (Assistant 
Director), Scott Borre, Camille Chaires, Neil Doherty, Vijay D'Souza, 
Nancy Glover, Lee McCracken, and Jeffrey Woodward made key 
contributions to this report. 

[End of section] 

Footnotes: 

[1] Homeland Security Presidential Directive Number 7 (Washington, 
D.C., December 2003), National Infrastructure Protection Plan 
(Washington, D.C., June 2006), National Response Framework (Washington, 
D.C., January 2008), and National Strategy to Secure Cyberspace 
(Washington, D.C., February 2003). 

[2] Department of Homeland Security, National Infrastructure Protection 
Plan, (Washington, D.C., 2006). 

[3] GAO, Critical Infrastructure Protection: Sector-Specific Plans' 
Coverage of Key Cyber Security Elements Varies, [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-08-113] (Washington, D.C.: Oct. 
31, 2007). 

[4] See, for example, National Strategy to Secure Cyberspace, the 
National Infrastructure Protection Plan, the Cyber Incident Annex to 
the National Response Framework, and Homeland Security Presidential 
Directive 7. 

[5] They are the Central Intelligence Agency; the Departments of 
Agriculture, Commerce, Defense, Energy, Health and Human Services, 
Homeland Security, Interior, Justice, State, Transportation, and the 
Treasury; the Director of National Intelligence; the Environmental 
Protection Agency; the Homeland Security Council; the National Security 
Agency; the National Security Council; the National Counterintelligence 
Executive; and the Office of Management and Budget. 

[6] National Security Action Memorandum 252. 

[7] Executive Order No. 12472, Section 1.e, April 3, 1984. 

[8] Executive Order No. 12386, March 1, 2003. 

[9] GAO, Internet Infrastructure: DHS Faces Challenges in Developing a 
Public/Private Recovery Plan, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-06-672] (Washington, D.C.: June 16, 2006) and The 
President's National Security Telecommunications Advisory Committee, 
Next Generation Network Task Force Report (Washington, D.C., Mar. 28, 
2006). 

[10] White House Convergence Working Group, Impact of Network 
Convergence on NS/EP Telecommunications: Initial Findings and FY02/FY03 
Programmatic Recommendations Information Infrastructure Protection 
Assurance Group (IIPAG) (Washington, D.C., July 2001). 

[11] National Security Telecommunications Advisory Committee, Next 
Generation Networks Task Force Report. 

[12] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-672]. 

[13] Industry Telecommunication and IT Sector Representatives, 
Government Tiger Team Report and Recommendations for a Cyber Security 
and Communications Joint Operations Center (Washington D.C., September 
2007). 

[14] While officials from the telecommunications sector serve on the 
NCC and private sector IT firms have relationships with US-CERT, the 
tiger team task force recommended expanding membership of the new joint 
operations center to include officials from the other 16 critical 
infrastructure sectors. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 

policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548: 

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: [email protected]: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, [email protected]: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, [email protected]: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: 

*** End of document. ***