Report Finds Government Information Systems Vulnerable to Attack
Federal Government Lacks Coordinated Approach to
Critical Infrastructure Protection

Monday, July 22, 2002

                WASHINGTON - Critical infrastructure protection of the federal government’s information systems lacks a coordinated and comprehensive approach, leaving the systems vulnerable to cyber-attack, according to a General Accounting Office (GAO) report released Friday by Governmental Affairs Committee Chairman Joe Lieberman, D-Conn., and Senator Robert Bennett, R-Utah. 

                Without a coordinating strategy, systems are susceptible to attacks from potential adversaries including cyber-terrorist groups, nation-states, criminal organizations, or disgruntled insiders, the report said.

                The report found that current protection efforts are not addressing all key infrastructure areas and their respective federal agencies, including sectors such as chemical manufacturing and food safety.  Organizations have failed to establish consistent relationships with other protection agencies that share similar responsibilities.  Further, none of the organizations reviewed by the GAO appropriated funds specifically for cyber protection programs making it impossible to track efforts being made to remedy these vulnerabilities.

                Lieberman’s bill addresses these issues by establishing a directorate of critical infrastructure protection, charged with tracking vulnerabilities in information systems, sharing information pertaining to cyber-security risks, and establishing a clear organizational structure to provide leadership on cyber-security issues.

                “We have learned from the tragedy on September 11^th that our enemies will increasingly strike where they believe we are vulnerable, Lieberman said.  “As this report shows, our cyberspace infrastructure is ripe for attack today.”

                “If our critical infrastructure is to be fortified against attack, the government must lead by example in a substantial, direct coordination effort,” Bennett said. “But because 90 percent of our infrastructure is privately owned, it is essential that this government analysis and coordination extends to the private sector. This report reaffirms our call for information sharing and I hope will encourage the related federal agencies to conduct the necessary assessment and strengthening of their systems.”

                Last September, Bennett introduced S. 1456, the Critical Infrastructure Information Security Act of 2001.  The Bennett bill, designed to increase information sharing and improve threat analysis for critical infrastructures, would establish an element in the Executive Branch to receive and share information on potential threats to critical infrastructure.

                In 1998, President Clinton issued Decision Directive 63 calling for the federal government to improve cyber-security efforts by establishing a partnership with the private sector and improving the nation’s ability to respond to cyber-attacks.  To further coordinate cyber-security efforts, Executive Order 13231, issued in October 2001, created the President’s Critical Infrastructure Protection Board.

                GAO’s report concluded that coordination and protection efforts are greatly hindered by the absence of a comprehensive cyber-protection strategy, which is still being developed by the President’s Critical Infrastructure Board.  The report recommends that the final strategy

•                      include all relevant cyber-security sectors and their federal agencies, such as food safety and delivery services

•                      clearly define the roles and responsibilities of the agencies associated with each of these cyber-security areas

•                      define the relationships between cyber-security organizations.