Critical Infrastructure Protection: Comments on the National Plan for
Information Systems Protection (Statement/Record, 02/01/2000,
GAO/T-AIMD-00-72).

Pursuant to a congressional request, GAO discussed the National Plan for
Information Systems Protection, focusing on: (1) a detailed overview of
the plan; (2) opportunities for sharpening the plan's proposals for
improving the federal government's security programs; and (3) the
challenges facing the government in building the public-private
partnerships necessary for comprehensive infrastructure protections.

GAO noted that: (1) the National Plan for Information Systems Protection
is intended as a first major element of a more comprehensive effort to
protect the nation's information systems and critical assets from future
attacks; (2) this preliminary version focuses largely on federal efforts
being undertaken to protect the nation's critical cyber-based
infrastructures; (3) subsequent versions are to address a broader range
of concerns, including the specific role industry and state and local
governments will play in protecting physical and cyber-based
infrastructures from deliberate attack as well as international aspects
of critical infrastructure protection; (4) the end goal of this process
is to develop a comprehensive national strategy for infrastructure
assurance as envisioned by Presidential Decision Directive 63; (5)
making the federal government a model of good information security is
essential to the plan's success; (6) recent audits conducted by GAO and
agency inspectors general show that 22 of the largest federal agencies
have significant computer security weaknesses, ranging from poor
controls over access to sensitive systems and data, to poor control over
software development and changes, and nonexistent or weak continuity of
service plans; (7) agencies have not established security management
programs to ensure that controls, once implemented properly, are
effective on an ongoing basis; (8) GAO also observed that other
crosscutting actions--ranging from clarifying the roles and
responsibilities of the many entities involved in information security
to strengthening oversight, to securing adequate technical expertise and
funding--were needed in seven key areas to provide greater assurance
that critical infrastructure objectives can be met; (9) the second facet
of the plan focuses on developing a public-private partnership to
protect the nation's infrastructure; and (10) in doing so, the plan
proposes developing mechanisms and improving incentives for the private
sector to cooperate voluntarily with the federal government, as well as
with state and local governments, to work together to provide for the
common defense of the infrastructure.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-00-72
     TITLE:  Critical Infrastructure Protection: Comments on the
	     National Plan for Information Systems Protection
      DATE:  02/01/2000
   SUBJECT:  Internal controls
	     Computer networks
	     Data integrity
	     Information resources management
	     Information systems
	     Computer security
	     Strategic information systems planning
	     Joint ventures
IDENTIFIER:  National Plan for Information Systems Protection

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************

   * For Release at
   * 10 a.m.
   * Tuesday,
   * February 1, 2000

GAO/T-AIMD-00-72

critical infrastructure protection

Comments on the National Plan for Information Systems Protection

        Statement for the Record by

Jack L. Brock, Jr., Director

Governmentwide and Defense Information Systems

Accounting and Information Management Division

Testimony

Before the Subcommittee on Technology, Terrorism and Government Information,
Committee on the Judiciary, U.S. Senate

United States General Accounting Office

GAO

Mr. Chairman and Members of the Subcommittee:

I am pleased to be here today to discuss the National Plan for Information
Systems Protection. This plan calls for new initiatives to strengthen the
nation's defenses against threats to public and private sector information
systems that are critical to the country's economic and social welfare,
particularly those supporting public utilities, telecommunications, finance,
emergency services, and government operations. As a "preliminary" document,
it is intended to begin a dialogue on its proposals and lead to the
development of plans for protecting other elements of the nation's
infrastructure, including those pertaining to the physical infrastructure
and specific roles and responsibilities for state and local governments and
the private sector.

Beginning this dialogue is vital. As I stressed at this Subcommittee's
October 1999 hearing on critical infrastructure protection, our nation's
computer-based infrastructures are at increasing risk of severe disruption.
The dramatic increase of computer interconnectivity-while facilitating
communications, business processes, and access to information-has increased
the risk that problems affecting one system will also affect other
interconnected systems. Massive computer networks provide pathways among
systems that, if not properly secured, can be used to gain unauthorized
access to data and operations from remote locations. While the threats or
sources of these problems can include natural disasters, such as
earthquakes, and system-induced problems, government officials are
increasingly concerned about attacks from individuals and groups with
malicious intentions, such as terrorists and nations engaging in information
warfare.

This plan is an important and positive step forward toward building the
cyber defense necessary to protect critical information assets and
infrastructures.

   * It identifies risks associated with our nation's dependence on
     computers and computer networks for critical services.
   * It recognizes the need for the federal government to take the lead in
     addressing critical infrastructure risks and to serve as a model for
     information security.
   * It outlines key concepts and general initiatives to assist in achieving
     these goals.

In doing this, the plan addresses many of the same points we raised at last
October's hearing, including the need for improved standards, strengthened
evaluations and oversight of agency performance, increased technical
expertise, adequate funding, and improved incident detection and response
capabilities.

However, there are opportunities for improvement as the plan is further
developed as well as significant challenges that must be addressed to build
the public-private partnerships necessary for infrastructure protection. In
particular, we believe the plan should place more emphasis on providing
agencies the incentives and tools to implement the management controls
necessary to assure comprehensive computer security programs, as opposed to
its current strong emphasis on implementing intrusion detection
capabilities. In addition, the plan relies heavily on legislation and
requirements already in place that, as a whole, are outmoded and inadequate
as well as poorly implemented by the agencies.

Mr. Chairman, my testimony today will provide a more detailed overview of
the plan, identify opportunities for sharpening the plan's proposals for
improving the federal government's security programs, and outline the
challenges facing the government in building the public-private partnerships
necessary for comprehensive infrastructure protections.

Overview of the National Plan for Information Systems Protection

The plan proposes achieving its twin goals of making the U.S. government a
model of information security and developing a public-private partnership to
defend our national infrastructure through the following 10 programs which
are intended to serve three crosscutting infrastructure protection
objectives.

Table 1: Infrastructure Protection Objectives and Programs
 Crosscutting Objective                    Program
             The steps necessary to
             minimize the possibility of
             significant and successful    Identify critical infrastructure
 Prepare and attack on our critical        assets and shared
 Prevent     information networks, and     interdependencies and address
             build an infrastructure that  vulnerabilities.
             remains effective in the face
             of such attacks.
                                           Detect attacks and unauthorized
                                           intrusions.

             The actions required to       Develop intelligence and law
             identify                      enforcement capabilities to
             and assess an attack in a     protect critical information
 Detect and  timely way, and then to       systems.
 Respond     contain the attack, quickly
             recover from it, and          Share attack warning and
             reconstitute affected         information in a timely manner.
             systems.
                                           Create capabilities for
                                           response, reconstitution, and
                                           recovery.
                                           Enhance research and
                                           development.

                                           Train and employ adequate
                                           numbers of information security
             The steps needed to create    specialists.
             and nourish the people,
             organizations, laws, and      Outreach to make Americans aware
                                           of the need for improved cyber
 Build Strongtraditions that will make us  security.
 Foundations better able to prepare for
             and prevent, detect, and
             respond to attacks on our     Adopt legislation and
             critical information          appropriations to support
             networks.                     infrastructure protections.
                                           Ensure the full protection of
                                           American citizen's civil
                                           liberties, their rights to
                                           privacy, and their rights to the
                                           protection of proprietary data.

Making the Federal Government a Model

Making the federal government a model of good information security is
essential to the plan's success. However, the gap between expectations and
actual agency performance is significant. As we testified last October and
in subsequent written responses to your questions, our government is not
adequately protecting critical federal operations and assets from
computer-based attacks. In particular, recent audits conducted by GAO and
agency inspectors general show that 22 of the largest federal agencies have
significant computer security weaknesses, ranging from poor controls over
access to sensitive systems and data, to poor control over software
development and changes, and nonexistent or weak continuity of service
plans.

Importantly, our audits have repeatedly identified serious deficiencies in
the most basic controls over access to federal systems. For example,
managers often provided overly broad access privileges to very large groups
of users, affording far more individuals than necessary the ability to
browse, and sometimes, modify or delete sensitive or critical information.
In addition, access was often not appropriately authorized or documented;
users often shared accounts and passwords or posted passwords in plain view;
software access controls were improperly implemented; and user activity was
not adequately monitored to deter and identify inappropriate actions.

While a number of factors have contributed to weak federal information
security, such as insufficient understanding of risks, technical staff
shortages, and a lack of system and security architectures, the fundamental
underlying problem is poor security program management. As we reported in
1996 and, again, in 1998, agencies have not established security management
programs to ensure that controls, once implemented properly, are effective
on an ongoing basis. This framework of effective access controls and
management oversight is fundamental to any good computer security program.

At last October's hearing, we also observed that other crosscutting
actions-ranging from clarifying the roles and responsibilities of the many
entities involved in information security, to strengthening oversight, to
securing adequate technical expertise and funding-were needed in seven key
areas to provide greater assurance that critical infrastructure objectives
can be met. I would like to discuss how the plan addresses each of these
areas and what additional actions need to be taken.

Clearly Defined Roles and Responsibilities

The plan takes some positive steps to resolve this problem. For example, it
discusses in very general terms how tasks associated with accomplishing the
plan's objectives relate to computer security responsibilities outlined in
existing laws and related guidance. These include the federal computer
security and information resource management responsibilities of OMB, agency
Chief Information Officers, Chief Financial Officers as well as the CIO
Council. It describes OMB's core responsibility for managing federal
computer security and information technology. And it generally defines the
roles of the major entities created by PDD 63, including the National
Coordinator for Security, Infrastructure Protection and Counter-Terrorism,
the Critical Infrastructure Assurance Office, and the National
Infrastructure Protection Center.

In this regard, the plan makes a start at better defining the critical
infrastructure protection responsibilities of the many federal entities
involved. The plan also introduces or formalizes a number of new entities,
interagency working groups, and projects that will have to be integrated
into the existing framework of computer security activities. Examples of
these new entities and efforts include an Expert Review Team for evaluating
agency infrastructure protection plans, a Federal Intrusion Detection
Network, and an interagency working group on system security practices.
Because of the number of entities involved (some established by law, some by
executive order, and others with less formal mandates), strong and effective
leadership will be essential to ensure that their efforts are coordinated
and adequately communicated to individual agency personnel and that critical
infrastructure protection efforts are appropriately linked with broader
computer security efforts.

Risk-Based Standards

Currently, agencies have wide discretion in deciding (1) what computer
controls to implement and (2) the level of rigor with which to enforce these
controls. In theory, this is appropriate since, as OMB and NIST guidance
states, the level of protection provided should be commensurate with the
related risk to operations and assets. In security, one size does not fit
all. The risks associated with different types of data and operations vary,
depending on their sensitivity and criticality. For example, for undercover
law enforcement operations, data confidentiality must be protected at all
cost, while for other types of data, such as current information on
financial markets, data integrity is the uppermost concern.

Our audit work has shown that agencies have generally done a very poor job
of evaluating their information security risks and implementing appropriate
controls. As a result, we believe that more specific guidance on what types
of controls are appropriate for specific types of systems and data and the
ways in which these controls should be implemented would be helpful.
Specifically, a more prescriptive set of control standards, supported by a
range of data classifications and related minimum requirements, would help
clarify expectations for information protection, provide a framework for
assessing information security risk, and help ensure that similar types of
data and shared data are provided the same level of protection from one
agency to another. In essence, risk-based standards would assist agencies in
ensuring that their most critical operations and assets are protected at the
highest levels, while providing agencies the flexibility to apply less
rigorous (and often less expensive and less cumbersome) controls to
lower-risk operations and assets.

Routine Evaluations of Agency Performance

The plan takes some constructive steps in this regard. Particularly, it
calls on federal agencies to put in place programs to carry out several
types of vulnerability testing and analysis, including routine automated
system configuration/integrity/vulnerability testing using
commercial-off-the-shelf tools, regular internal self-assessments, and
independent external critical reviews. At an agency's request, NSA and NIST
are to perform independent analyses of critical federal information
infrastructure and provide independent reports of their results to the
agency's CIO. And, as mentioned earlier, the plan anticipates establishing a
permanent Expert Review Team at NIST to assist governmentwide agencies in
adhering to federal computer security requirements.

Nevertheless, we believe that the plan's provisions for testing agency
controls may not be rigorous enough. Tests initiated by agency officials are
essential because they provide information needed to fulfill their ongoing
responsibility for managing security programs. However, routine in-depth
tests and evaluations initiated by independent auditors, such as agency
inspectors general, are also critical because they serve as an independent
check on management evaluations and provide reliable information on actual
control effectiveness for congressional and executive branch oversight.

Our audits at individual agencies and our best practices work have shown
that a continuous cycle of testing, reassessment of risk, and adjustments to
policies and controls is needed to ensure that efforts to protect
information remain appropriate and effective on an ongoing basis.
Establishing such a cycle of activity will require a significant commitment
by agency management, the federal audit community, and federal centers of
technical expertise, such as NSA and NIST. It will be important for any new
audit requirements, including those associated with the Expert Review Team,
to be conducted in this context.

Executive Branch and Congressional Oversight

The administration's call to action through this plan's development and
increased congressional interest indicates a heightened concern over cyber
security and provides a basis for increased oversight. As noted in the
previous section, initial oversight must provide a heavy focus on agency
management's fulfillment of its obligations to set and evaluate meaningful
controls over its information environment.

Adequate Technical Expertise

The plan does a good job of addressing this issue. It describes a program to
develop a cadre of highly skilled computer science and information security
personnel. This program, if implemented, would include estimating personnel
and training needs; establishing centers for information technology
excellence that will provide web-based and classroom information security
training to federal employees, college and high school students; initiating
a scholarship program under which recipients would agree to a pre-determined
commitment to federal government service; and establishing a high school and
secondary school outreach program.

Adequate Funding

In releasing the plan on January 7, the President announced that he was
proposing a 16 percent increase in funding for critical infrastructure
protection in his fiscal year 2001 budget proposal. To jumpstart fiscal year
01 initiatives, the President also proposed $9 million in supplemental
funding for this spring.

We have not had the opportunity to examine this proposal in detail. However,
as this plan evolves, it will be important to secure OMB and congressional
oversight of spending in order to ensure that expenditures are targeted
toward reducing the most significant risks and that controls implemented are
effective. Our audits have shown that, in the past, agencies have expended
resources on controls that, when tested, proved to be ineffective. In
addition, they have often addressed identified weaknesses in an ad hoc,
piecemeal fashion that resulted in limited improvement. It will be important
for future security budgets to be based primarily on risk-based needs and
for expenditures be evaluated, to the extent possible, in terms of actual
risk reduction.

Incident Detection and Response

The plan proposes to strengthen incident detection and response by
developing mechanisms for regular sharing of federal threats, vulnerability,
and warning data; and sponsoring conferences to further the coordination and
development of common operating systems. In particular, it calls for a
governmentwide system for analyzing and correlating attack data consisting
of three elements: one for the Department of Defense and national security
communities (the Joint Task Force-Computer Network Defense, which is already
deployed), a second for non-Defense federal departments and agencies (the
Federal Intrusion Detection Network, or FIDNet which will build on existing
DOD and other security technology expertise), and a third that provides
information to both systems (the National Security Incident Response Center,
or NSIRC, which has already been deployed to provide expert assistance to
the national security community in isolating, containing, and resolving
incidents threatening national security systems).

We agree that developing improved intrusion detection and response
capabilities is important. However, available tools and methods for
analyzing network traffic and detecting intrusions are still evolving and
cannot yet be relied on to serve as an effective "burglar alarm," as
envisioned by the plan. While holding promise for the future, such tools and
methods currently raise many questions regarding technical feasibility,
cost-effectiveness, and the appropriate extent of centralized federal
oversight. Accordingly, these efforts merit close congressional oversight.

Legislative Framework

At present, there is legislation pending in both Houses that seeks to
correct some of these underlying deficiencies. Among other things, these
proposals call for a more comprehensive framework for establishing and
ensuring the effectiveness of controls over information resources that
support federal operations and assets; recognize the highly networked nature
of the federal computing environment; and provide better oversight
mechanisms. Such efforts could play an integral role in further
strengthening the plan.

Engaging Public-Private Partnerships

For instance, the plan seeks to establish a Partnership for Critical
Infrastructure Security and a National Infrastructure Assurance Council to
increase corporate and government communications about shared threats to
critical information systems. It also proposes establishing Information
Sharing and Analysis Centers to facilitate public-private sector information
sharing about actual threats and vulnerabilities in individual
infrastructure sectors. These, as well as other proposals, however, are
presented in broad terms, with the intent that future versions of the plan
will describe a full spectrum of specific actions and programs that have
been jointly agreed upon by industry and all levels of government.

We believe this approach is reasonable given the formidable challenges
involved in developing effective partnerships with the private sector. The
plan itself recognizes some of these challenges. For example, it
acknowledges that critical infrastructure protection is not exclusively,
even largely, within the province of the federal government, and, as a
result, the federal government is limited in what it can do to protect
critical infrastructures. It also recognizes that while the nature of the
threat to our national infrastructure has changed, the true extent of that
threat, our vulnerability to it, and possible means of defense are not
entirely clear. Furthermore, the plan appreciates that solutions to critical
infrastructure protection must be tailored sector by sector, through
consultation about vulnerabilities, threats, and possible response
strategies.

At the same time the plan recognizes such challenges, it proposes several
initiatives that may have a significant impact on the private sector and
affected interest groups. For example, the plan raises the possibility of
reviewing laws for possible amendments to remove barriers that discourage
private sector companies from sharing information with government agencies
about infrastructure protection issues. Specifically, it raises the idea of
more explicit confidentiality protections (so that federal law enforcement
or defense agencies could assure private companies that such information
would not be accessible through the Freedom of Information Act) as well as
changes to antitrust or tort liability laws. Because such changes could
involve important tradeoffs among significant policy concerns as well as
affected interest groups, it will be important to proceed carefully in
addressing the concerns of affected parties while at the same time providing
the incentives needed to garner private sector cooperation.

The plan also suggests increasing employer rights to monitor employees. This
would provide one means of protecting organizations from the "insiders," who
as a practical matter, probably pose a greater threat to organizational
security than do external threats. Again, the challenge will lie in
balancing individual privacy concerns with the need to protect sensitive
assets and the common welfare.

These are just two examples of possible changes that may have the potential
of improving the public-private partnership for information protection, but
that will require extensive public dialogue before they could or should be
implemented.

Mr. Chairman, this concludes my statement. The plan fulfills the commitment
made on its title page: it does invite a meaningful dialogue. The plan is an
engaging step forward in improving the nation's cyber infrastructure. As
noted in the statement, much more needs to be done to strengthen the plan's
ambitious goal of making the government a model. And serious consideration
of changes in the computer security legislative framework is necessary to
better assure agency compliance with good practice and process. Finally, the
challenges facing the establishment of a meaningful public-private
partnership require a level of continuous, long-term commitment on all sides
that will be difficult to sustain but that are certainly achievable.

(511693)
  
*** End of document. ***