This is the accessible text file for GAO report number GAO-05-434
entitled 'Critical Infrastructure Protection: Department of Homeland
Security Faces Challenges in Fulfilling Cybersecurity Responsibilities'
which was released on June 27, 2005.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
May 2005:
Critical Infrastructure Protection:
Department of Homeland Security Faces Challenges in Fulfilling
Cybersecurity Responsibilities:
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-434]
GAO Highlights:
Highlights of GAO-05-434, a report to congressional requesters:
Why GAO Did This Study:
Increasing computer inter-connectivity has revolutionized the way that
our government, our nation, and much of the world communicate and
conduct business. While the benefits have been enormous, this
widespread interconnectivity also poses significant risks to our
nation’s computer systems and, more importantly, to the critical
operations and infrastructures they support. The Homeland Security Act
of 2002 and federal policy established DHS as the focal point for
coordinating activities to protect the computer systems that support
our nation’s critical infrastructures. GAO was asked to determine (1)
DHS’s roles and responsibilities for cyber critical infrastructure
protection, (2) the status and adequacy of DHS’s efforts to fulfill
these responsibilities, and (3) the challenges DHS faces in fulfilling
its cybersecurity responsibilities.
What GAO Found:
As the focal point for critical infrastructure protection (CIP), the
Department of Homeland Security (DHS) has many cybersecurity-related
roles and responsibilities that we identified in law and policy (see
table below for 13 key responsibilities). DHS established the National
Cyber Security Division to take the lead in addressing the
cybersecurity of critical infrastructures.
While DHS has initiated multiple efforts to fulfill its
responsibilities, it has not fully addressed any of the 13
responsibilities, and much work remains ahead. For example, the
department established the United States Computer Emergency Readiness
Team as a public/private partnership to make cybersecurity a
coordinated national effort, and it established forums to build greater
trust and information sharing among federal officials with information
security responsibilities and law enforcement entities. However, DHS
has not yet developed national cyber threat and vulnerability
assessments or government/industry contingency recovery plans for
cybersecurity, including a plan for recovering key Internet functions.
DHS faces a number of challenges that have impeded its ability to
fulfill its cyber CIP responsibilities. These key challenges include
achieving organizational stability, gaining organizational authority,
overcoming hiring and contracting issues, increasing awareness about
cybersecurity roles and capabilities, establishing effective
partnerships with stakeholders, achieving two-way information sharing
with these stakeholders, and demonstrating the value DHS can provide.
In its strategic plan for cybersecurity, DHS identifies steps that can
begin to address the challenges. However, until it confronts and
resolves these underlying challenges and implements its plans, DHS will
have difficulty achieving significant results in strengthening the
cybersecurity of our critical infrastructures.
DHS’s Key Cybersecurity Responsibilities:
* Develop a national plan for critical infrastructure protection,
including cybersecurity.
* Develop partnerships and coordinate with other federal agencies,
state and local governments, and the private sector.
* Improve and enhance public/private information sharing involving
cyber attacks, threats, and vulnerabilities.
* Develop and enhance national cyber analysis and warning capabilities.
* Provide and coordinate incident response and recovery planning
efforts.
* Identify and assess cyber threats and vulnerabilities.
* Support efforts to reduce cyber threats and vulnerabilities.
* Promote and support research and development efforts to strengthen
cyberspace security.
* Promote awareness and outreach.
* Foster training and certification.
* Enhance federal, state, and local government cybersecurity.
* Strengthen international cyberspace security.
* Integrate cybersecurity with national security.
Source: GAO analysis of law and policy.
[End of table]
What GAO Recommends:
GAO is making recommendations to the Secretary of Homeland Security to
strengthen the department’s ability to implement key cybersecurity
responsibilities by completing critical activities and resolving
underlying challenges. In written comments on a draft of this report,
DHS agreed with our recommendation to engage stakeholders to prioritize
its responsibilities, but disagreed with and sought clarification on
recommendations to resolve its challenges.
www.gao.gov/cgi-bin/getrpt?GAO-05-434.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact David Powner at (202) 512-
9286 or pownerd@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
DHS's Roles and Responsibilities for Cybersecurity in Support of
Critical Infrastructure Protection Are Many and Varied:
DHS Has Initiated Efforts That Begin to Address Its Responsibilities,
but More Work Remains:
DHS Continues to Face Challenges in Establishing Itself as a National
Focal Point for Cyberspace Security:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: DHS Organizations with Cyber-Related Roles:
Appendix III: Comments from the Department of Homeland Security:
Appendix IV: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: Sources of Emerging Cybersecurity Threats:
Table 2: Likely Sources of Cyber Attacks, According to Respondents to
the CSI/FBI 2003 Computer Crime and Security Survey:
Table 3: Types of Cyber Attacks:
Table 4: Federal Government Actions in Developing CIP Policy:
Table 5: Infrastructure Sectors Identified by the National Strategy for
Homeland Security and HSPD-7:
Table 6: Thirteen DHS Cybersecurity Responsibilities:
Table 7: DHS Partnership and Information-Sharing Initiatives:
Table 8: DHS Initiatives to Enhance Analytical Capabilities:
Table 9: Incident Response and Recovery Initiatives:
Table 10: DHS Cybersecurity Awareness and Outreach Initiatives:
Table 11: Key Initiatives in Cybersecurity Education:
Table 12: DHS's Intergovernmental Cybersecurity Initiatives:
Table 13: International Cybersecurity Initiatives:
Figures:
Figure 1: Security Vulnerabilities, 1995-2004:
Figure 2: NCSD Organization Chart:
Abbreviations:
CERT/CC: CERT® Coordination Center:
CIP: critical infrastructure protection:
DHS: Department of Homeland Security:
HSPD: Homeland Security Presidential Directive:
ISAC: information sharing and analysis center:
IT: information technology:
NCSD: National Cyber Security Division:
NIPP: National Infrastructure Protection Plan:
US-CERT: United States-Computer Emergency Response Team:
Letter May 26, 2005:
Congressional Requesters:
Since the early 1990s, increasing computer interconnectivity--most
notably growth in the use of the Internet--has revolutionized the way
that our government, our nation, and much of the world communicate and
conduct business. While the benefits have been enormous, this
widespread interconnectivity also poses significant risks to the
government's and our nation's computer systems and, more importantly,
to the critical operations and infrastructures they support. The speed
and accessibility that create the enormous benefits of the computer
age, if not properly controlled, allow unauthorized individuals and
organizations to inexpensively eavesdrop on or interfere with these
operations from remote locations for mischievous or malicious purposes,
including fraud or sabotage. Recent terrorist attacks and threats have
further underscored the need to manage and bolster the cybersecurity of
our nation's critical infrastructures.
Federal law and policy call for critical infrastructure protection
(CIP) activities that are intended to enhance the cyber and physical
security of both the public and private infrastructures that are
essential to national security, national economic security, and
national public health and safety.[Footnote 1] Federal policy
recognizes the importance of building public/private partnerships and
identifies several critical infrastructure sectors as well as federal
agencies to work with the sectors to coordinate efforts to strengthen
the security of the nation's public and private, computer-dependent
critical infrastructure. In addition, it establishes the Department of
Homeland Security (DHS) as the focal point for the security of
cyberspace--including analysis, warning, information sharing,
vulnerability reduction, mitigation, and recovery efforts for public
and private critical infrastructure information systems. To accomplish
this mission, DHS is to work with the federal agencies, state and local
governments, and the private sector.
In response to your request, we determined (1) DHS's roles and
responsibilities for cyber critical infrastructure protection and
national information security, as established in law and policy, and
the specific organizational structures DHS has created to fulfill them;
(2) the status of DHS's efforts to protect the computer systems that
support the nation's critical infrastructures and to strengthen
information security--both inside and outside the federal government--
and the extent to which such efforts adequately address its
responsibilities; and (3) the challenges DHS faces in fulfilling its
cybersecurity roles and responsibilities. To accomplish these
objectives, we reviewed relevant law, policy, directives, and documents
and interviewed officials from DHS, other federal agencies, and the
private sector who are involved in efforts to enhance the cybersecurity
of critical infrastructures. Appendix I provides further details on our
objectives, scope, and methodology. We performed our work from July
2004 to April 2005 in accordance with generally accepted government
auditing standards.
Results in Brief:
As the focal point for critical infrastructure protection, DHS has many
cybersecurity-related roles and responsibilities that are called for in
law and policy. These responsibilities include developing plans,
building partnerships, and improving information sharing, as well as
implementing activities related to the five priorities in the national
cyberspace strategy: (1) developing and enhancing national cyber
analysis and warning, (2) reducing cyberspace threats and
vulnerabilities, (3) promoting awareness of and training in security
issues, (4) securing governments' cyberspace, and (5) strengthening
national security and international cyberspace security cooperation. To
fulfill its cybersecurity role, in June 2003, DHS established the
National Cyber Security Division to serve as a national focal point for
addressing cybersecurity and coordinating the implementation of
cybersecurity efforts.
While DHS has initiated multiple efforts, it has not fully addressed
any of the 13 key cybersecurity-related responsibilities that we
identified in federal law and policy, and it has much work ahead in
order to be able to fully address them. For example, DHS (1) has
recently issued the Interim National Infrastructure Protection Plan,
which includes cybersecurity elements; (2) operates the United States
Computer Emergency Readiness Team to address the need for a national
analysis and warning capability; and (3) has established forums to
foster information sharing among federal officials with information
security responsibilities and among various law enforcement entities.
However, DHS has not yet developed national threat and vulnerability
assessments or developed and exercised government and
government/industry contingency recovery plans for cybersecurity,
including a plan for recovering key Internet functions. Further, DHS
continues to have difficulties in developing partnerships--as called
for in federal policy--with other federal agencies, state and local
governments, and the private sector.
DHS faces a number of challenges that have impeded its ability to
fulfill its cyber CIP responsibilities. Key challenges include
achieving organizational stability; gaining organizational authority;
overcoming hiring and contracting issues; increasing awareness about
cybersecurity roles and capabilities; establishing effective
partnerships with stakeholders (other federal agencies, state and local
governments, and the private sector); achieving two-way information
sharing with these stakeholders; and demonstrating the value DHS can
provide. In its strategic plan for cybersecurity, DHS has identified
steps that can begin to address these challenges. However, until it
effectively confronts and resolves these underlying challenges, DHS
will have difficulty achieving significant results in strengthening the
cybersecurity of our nation's critical infrastructures, and our nation
will lack the strong cybersecurity focal point envisioned in federal
law and policy.
We are making recommendations to the Secretary of Homeland Security to
strengthen the department's ability to implement key cybersecurity
responsibilities by completing critical activities and resolving
underlying challenges.
DHS provided written comments on a draft of this report (see app. III).
In brief, DHS agreed that strengthening cybersecurity is central to
protecting the nation's critical infrastructures and that much remains
to be done. In addition, DHS concurred with our recommendation to
engage stakeholders in prioritizing its key cybersecurity
responsibilities. However, DHS did not concur with our recommendations
to identify and prioritize initiatives to address the challenges it
faces, or to establish performance metrics and milestones for these
initiatives. Specifically, DHS reported that its strategic plan for
cybersecurity already provides a prioritized list, performance
measures, and milestones to guide and track its activities. The
department sought additional clarification of these recommendations.
While we agree with DHS that its plan identifies activities (along with
some performance measures and milestones) that will begin to address
the challenges, this plan does not include specific initiatives that
would ensure that the challenges are addressed in a prioritized and
comprehensive manner. For example, the strategic plan for cybersecurity
does not include initiatives to help stabilize and build authority for
the organization. Further, the strategic plan does not identify the
relative priority of its initiatives and does not consistently identify
performance measures for completing its initiatives. As DHS moves
forward in identifying initiatives to address the underlying challenges
it faces, it will be important to establish performance measures and
milestones for fulfilling these initiatives.
DHS officials (as well as others who were quoted in our report) also
provided detailed technical corrections, which we have incorporated in
this report as appropriate.
Background:
Critical Infrastructure Protection (CIP) involves activities that
enhance the cyber and physical security of the public and private
infrastructures that are critical to national security, national
economic security, and national public health and safety. Because a
large percentage of the nation's critical infrastructures is owned and
operated by the private sector, public/private partnerships are crucial
for successful critical infrastructure protection. Recent terrorist
attacks and threats have further underscored the need to encourage and
manage CIP activities. Vulnerabilities are being identified on a more
frequent basis and, if these vulnerabilities are exploited, several of
our nation's critical infrastructures could be disrupted or disabled.
Sources of Potential Cyber Attacks on Critical Infrastructures Are
Proliferating:
Several types of organizations and individuals are capable of
conducting attacks on our nation's critical infrastructures.
Historically, attacks on our infrastructures could be conducted only by
a relatively small number of entities. However, with critical
infrastructures' increasing reliance on computers and networks, more
organizations and individuals can cause harm using cyber attacks.
Further, U.S. authorities are becoming increasingly concerned about the
prospect of combined physical and cyber attacks, which could have
devastating consequences. Table 1 lists sources of threats that have
been identified by the U.S. intelligence community and others.
Table 1: Sources of Emerging Cybersecurity Threats:
Threat: Bot-network operators;
Description: Bot-network operators are hackers; however, instead of
breaking into systems for the challenge or bragging rights, they take
over multiple systems in order to coordinate attacks and to distribute
phishing[A] schemes, spam, and malwareb attacks. The services of these
networks are sometimes made available on underground markets (e.g.,
purchasing a denial-of-service attack, servers to relay spam or
phishing attacks, etc.)
Threat: Criminal groups;
Description: Criminal groups seek to attack systems for monetary gain.
Specifically, organized crime groups are using spam, phishing, and
spyware/malware to commit identity theft and online fraud.
International corporate spies and organized crime organizations also
pose a threat to the United States through their ability to conduct
industrial espionage and large-scale monetary theft and to hire or
develop hacker talent.
Threat: Foreign intelligence services;
Description: Foreign intelligence services use cyber tools as part of
their information- gathering and espionage activities. In addition,
several nations are aggressively working to develop information warfare
doctrine, programs, and capabilities. Such capabilities enable a single
entity to have a significant and serious impact by disrupting the
supply, communications, and economic infrastructures that support
military power--impacts that could affect the daily lives of U.S.
citizens across the country.
Threat: Hackers;
Description: Hackers break into networks for the thrill of the
challenge or for bragging rights in the hacker community. While remote
cracking once required a fair amount of skill or computer knowledge,
hackers can now download attack scripts and protocols from the Internet
and launch them against victim sites. Thus, while attack tools have
become more sophisticated, they have also become easier to use.
According to the Central Intelligence Agency, the large majority of
hackers do not have the requisite expertise to threaten difficult
targets such as critical U.S. networks. Nevertheless, the worldwide
population of hackers poses a relatively high threat of an isolated or
brief disruption causing serious damage.
Threat: Insiders;
Description: The disgruntled organization insider is a principal source
of computer crime. Insiders may not need a great deal of knowledge
about computer intrusions because their knowledge of a target system
often allows them to gain unrestricted access to cause damage to the
system or to steal system data. The insider threat also includes
outsourcing vendors as well as employees who accidentally introduce
malware into systems.
Threat: Phishers;
Description: Individuals, or small groups, that execute phishing
schemes in an attempt to steal identities or information for monetary
gain. Phishers may also use spam and spyware/malware to accomplish
their objectives.
Threat: Spammers;
Description: Individuals or organizations that distribute unsolicited e-
mail with hidden or false information in order to sell products,
conduct phishing schemes, distribute spyware/malware, or attack
organizations (i.e., denial of service).
Threat: Spyware/malware authors;
Description: Individuals or organizations with malicious intent carry
out attacks against users by producing and distributing spyware and
malware. Several destructive computer viruses and worms have harmed
files and hard drives, including the Melissa Macro Virus, the
Explore.Zip worm, the CIH (Chernobyl) Virus, Nimda, Code Red, Slammer,
and Blaster.
Threat: Terrorists;
Description: Terrorists seek to destroy, incapacitate, or exploit
critical infrastructures in order to threaten national security, cause
mass casualties, weaken the U.S. economy, and damage public morale and
confidence. Terrorists may use phishing schemes or spyware/malware in
order to generate funds or gather sensitive information.
Source: GAO analysis based on data from the Federal Bureau of
Investigation, Central Intelligence Agency, and the Software
Engineering Institute's CERT® Coordination Center.
[A] Phishing involves the creation and use of e-mails and Web sites
that are designed to look like those of well-known legitimate
businesses or government agencies, in order to deceive Internet users
into disclosing their personal data for criminal purposes, such as
identity theft and fraud.
[B] Malware is software designed with malicious intent, such as a
virus.
[End of table]
Government officials are increasingly concerned about attacks from
individuals and groups with malicious intent--such as crime, terrorism,
foreign intelligence gathering, and acts of war. For example, in
February 2005, the Federal Bureau of Investigation Director testified
before the Senate Select Committee on Intelligence about current
threats--including cyber threats--to the United States.[Footnote 2] He
stated that the cyber threat to the United States is serious, and the
number of actors with both the ability and the desire to use computers
for illegal and harmful purposes continues to rise. The Director added
that individuals or groups from foreign states, including foreign
governments, continue to pose threats to our national and economic
security because they have the resources to support advanced network
exploitation and attack. In addition, he stated that "terrorists show a
growing understanding of the critical role of information technology in
the day-to-day operations of our economy and national security and have
expanded their recruitment to include people studying math, computer
science and engineering." The Director further stated that although
individual hackers do not pose a great threat, hackers intent on
stealing information or motivated by money are a concern--adding that
"if this pool of talent is utilized by terrorists, foreign governments
or criminal organizations, the potential for a successful cyber attack
on our critical infrastructures is greatly increased."
Analyses by various organizations have also demonstrated the increasing
threats that are faced by critical infrastructure sectors in the United
States. For example, in May 2004, the E-Crime Watch™ survey of security
and law enforcement executives found that 43 percent of the respondents
reported "an increase in electronic crimes and intrusions over the
previous year and 70 percent reported at least one electronic crime or
intrusion being committed against their organization." Regarding the
source of the electronic crime or intrusion, 70 percent of respondents
reported that they knew the source. The respondents most frequently
identified hackers (40 percent), followed by current and former
employees and contractors (31 percent), as the greatest threats to
cybersecurity.[Footnote 3] Similarly, respondents to the 2003 Computer
Security Institute and Federal Bureau of Investigation Computer Crime
and Security Survey identified independent hackers as the most likely
source of cyber attacks, as shown in table 2.[Footnote 4]
Table 2: Likely Sources of Cyber Attacks, According to Respondents to
the CSI/FBI 2003 Computer Crime and Security Survey:
Potential source: Independent hackers;
Percentage of respondents: 82%.
Potential source: Disgruntled employees;
Percentage of respondents: 77%.
Potential source: U.S. competitors;
Percentage of respondents: 40%.
Potential source: Foreign governments;
Percentage of respondents: 28%.
Potential source: Foreign corporations;
Percentage of respondents: 25%.
Source: 2003 CSI/FBI Computer Crime and Security Survey.
[End of table]
As larger amounts of money are transferred through computer systems, as
more sensitive economic and commercial information is exchanged
electronically, and as the nation's defense and intelligence
communities increasingly rely on commercially available information
technology, the likelihood increases that information attacks will
threaten vital national interests.
Types of Attacks Are Expanding and Tools Are Readily Available:
According to the Federal Bureau of Investigation, terrorists,
transnational criminals, and intelligence services are quickly becoming
aware of and using tools such as computer viruses, Trojan horses,
worms, logic bombs, and eavesdropping programs ("sniffers") that can
deny access, degrade the integrity of, intercept, or destroy data (see
table 3).
Table 3: Types of Cyber Attacks:
Type of attack: Denial of service;
Description: A method of attack from a single source that denies system
access to legitimate users by overwhelming the target computer with
messages and blocking legitimate traffic. It can prevent a system from
being able to exchange data with other systems or use the Internet.
Type of attack: Distributed denial of service;
Description: A variant of the denial-of-service attack that uses a
coordinated attack from a distributed system of computers rather than
from a single source. It often makes use of worms to spread to multiple
computers that can then attack the target.
Type of attack: Exploit tools;
Description: Publicly available and sophisticated tools that intruders
of various skill levels can use to determine vulnerabilities and gain
entry into targeted systems.
Type of attack: Logic bombs;
Description: A form of sabotage in which a programmer inserts code that
causes the program to perform a destructive action when some triggering
event occurs, such as terminating the programmer's employment.
Type of attack: Phishing;
Description: The creation and use of e-mails and Web sites--designed to
look like those of well-known legitimate businesses, financial
institutions, and government agencies--in order to deceive Internet
users into disclosing their personal data, such as bank and financial
account information and passwords. The phishers then take that
information and use it for criminal purposes, such as identity theft
and fraud.
Type of attack: Sniffer;
Description: Synonymous with packet sniffer. A program that intercepts
routed data and examines each packet in search of specified
information, such as passwords transmitted in clear text.
Type of attack: Trojan horse;
Description: A computer program that conceals harmful code. A Trojan
horse usually masquerades as a useful program that a user would wish to
execute.
Type of attack: Virus;
Description: A program that infects computer files, usually executable
programs, by inserting a copy of itself into the file. These copies are
usually executed when the infected file is loaded into memory, allowing
the virus to infect other files. Unlike the computer worm, a virus
requires human involvement (usually unwitting) to propagate.
Type of attack: War dialing;
Description: Simple programs that dial consecutive telephone numbers
looking for modems.
Type of attack: War driving;
Description: A method of gaining entry into wireless computer networks
using a laptop, antennas, and a wireless network adaptor that involves
patrolling locations to gain unauthorized access.
Type of attack: Worm;
Description: An independent computer program that reproduces by copying
itself from one system to another across a network. Unlike computer
viruses, worms do not require human involvement to propagate.
Source: GAO analysis of reports by the Department of Justice and GAO.
[End of table]
Viruses and worms are commonly used to launch denial-of-service
attacks, which generally flood targeted networks and systems by
transmitting so much data that regular traffic is either slowed or
stopped. Such attacks have been used ever since the groundbreaking
Morris worm, which brought 10 percent of the systems connected to the
Internet to a halt in November 1988. In 2001, the Code Red worm used a
denial-of-service attack to affect millions of computer users by
shutting down Web sites, slowing Internet service and disrupting
business and government operations.[Footnote 5]
As the number of individuals with computer skills has increased,
intrusion tools have become more readily available and relatively easy
to use. Frequently, skilled hackers develop exploitation tools and post
them on Internet hacking sites. These tools are then readily available
for others to download, allowing even inexperienced programmers to
create a computer virus or to literally point and click to launch an
attack. According to the National Institute of Standards and
Technology, 30 to 40 new attack tools are posted on the Internet every
month.[Footnote 6] Experts also agree that there has been a steady
advance in the sophistication and effectiveness of attack technologies.
Intruders quickly develop attacks to exploit vulnerabilities that have
been discovered in products, use these attacks to compromise computers,
and share them with other attackers. In addition, they can combine
these attacks with other forms of technology to develop programs that
automatically scan the network for vulnerable systems, attack them,
compromise them, and use them to spread the attack even further.
Cyber Vulnerabilities Have Increased:
In addition to the growing threat from terrorists, transnational
criminals, foreign intelligence services, and hackers, there has been a
growing number of software vulnerabilities. Flaws in software code that
could cause a program to malfunction generally result from programming
errors that occur during software development. The increasing
complexity and size of software programs contribute to an increase in
software flaws. For example, Microsoft Windows 2000 reportedly contains
about 35 million lines of code, compared with about 15 million lines
for Windows 95. As reported by the National Institute of Science and
Technology, based on studies of code inspections, there can be as many
as 20 flaws per thousand lines of software code. While most flaws do
not create security vulnerabilities,[Footnote 7] the potential for
these errors reflects the difficulty and complexity of delivering
trustworthy code.[Footnote 8] By exploiting software vulnerabilities,
hackers and others who spread malicious code can cause significant
damage, ranging from defacing Web sites to taking control of entire
systems and thereby being able to read, modify, or delete sensitive
information; disrupt operations; launch attacks against other
organizations' systems; or destroy systems.
Between 1995 and 2004, the Software Engineering Institute's CERT®
Coordination Center (CERT/CC)[Footnote 9] reported that 16,726 security
vulnerabilities had resulted from software flaws. Figure 1 illustrates
the increase in security vulnerabilities over these years.
Figure 1: Security Vulnerabilities, 1995-2004:
[See PDF for image]
[End of figure]
Taking Advantage of Vulnerabilities, Attackers Are Able to Cause
Serious Consequences:
The growing number of known vulnerabilities increases the potential
number of attacks. As vulnerabilities are discovered, attackers attempt
to exploit them. Attacks can be launched against specific targets or
widely distributed through viruses and worms. The risks posed by this
increasing and evolving threat are demonstrated in media and other
reports of actual and potential attacks and disruptions, such as those
cited below.
* In March 2005, security consultants within the electric industry
reported that hackers were targeting the U.S. electric power grid and
had gained access to U.S. utilities' electronic control systems.
Computer security specialists reported that, in a few cases, these
intrusions had "caused an impact." While officials stated that hackers
had not caused serious damage to the systems that feed the nation's
power grid, the constant threat of intrusion has heightened concerns
that electric companies may not have adequately fortified their
defenses against a potential catastrophic strike.
* In January 2005, a major university reported that a hacker had broken
into a database containing 32,000 student and employee Social Security
numbers, potentially compromising their finances and identities. In
similar incidents during 2003 and 2004, it was reported that hackers
had attacked the systems of other universities, exposing the personal
information of over 1.8 million people.
* On August 11, 2003, the Blaster worm was launched, and it infected
more than 120,000 computers in its first 36 hours. The worm was
programmed to launch a denial-of-service attack against Microsoft's
Windows Update Web site, and it affected a wide range of systems and
caused slowdowns and disruptions in users' Internet services. For
example, the Maryland Motor Vehicle Administration was forced to shut
down its computer systems.
* In June 2003, the U.S. government issued a warning concerning a virus
that specifically targeted financial institutions. Experts said the
BugBear.b virus was programmed to determine whether a victim had used
an e-mail address for any of the roughly 1,300 financial institutions
listed in the virus's code. If a match was found, the software
attempted to collect and document user input by logging keystrokes and
then provide this information to a hacker, who could use it in attempts
to break into the banks' networks.
* In May 2004, we reported that according to a preliminary study
coordinated by the Cooperative Association for Internet Data Analysis,
on January 25, 2003, the SQL Slammer worm (also known as "Sapphire" and
"SQL Hell") infected more than 90 percent of vulnerable computers
worldwide within 10 minutes of its release on the Internet.[Footnote
10] As the study reports, exploiting a known vulnerability for which a
patch had been available since July 2002, Slammer doubled in size every
8.5 seconds and achieved its full scanning rate (55 million scans per
second) after about 3 minutes, causing considerable harm through
network outages. Further, the study emphasized that the effects would
likely have been more severe had Slammer carried a malicious payload,
exploited a more widespread vulnerability, or targeted a more popular
service. Despite its lack of malicious payload, Slammer caused
significant damage, exacting a toll on several large companies and
municipalities that found their internal networks deluged with data
from the virus. Major financial institutions reported problems; for
example, one reported that a majority of its automatic teller machines
were unable to process customer transactions for several hours. The
attack disrupted operations for several hours at a 911 call center that
served two suburban police departments and at least 14 fire
departments. A commercial airline had flights delayed or canceled
because of online ticketing and electronic check-in problems.
* In November 2002, a British computer administrator was indicted on
charges that he accessed and damaged 98 computers in 14 states between
March 2001 and March 2002, causing some $900,000 in damage. These
networks belonged to the Department of Defense, the National
Aeronautics and Space Administration, and private companies. The
indictment alleges that the attacker was able to gain administrative
privileges on military computers, copy password files, and delete
critical system files. The attacks rendered the networks of the Earle
Naval Weapons Station in New Jersey and the Military District of
Washington inoperable.
The CERT/CC has noted that attacks that once took weeks or months to
propagate over the Internet now take just hours--or even minutes--
because automated tools are now available. For instance, while Code Red
achieved an infection rate of over 20,000 systems within 10 minutes in
July 2001, about a year and a half later, in January 2003, the Slammer
worm successfully attacked at least 75,000 systems, infecting more than
90 percent of vulnerable systems within 10 minutes.
According to CERT/CC, due to the widespread use of automated tools that
have made attacks against Internet-connected systems so commonplace, it
no longer publishes the number of incidents that are reported. For
historical perspective, the number of computer security incidents
reported to CERT/CC rose from just under 10,000 in 1999 to over 52,000
in 2001, to about 82,000 in 2002, and to 137,529 in 2003--when CERT/CC
stopped reporting the number of incidents. Moreover, the Director of
the CERT Centers stated that he estimates that as much as 80 percent of
security incidents go unreported, in most cases because (1) the
organization was unable to recognize that its systems had been
penetrated or there were no indications of penetration or attack or (2)
the organization was reluctant to report.
Concerns Regarding the Impact of Cyber Threats on Infrastructure
Control Systems Are Growing:
Since September 11, 2001, the critical link between cyberspace and
physical space has been increasingly recognized. In July 2002, the
National Infrastructure Protection Center reported that the potential
for compound cyber and physical attacks, referred to as "swarming
attacks," is an emerging threat to our nation's critical
infrastructures. Swarming attacks can slow down or complicate the
response to a physical attack. For instance, a cyber attack that
disabled the water supply or the electrical system, in conjunction with
a physical attack, could deny emergency services the necessary
resources to manage the consequences of the physical attack--such as
controlling fires, coordinating actions, and generating light.
There is a general consensus--and increasing concern--among government
officials and experts on control systems, about potential cyber threats
to the control systems that govern our critical infrastructures. In his
November 2002 congressional testimony, the Director of the CERT Centers
at Carnegie Mellon University noted that supervisory control and data
acquisition systems and other forms of networked computer systems had
been used for years to control power grids, gas and oil distribution
pipelines, water treatment and distribution systems, hydroelectric and
flood control dams, oil and chemical refineries, and other physical
infrastructure systems.[Footnote 11] These control systems are
increasingly being connected to communications links and networks to
enhance performance and to reduce operational costs by supporting
remote maintenance, remote control, and remote update functions. They
are potential targets for individuals intent on causing massive
disruption and physical damage. The use of commercial-off-the-shelf
technologies for these systems--without adequate security enhancements--
can significantly limit available approaches to protection and may
increase the number of potential attackers.
As components of control systems increasingly make critical decisions
that were once made by humans, the potential effect of a cyber attack
becomes more devastating. For example, a failed control system was a
contributing factor in the widespread east coast electrical blackout of
August 2003. While investigations later found that this incident was
not the result of a deliberate attack, DHS officials stated that the
significant involvement of a control system highlighted the fact that a
physical system or location could be accessed through a cyber
connection. Another example occurred in August 2003; the Nuclear
Regulatory Commission confirmed that earlier that year the Slammer worm
had infected a private computer network at a nuclear power plant,
disabling a safety monitoring system for nearly 5 hours. The plant's
process computer failed, and it took about 6 hours for it to become
available again. The worm reportedly also affected communications on
the control networks of at least five other utilities by propagating so
quickly that control system traffic was blocked. Looking ahead, 66
percent of the technology experts and scholars who responded to a 2004
survey on the future of the Internet believe that at least one
devastating cyber attack will occur on the networked information
infrastructure or the country's power grid within the next 10
years.[Footnote 12]
In March 2004, we reported on the significant challenges of securing
controls systems, including technical limitations, perceived lack of
economic justification, and conflicting organizational
priorities.[Footnote 13] We recommended that the Secretary of DHS
develop and implement a strategy for coordinating with the private
sector and other government agencies to improve the security of control
systems. This strategy was issued in December 2004.
Critical Infrastructure Protection Policy Has Continued to Evolve Since
the Mid-1990s:
Over the years, the federal government and critical infrastructure
representatives have sponsored working groups, written reports, issued
policies, and created organizations to address CIP. To provide a
historical perspective, table 4 summarizes the key developments in
federal CIP policy since 1997.
Table 4: Federal Government Actions in Developing CIP Policy:
Policy action: Critical Foundations: Protecting America's
Infrastructures[A]; Date: Oct. 1997;
Description: Described the potentially devastating effects of poor
information security on the nation and recommended measures to achieve
a higher level of CIP that included industry cooperation and
information sharing, a national organizational structure, a revised
program of research and development, a broad program of awareness and
education, and a reconsideration of related laws.
Policy action: Presidential Decision Directive 63;
Date: May 1998;
Description: Established CIP as a national goal and presented a
strategy for cooperative efforts by government and the private sector
to protect the physical and cyber-based systems essential to the
minimum operations of the economy and the government; Established
government agencies to coordinate and support CIP efforts; Identified
lead federal agencies to work with coordinators in eight infrastructure
sectors and five special functions; Encouraged the development of
information-sharing and analysis centers; Required every federal
department and agency to be responsible for protecting its own critical
infrastructures, including both cyber-based and physical assets;
Superseded by HSPD-7 (see details on HSPD-7 below).
Policy action: National Plan for Information Systems Protection[B];
Date: Jan. 2000;
Description: Provided a vision and framework for the federal government
to prevent, detect, and respond to attacks on the nation's critical
cyber-based infrastructure and to reduce existing vulnerabilities by
complementing and focusing existing federal computer security and
information technology requirements.
Policy action: Executive Order 13228;
Date: Oct. 2001;
Description: Established the Office of Homeland Security, within the
Executive Office of the President, to develop and coordinate the
implementation of a comprehensive national strategy to secure the
United States from terrorist threats or attacks; Established the
Homeland Security Council to advise and assist the President with all
aspects of homeland security and to ensure coordination among executive
departments and agencies.
Policy action: Executive Order 13231;
Date: Oct. 2001;
Description: Established the President's Critical Infrastructure
Protection Board to coordinate cyber-related federal efforts and
programs associated with protecting our nation's critical
infrastructures and to recommend policies and coordinating programs for
protecting CIP-related information systems.
Policy action: National Strategy for Homeland Security[C];
Date: July 2002;
Description: Identified the protection of critical infrastructures and
key assets as a critical mission area for homeland security; Expanded
the number of critical infrastructures from the 8 identified in
Presidential Decision Directive 63 to 13 and identified lead federal
agencies for each.
Policy action: Homeland Security Act of 2002[D];
Date: Nov. 2002;
Description: Created the Department of Homeland Security and assigned
it the following CIP responsibilities: (1) developing a comprehensive
national plan for securing the key resources and critical
infrastructures of the United States; (2) recommending measures to
protect the key resources and critical infrastructures of the United
States in coordination with other groups; and (3) disseminating, as
appropriate, information to assist in the deterrence, prevention, and
preemption of or response to terrorist attacks.
Policy action: The National Strategy to Secure Cyberspace[E];
Date: Feb. 2003;
Description: Provided the initial framework for both organizing and
prioritizing efforts to protect our nation's cyberspace; Provided
direction to federal departments and agencies that have roles in
cyberspace security and identified steps that state and local
governments, private companies and organizations, and individual
Americans can take to improve our collective cybersecurity.
Policy action: The National Strategy for the Physical Protection of
Critical Infrastructures and Key Assets[F];
Date: Feb. 2003;
Description: Provided a statement of national policy to remain
committed to protecting critical infrastructures and key assets from
physical attacks; Built on Presidential Decision Directive 63 with its
sector-based approach and called for expanding the capabilities of
information sharing and analysis centers; Outlined three key
objectives: (1) identifying and assuring the protection of the most
critical assets, systems, and functions; (2) assuring the protection of
infrastructures that face an imminent threat; and (3) pursuing
collaborative measures and initiatives to assure the protection of
other potential targets.
Policy action: Executive Order 13286;
Date: Feb. 2003;
Description: Superseded Executive Order 13231 but maintained the same
national policy statement regarding the protection against disruption
of information systems for critical infrastructures; Dissolved the
President's Critical Infrastructure Protection Board and eliminated the
board's chair, the Special Advisor to the President for Cyberspace
Security; Designated the National Infrastructure Advisory Council to
continue to provide the President with advice on the security of
information systems for critical infrastructures supporting other
sectors of the economy through the Secretary of Homeland Security.
Policy action: Homeland Security Presidential Directive 7;
Date: Dec. 2003;
Description: Superseded Presidential Decision Directive 63 and
established a national policy for federal departments and agencies to
identify and prioritize U.S. critical infrastructure and key resources
and to protect them from terrorist attack; Defined roles and
responsibilities for the Department of Homeland Security and sector-
specific agencies to work with sectors to coordinate CIP activities;
Established a CIP Policy Coordinating Committee to advise the Homeland
Security Council on interagency CIP issues.
Source: GAO analysis of documents listed above.
[A] President's Commission on Critical Infrastructure Protection,
Critical Foundations: Protecting America's Infrastructures (Washington,
D.C.: October 1997).
[B] The White House, Defending America's Cyberspace: National Plan for
Information Systems Protection: Version 1.0: An Invitation to Dialogue
(Washington, D.C.: January 2000).
[C] The White House, Office of Homeland Security, National Strategy for
Homeland Security.
[D] Homeland Security Act of 2002, Public Law 107-296 (November 25,
2002).
[E] The White House, The National Strategy to Secure Cyberspace
(Washington, D.C.: February 2003).
[F] The White House, The National Strategy for the Physical Protection
of Critical Infrastructures and Key Assets.
[End of table]
DHS's Roles and Responsibilities for Cybersecurity in Support of
Critical Infrastructure Protection Are Many and Varied:
While policies and strategies for protecting our nation's critical
infrastructures have evolved over recent years, three key documents (a
law, a national policy, and a national strategy) currently guide
federal and nonfederal cybersecurity-related CIP efforts. The law
establishes DHS's responsibilities for critical infrastructure
protection, a role that includes strengthening the security of our
nation's information infrastructure. The policy and strategy are
consistent with the law, and reinforce and expand on it. Together, the
three guiding documents contain numerous and varied requirements levied
on DHS, of which 13 key responsibilities address cybersecurity. To
fulfill its cybersecurity roles and responsibilities, DHS has
established the National Cyber Security Division (NCSD).
Federal Law and Policies Guide Critical Infrastructure Protection and
Cybersecurity:
Federal law and policies establish CIP as a national goal and describe
a strategy for cooperative efforts by government and the private sector
to protect the physical and cyber-based systems that are essential to
the minimum operations of the economy and the government. These include
(1) the Homeland Security Act of 2002, (2) Homeland Security
Presidential Directive-7 (HSPD-7), and (3) the National Strategy to
Secure Cyberspace. A discussion of each follows.
The Homeland Security Act of 2002 Created the Department of Homeland
Security:
The Homeland Security Act of 2002, signed by the President on November
25, 2002, established DHS and gave it lead responsibility for
preventing terrorist attacks in the United States, reducing the
vulnerability of the United States to terrorist attacks, and minimizing
the damage and assisting in recovery from attacks that do occur. To
help DHS accomplish its mission, the act establishes, among other
entities, five under secretaries with responsibility over directorates
for management, science and technology, information analysis and
infrastructure protection, border and transportation security, and
emergency preparedness and response.
The act also assigns the department a number of CIP responsibilities,
including (1) developing a comprehensive national plan for securing the
key resources and critical infrastructure of the United States; (2)
recommending measures to protect the key resources and critical
infrastructure of the United States in coordination with other federal
agencies and in cooperation with state and local government agencies
and authorities, the private sector, and other entities; and (3)
disseminating, as appropriate, information analyzed by the department-
-both within the department and to other federal, state, and local
government agencies and private-sector entities--to assist in the
deterrence, prevention, preemption of, or response to terrorist
attacks.
Homeland Security Presidential Directive 7 Defines Federal CIP
Responsibilities:
In December 2003, the President issued HSPD-7, which superseded
Presidential Decision Directive-63 and established a national policy
for federal departments and agencies to identify and prioritize
critical infrastructures and key resources and to protect them from
terrorist attack. HSPD-7 defines responsibilities for DHS, sector-
specific federal agencies that are responsible for addressing specific
critical infrastructure sectors, and other departments and agencies.
These responsibilities are briefly discussed below.
DHS--HSPD-7 requires, among other things, that the Secretary of
Homeland Security:
* coordinate the national effort to enhance CIP;
* identify, prioritize, and coordinate the protection of critical
infrastructure, emphasizing protection against catastrophic health
effects or mass casualties;
* establish uniform policies, approaches, guidelines, and methodologies
for integrating federal infrastructure protection and risk management
activities within and across sectors;
* serve as the focal point for securing cyberspace, including analysis,
warning, information sharing, vulnerability reduction, mitigation, and
recovery efforts for critical infrastructure information systems; and:
* produce a comprehensive and integrated national plan for critical
infrastructure and key resources protection that outlines national
goals, objectives, milestones, and key initiatives.
Sector-specific agencies--HSPD-7 designated certain federal agencies as
lead federal points of contact for the critical infrastructure sectors
identified in the National Strategy for Homeland Security (see table
5). These agencies are responsible for infrastructure protection
activities in their assigned sectors and are to coordinate and
collaborate with relevant federal agencies, state, and local
governments, and the private sector to carry out related
responsibilities.
Table 5: Infrastructure Sectors Identified by the National Strategy for
Homeland Security and HSPD-7:
Sector: Agriculture;
Description: Provides for the fundamental need for food. The
infrastructure includes supply chains for feed and crop production;
Lead agency: Department of Agriculture.
Sector: Banking and finance;
Description: Provides the financial infrastructure of the nation. This
sector consists of commercial banks, insurance companies, mutual funds,
government-sponsored enterprises, pension funds, and other financial
institutions that carry out transactions, including clearing and
settlement;
Lead agency: Department of the Treasury.
Sector: Chemicals and hazardous materials;
Description: Transforms natural raw materials into commonly used
products benefiting society's health, safety, and productivity. The
chemical industry produces more than 70,000 products that are essential
to automobiles, pharmaceuticals, food supply, electronics, water
treatment, health, construction, and other necessities;
Lead agency: Department of Homeland Security.
Sector: Commercial facilities;
Description: Includes prominent commercial centers, office buildings,
sports stadiums, theme parks, and other sites where large numbers of
people congregate to pursue business activities, conduct personal
commercial transactions, or enjoy recreational pastimes;
Lead agency: Department of Homeland Security.
Sector: Dams;
Description: Comprises approximately 80,000 dam facilities, including
larger and nationally symbolic dams that are major components of other
critical infrastructures that provide electricity and water;
Lead agency: Department of Homeland Security.
Sector: Defense industrial base;
Description: Supplies the military with the means to protect the nation
by producing weapons, aircraft, and ships and providing essential
services, including information technology and supply and maintenance;
Lead agency: Department of Defense.
Sector: Drinking water and water treatment systems;
Description: Sanitizes the water supply with the use of about 170,000
public water systems. These systems depend on reservoirs, dams, wells,
treatment facilities, pumping stations, and transmission lines;
Lead agency: Environmental Protection Agency.
Sector: Emergency services;
Description: Saves lives and property from accidents and disaster. This
sector includes fire, rescue, emergency medical services, and law
enforcement organizations;
Lead agency: Department of Homeland Security.
Sector: Energy;
Description: Provides the electric power used by all sectors, including
critical infrastructures, and the refining, storage, and distribution
of oil and gas. The sector is divided into electricity and oil and
natural gas;
Lead agency: Department of Energy.
Sector: Food;
Description: Carries out the post-harvesting of the food supply,
including processing and retail sales;
Lead agency: Department of Agriculture and Department of Health and
Human Services.
Sector: Government;
Description: Ensures national security and freedom and administers key
public functions;
Lead agency: Department of Homeland Security.
Sector: Government facilities;
Description: Includes the buildings owned and leased by the federal
government for use by federal entities;
Lead agency: Department of Homeland Security.
Sector: Information technology and telecommunications;
Description: Provides communications and processes to meet the needs of
businesses and government;
Lead agency: Department of Homeland Security.
Sector: National monuments and icons;
Description: Includes key assets that are symbolically equated with
traditional American values and institutions or U.S. political and
economic power;
Lead agency: Department of the Interior.
Sector: Nuclear reactors, materials, and waste;
Description: Includes 104 commercial nuclear reactors; research and
test nuclear reactors; nuclear materials; and the transportation,
storage, and disposal of nuclear materials and waste;
Lead agency: Department of Homeland Security working with the Nuclear
Regulatory Agency and Department of Energy.
Sector: Postal and shipping;
Description: Delivers private and commercial letters, packages, and
bulk assets. The U.S. Postal Service and other carriers provide the
services of this sector;
Lead agency: Department of Homeland Security.
Sector: Public health and healthcare;
Description: Mitigates the risk of disasters and attacks and also
provides recovery assistance if an attack occurs. The sector consists
of health departments, clinics, and hospitals;
Lead agency: Department of Health and Human Services.
Sector: Transportation systems;
Description: Enables movement of people and assets that are vital to
our economy, mobility, and security with the use of aviation, ships,
rail, pipelines, highways, trucks, buses, and mass transit;
Lead agency: Department of Homeland Security in collaboration with the
Department of Transportation.
Source: GAO analysis based on the President's National Strategy
documents and HSPD-7.
[End of table]
Other federal agencies--HSPD-7 instructs all federal departments and
agencies to identify, prioritize, and coordinate the protection of
their own critical infrastructures in order to prevent, deter, and
mitigate the effects of attacks. In addition, this national policy
recognizes that certain other federal entities have special functions
related to critical infrastructure and key resources protection, such
as the Department of Justice's law enforcement function, the State
Department's foreign affairs function, and the Executive Office of the
President's Office of Science and Technology's research and development
policy-setting function.
The National Strategy to Secure Cyberspace Provides an Initial
Framework for Cybersecurity:
The National Strategy to Secure Cyberspace (cyberspace strategy), a
national policy issued in February 2003, provides a framework for both
organizing and prioritizing efforts to protect our nation's cyberspace.
It also provides direction to federal departments and agencies that
have roles in cyberspace security and identifies steps that state and
local governments, private companies and organizations, and individual
Americans can take to improve our collective cybersecurity. In
addition, the cyberspace strategy identifies DHS as the central
coordinator for cyberspace security efforts. As such, DHS is
responsible for coordinating and working with other federal and
nonfederal entities that are involved in cybersecurity.
The cyberspace strategy is organized according to five national
priorities, and it identifies major actions and initiatives for each.
The five priorities are (1) providing national cyber analysis, warning,
and incident response; (2) reducing cyberspace threats and
vulnerabilities; (3) promoting awareness and training; (4) securing
governments' cyberspace; and (5) strengthening national security and
international cyberspace security cooperation.
DHS Has 13 Key Cybersecurity Responsibilities:
Among the many CIP roles and responsibilities established for DHS
identified in federal law and policy are 13 key cybersecurity-related
responsibilities. These include general CIP responsibilities that have
a cyber element (such as developing national plans, building
partnerships, and improving information sharing) as well as
responsibilities that relate to the five priorities established by the
cyberspace strategy. Table 6 provides a description of each
responsibility.
Table 6: Thirteen DHS Cybersecurity Responsibilities:
DHS cybersecurity responsibilities: General CIP responsibilities with a
cyber element: Develop a national plan for critical infrastructure
protection that includes cybersecurity;
Description: Developing a comprehensive national plan for securing the
key resources and critical infrastructure of the United States,
including information technology and telecommunications systems
(including satellites) and the physical and technological assets that
support such systems. This plan is to outline national strategies,
activities, and milestones for protecting critical infrastructures.
DHS cybersecurity responsibilities: General CIP responsibilities with a
cyber element: Develop partnerships and coordinate with other federal
agencies, state and local governments, and the private sector;
Description: Fostering and developing public/private partnerships with
and among other federal agencies, state and local governments, the
private sector, and others. DHS is to serve as the "focal point for the
security of cyberspace.".
DHS cybersecurity responsibilities: General CIP responsibilities with a
cyber element: Improve and enhance public/private information sharing
involving cyber attacks, threats, and vulnerabilities;
Description: Improving and enhancing information sharing with and among
other federal agencies, state and local governments, the private
sector, and others through improved partnerships and collaboration,
including encouraging information sharing and analysis mechanisms. DHS
is to improve sharing of information on cyber attacks, threats, and
vulnerabilities.
DHS cybersecurity responsibilities: Responsibilities related to the
cyberspace strategy's five priorities: Develop and enhance national
cyber analysis and warning capabilities;
Description: Providing cyber analysis and warnings, enhancing
analytical capabilities, and developing a national indications and
warnings architecture to identify precursors to attacks.
DHS cybersecurity responsibilities: Responsibilities related to the
cyberspace strategy's five priorities: Provide and coordinate incident
response and recovery planning efforts;
Description: Providing crisis management in response to threats to or
attacks on critical information systems. This entails coordinating
efforts for incident response, recovery planning, exercising
cybersecurity continuity plans for federal systems, planning for
recovery of Internet functions, and assisting infrastructure
stakeholders with cyber- related emergency recovery plans.
DHS cybersecurity responsibilities: Responsibilities related to the
cyberspace strategy's five priorities: Identify and assess cyber
threats and vulnerabilities;
Description: Leading efforts by the public and private sector to
conduct a national cyber threat assessment, to conduct or facilitate
vulnerability assessments of sectors, and to identify cross-sector
interdependencies.
DHS cybersecurity responsibilities: General CIP responsibilities with a
cyber element: Support efforts to reduce cyber threats and
vulnerabilities;
Description: Leading and supporting efforts by the public and private
sector to reduce threats and vulnerabilities. Threat reduction involves
working with the law enforcement community to investigate and prosecute
cyberspace threats. Vulnerability reduction involves identifying and
remediating vulnerabilities in existing software and systems.
DHS cybersecurity responsibilities: General CIP responsibilities with a
cyber element: Promote and support research and development efforts to
strengthen cyberspace security;
Description: Collaborating and coordinating with members of academia,
industry, and government to optimize cybersecurity related research and
development efforts to reduce vulnerabilities through the adoption of
more secure technologies.
DHS cybersecurity responsibilities: General CIP responsibilities with a
cyber element: Promote awareness and outreach;
Description: Establishing a comprehensive national awareness program to
promote efforts to strengthen cybersecurity throughout government and
the private sector, including the home user.
DHS cybersecurity responsibilities: General CIP responsibilities with a
cyber element: Foster training and certification;
Description: Improving cybersecurity-related education, training, and
certification opportunities.
DHS cybersecurity responsibilities: General CIP responsibilities with a
cyber element: Enhance federal, state, and local government
cybersecurity;
Description: Partnering with federal, state, and local governments in
efforts to strengthen the cybersecurity of the nation's critical
information infrastructure to assist in the deterrence, prevention,
preemption of, and response to terrorist attacks against the United
States.
DHS cybersecurity responsibilities: General CIP responsibilities with a
cyber element: Strengthen international cyberspace security;
Description: Working in conjunction with other federal agencies,
international organizations, and industry in efforts to promote
strengthened cybersecurity on a global basis.
DHS cybersecurity responsibilities: General CIP responsibilities with a
cyber element: Integrate cybersecurity with national security;
Description: Coordinating and integrating applicable national
preparedness goals with its National Infrastructure Protection Plan.
Source: GAO analysis of the Homeland Security Act of 2002, the Homeland
Security Presidential Directive-7, and the National Strategy to Secure
Cyberspace.
[End of table]
DHS Has Established an Organizational Structure to Fulfill Its
Cybersecurity Requirements:
In June 2003, DHS established the National Cyber Security Division
(NCSD), under its Information Analysis and Infrastructure Protection
Directorate, to serve as a national focal point for addressing
cybersecurity issues and to coordinate implementation of the
cybersecurity strategy. NCSD also serves as the government lead on a
public/private partnership supporting the U.S. Computer Emergency
Response Team (US-CERT) and as the lead for federal government incident
response.
NCSD is headed by the Office of the Director and includes a
cybersecurity partnership program as well as four branches: US-CERT
Operations, Law Enforcement and Intelligence, Outreach and Awareness,
and Strategic Initiatives. Table 7 displays the NCSD organization chart
and the major functions of each organization; it is followed by a brief
description of each organization's roles and responsibilities.
Figure 2: NCSD Organization Chart:
[See PDF for image]
[End of figure]
NCSD/US-CERT Director:
The NCSD/US-CERT Director is responsible for issues related to the
operation of the NCSD, such as human resources, policy, and budget, as
well as international coordination efforts. The director is responsible
for managing US-CERT--which is a partnership between NCSD and the
public and private sectors to make cybersecurity a coordinated,
national effort; increase public awareness of cyber threats and
vulnerabilities; and improve computer security preparedness and
response to cyber threats.
DHS Cyber Security Partnership Program:
This program is to foster effective public/private partnership among
and between industry, government, and academia. It is intended to
facilitate and leverage stakeholder collaboration to drive measurable
progress in addressing cybersecurity issues and mitigating cyber
vulnerabilities. Under the auspices of the partnership program, DHS
works jointly with software developers, academic institutions,
researchers, and communities of interest--including the information
sharing and analysis centers (ISAC)--as well as with DHS's federal,
state, local, and international government counterparts.
US-CERT Operations Branch:
NCSD's US-CERT Operations branch focuses on situational awareness,
analytical cells, and federal coordination. It is to provide
capabilities to US-CERT and coordinate all cyber incident warnings and
responses across both the government and the private sector through US-
CERT. A key component of US-CERT is the National Cyber Security
Response System (Response System), which provides a nationwide, real-
time collaborative information-sharing network to enable communication
and collaboration among DHS and federal, state, local, and
international government and law enforcement entities. Components of
the Response System include the following:
* The US-CERT Operations Center serves as a 24-hour-a-day/7-day-a-week,
real-time focal point for cybersecurity, conducting daily conference
calls with U.S.-based watch and warning centers to share classified and
unclassified security information.
* The US-CERT Portal provides a Web-based collaborative system that
allows US-CERT to share sensitive cyber-related information with
members of government and industry.
* The US-CERT Control Systems Security Center serves as an operational
and strategic component of US-CERT's capability to address the complex
security issues associated with the use of control systems.
* The US-CERT public Web site provides government, the private sector,
and the public with information they need to improve their ability to
protect their information systems and infrastructures.
* The National Cyber Alert System is to deliver targeted, timely, and
actionable information to Americans to allow them to secure their
computer systems.
* The National Cyber Response Coordination Group brings together
officials from federal agencies to coordinate public/private cyber
preparedness and incident response.[Footnote 14]
* The Government Forum of Incident Response and Security Teams is a
community of government response teams that are responsible for
securing government information technology systems. This forum works to
understand and handle computer security incidents and to encourage
proactive and preventative security practices.
Law Enforcement and Intelligence Branch:
The Law Enforcement and Intelligence branch of NCSD has two primary
responsibilities: managing the National Cyber Response Coordinating
Group and facilitating the coordination of law enforcement and
intelligence cyber-related efforts for NCSD. This branch provides a
mechanism for information sharing among the components concerned with
cyber issues of law enforcement, intelligence, and the private sector.
This information sharing includes all levels of information
(classified, law enforcement sensitive, and unclassified). The branch
coordinates clearing classified information of its sensitive content
and shares it with private sector partners.
Outreach and Awareness Branch:
NCSD's Outreach and Awareness branch is responsible for outreach,
awareness, and messaging. The branch promotes cybersecurity awareness
among the general public and within key communities, maintains
relationships with governmental cybersecurity professionals to
coordinate and share information about cybersecurity initiatives, and
develops partnerships to promote public/private coordination and
collaboration on cybersecurity issues.
The branch is organized into three functional areas: Stakeholder
Outreach, Communications and Messaging, and Coordination. The
Stakeholder Outreach team serves to build and maintain relationships
among and between industry, government, and academia in order to raise
cybersecurity awareness and secure cyberspace. The Communications and
Messaging team focuses on coordination of internal and external
communications. The Coordination team works to ensure collaboration on
events and activities across NCSD and with other DHS entities,
including the public affairs, legislative affairs, and private-sector
offices and others, as appropriate. In addition, the team works to
foster the department's role as a focal point and coordinator for
securing cyberspace and implementing the National Strategy to Secure
Cyberspace.
Strategic Initiatives Branch:
NCSD's Strategic Initiatives branch is organized into six teams with
different responsibilities, as follows:
* The CIP Cybersecurity team is jointly responsible (with DHS's
National Communications System) for developing a CIP plan for the
Information Technology (IT) Sector, including the Internet, that will
identify critical assets and vulnerabilities, map interdependencies,
and promote cyber awareness throughout other federal sector plans.
* The Control Systems team is responsible for facilitating control
system incident management and security awareness, establishing an
assessment capability for vulnerability reduction and incident
response, creating a self-sustaining security culture within the
control systems community, focusing attention on the protection of
legacy control systems, and making strategic recommendations for the
future of control systems and security products.
* The Software Assurance initiative presents a framework for promoting
and coordinating efforts to improve the security, reliability, and
safety of software.
* The Training and Education team is responsible for promoting the
development of an adequate number of effective cybersecurity
professionals, enhancing cybersecurity capability within the federal
workforce by identifying the skills and abilities necessary for
specific job tasks, and working with other organizations to develop
content standards for training products and for certifications.
* The Exercise Plans and Programs team is charged with improving the
nation's ability to respond to cyber incidents by creating, sponsoring,
and learning from international, national, regional, and interagency
exercises. The team is responsible for planning and coordinating
cybersecurity exercises with internal and external DHS stakeholders.
* The Standards and Best Practices/Research and Development
Coordination team works to encourage technology innovation efforts. The
team is responsible for identifying cybersecurity research and
development requirements and cybersecurity standards issues and for
assembling and distributing information on best practices.
NCSD Collaborates with Other DHS Entities to Accomplish Its Mission:
DHS has additional directorates, branches, and offices with CIP
responsibilities. In its role as the cybersecurity focal point, NCSD
collaborates with these other DHS entities, including the
Infrastructure Coordination Division, which runs the Protected Critical
Infrastructure Information program to encourage sharing of sensitive
information (including cybersecurity-related information), and the
National Communications System, a federal interagency group, which is
responsible for, among other things, improving the effectiveness of the
management and use of national telecommunications resources to support
the federal government during emergencies. In appendix II, we discuss
other DHS entities with responsibilities for CIP-related activities
that impact cybersecurity.
DHS Has Initiated Efforts That Begin to Address Its Responsibilities,
but More Work Remains:
DHS has initiated efforts that begin to address each of its 13 key
responsibilities for cybersecurity; however, the extent of progress
varies among these responsibilities, and more work remains to be done
on each. For example, DHS (1) has recently issued an interim plan for
infrastructure protection that includes cybersecurity plans, (2) is
supporting a national cyber analysis and warning capability through its
role in US-CERT, and (3) has established forums to build greater trust
and to encourage information sharing among federal officials with
information security responsibilities and among various law enforcement
entities. However, DHS has not yet developed national cyber threat and
vulnerability assessments or developed and exercised government and
government/industry contingency recovery plans for cybersecurity,
including a plan for recovering key Internet functions. The department
also continues to have difficulties in developing partnerships, as
called for in federal policy, with other federal agencies, state and
local governments, and the private sector. Without such partnerships,
it is difficult to develop the trusted, two-way information sharing
that is essential to improving homeland security.
We discuss below the steps that DHS has taken related to each of the
department's 13 key responsibilities and the steps that remain.
DHS Recently Issued National Plan For Improving Critical Infrastructure
Protection That Includes Cybersecurity, but This Plan Is Not Yet
Comprehensive and Complete:
In February 2005, DHS issued a national plan for critical
infrastructure protection that includes cybersecurity-related
initiatives. This plan, the Interim National Infrastructure Protection
Plan (Interim NIPP), addresses many of the requirements identified in
federal law and policy, but it does not yet comprise a comprehensive
and complete plan.
Specifically, the Interim NIPP provides a strategy for protecting
critical infrastructures by integrating physical security and
cybersecurity in its goals, objectives, and planned actions. Key
actions include developing and implementing sector-specific and cross-
sector protection plans; conducting cross-sector interdependency
analysis; conducting and updating vulnerability assessments at the
asset, sector, and cross-sector levels; and establishing performance
metrics. In addition, the Interim NIPP establishes a national
organizational structure to provide effective partnerships,
communications, and coordination between DHS and infrastructure
stakeholders.
However, the plan does not yet comprise the comprehensive national plan
envisioned in federal law and policy, for several reasons, including
the following.
* The Interim NIPP lacks sector-specific cybersecurity plans. This plan
does not yet include detailed plans for addressing cybersecurity in the
infrastructure sectors. Agency officials acknowledge that many of the
detailed plans for addressing cybersecurity will be included in the
sector-specific annexes that are to be provided in the next version of
the plan. To ensure that cybersecurity will be appropriately and
consistently addressed in the next version of the plan, NCSD has
provided guidance to sector-specific agencies regarding the inclusion
of cybersecurity issues in their respective sector-specific plans. In
addition, NCSD continues to review and provide feedback on the sector-
specific plans, which will become annexes to the next NIPP.
* The Interim NIPP is not yet a final plan. The development of this
plan is an ongoing, evolving process that requires the participation of
key stakeholders, including other federal agencies, state and local
governments, the private sector, foreign countries, and international
organizations. DHS expects to obtain and incorporate stakeholder
comments and to issue a more complete NIPP in November 2005.
* The Interim NIPP lacks required milestones. Specifically, this plan
does not include any national-level milestones for completing efforts
to enhance the security of the nation's critical infrastructures.
According to a DHS official, these milestones will be incorporated in
the sector-specific plans.
DHS acknowledges the need to address these issues with the Interim NIPP
and plans to do so in subsequent versions. According to DHS officials,
as the NIPP evolves and as the sector-specific plans are developed, the
level of specificity will increase to include key initiatives and
milestones.
DHS Has Taken Positive Steps Toward Building Partnerships and Improving
Information Sharing, but Additional Work Is Needed:
DHS has undertaken numerous initiatives to foster partnerships and
enhance information sharing with other federal agencies, state and
local governments, and the private sector about cyber attacks, threats,
and vulnerabilities; but more work is needed to address underlying
barriers to sharing information.
DHS and NCSD have multiple initiatives under way to enhance
partnerships and information sharing. Descriptions of selected
initiatives are provided in table 7.
Table 7: DHS Partnership and Information-Sharing Initiatives:
Initiative: National Cyber Response and Coordination Group;
Description:
* Facilitates coordination of intragovernmental and public/private
preparedness and operations in order to respond to and recover from
incidents that have significant cyber consequences;
* Brings together officials from national security, law enforcement,
defense, intelligence, and other government agencies that maintain
significant cybersecurity responsibilities and capabilities.
Initiative: National Cyber Security Response System;
Description:
* Provides a nationwide, real-time, collaborative information-sharing
network that enables state and local government officials, federal
agencies, the private sector, international counterparts, and law
enforcement entities to communicate and collaborate with DHS and each
other about cyber issues;
* Includes a number of different mechanisms for sharing information
between and among federal and nonfederal entities, including the US-
CERT operations center, the US-CERT portal, the US-CERT Control Systems
Security Center, the US-CERT public Web site, and the National Cyber
Alert System.
Initiative: Expanded use of Cyber Warning Information Network;
Description:
* Expands DHS's use of the Cyber Warning Information Network, a private
communications network (voice and data) with no logical dependency on
the Internet or the public switched network in order to provide a
backup mechanism for information sharing.
Initiative: Government Forum of Incident Response and Security Teams;
Description:
* Brings together technical and tactical practitioners from government
agency security response teams. Forum members work together to
understand and handle computer security incidents reported by federal
agencies and to encourage proactive and preventative security
practices;
* Shares specific technical details regarding incidents within a
trusted U.S. government environment on an agency-to- peer level.
Initiative: Chief Information Security Officers Forum;
Description:
* Brings together federal officials responsible for the information
security of their respective agencies and provides a trusted venue for
them to collaborate; leverage each other's experiences, capabilities
and programs, and lessons learned; and address and discuss particularly
problematic or challenging areas.
Initiative: DHS Cyber Security Partnership Program;
Description:
* Develops and enhances strategic partnerships with 32 industry
associations and hundreds of small, medium, and large enterprises,
establishing an outreach channel of over 1 million constituents;
* Facilitates improved information sharing, including the interchange
of lessons learned and best practices.
Initiative: ISAC partnerships;
Description:
* Enhances partnerships with the ISACs--including the ISACs for
electricity, telecommunications, and states, and with information
technology vendors. DHS officials reported that all of the critical
infrastructure sectors' ISACs are part of the US-CERT portal and that
they participate in information sharing exercises--including regularly
scheduled daily or biweekly meetings.
Initiative: US-CERT Control Systems Security Center Outreach;
Description:
* Fosters public/private collaboration to improve the security of
critical infrastructure control systems. NCSD reports that it has
established relationships with more than 25 potential partners for
future participation in the center.
Initiative: Internal DHS collaboration;
Description:
* Entails NCSD collaborating with the Protected Critical Infrastructure
Information program office to establish procedures for the private
sector to electronically submit critical infrastructure information.
These offices have developed a process for companies and other entities
to use to facilitate sharing protected information on a continual
basis.
Source: GAO analysis based on DHS information.
[End of table]
Although NCSD has taken steps to develop partnerships and information-
sharing mechanisms, the organization has not effectively leveraged its
partnerships to increase the sharing of information. For example,
although the Multi-State ISAC and US-CERT have established an effective
working relationship, according to officials from both organizations,
their ability to share classified information has been hindered by ISAC
members' lack of security clearances. Further, DHS officials reported
that only limited information has been shared by the private sector
under the Protected Critical Infrastructure Information
program[Footnote 15] because of private sector concerns about what
information DHS would share with other federal agencies.
Additionally, key stakeholders in NCSD partnerships have expressed
concerns about information sharing. For example, while officials from
several CIP-related federal agencies found the Chief Information
Security Officers forum to be valuable, officials from one agency
stated that it had been largely ineffective in improving communications
among federal agencies. Regarding NCSD's efforts with the private
sector, one ISAC reported publicly that its information sharing with
DHS was disintegrating. Further, a representative from that ISAC stated
that DHS had abruptly stopped sending notices to ISAC managers and no
longer called the ISAC about new terrorism activity. Further, an ISAC
official stated that when the ISAC recently contacted DHS's Homeland
Security Operations Center about rumors of a dirty bomb during a
national event, ISAC officials were told to obtain the information from
the media.
Issues related to the development of partnerships and of appropriate
information-sharing relationships are not new. In July 2004, we
recommended actions to improve the effectiveness of DHS's information-
sharing efforts.[Footnote 16] We recommended that officials within the
Information Analysis and Infrastructure Protection Directorate (1)
proceed with and establish milestones for developing an information-
sharing plan and (2) develop appropriate DHS policies and procedures
for interacting with ISACs, sector coordinators (groups or individuals
designated to represent their respective infrastructure sectors' CIP
activities), and sector-specific agencies and for coordination and
information sharing within the Information Analysis and Infrastructure
Protection Directorate and other DHS components. Moreover, we recently
designated establishing appropriate and effective information-sharing
mechanisms to improve homeland security as a new high-risk
area.[Footnote 17] We reported that the ability to share security-
related information can unify the efforts of federal, state, and local
government agencies and the private sector in preventing or minimizing
terrorist attacks.
In its strategic plan for cybersecurity, DHS acknowledges the need to
build better partnerships and information-sharing relationships. Among
the actions that DHS identified are enhancing the US-CERT Operations
Center's capabilities and increasing participation in information-
sharing mechanisms such as the National Cyber Alert System. For the
nonfederal sector, DHS's strategic plan for cybersecurity includes
actions to develop effective public/private partnerships through
associations, ISACs, Internet service providers, and improved
international partnerships. For federal agency information security,
the strategic plan identifies efforts to improve government mechanisms,
such as the National Cyber Response Coordination Group and the
Government Forum of Incident Response and Security Teams. In addition,
the Interim NIPP acknowledges as a goal, the importance of building
partnerships among stakeholders to implement critical infrastructure
protection programs and identifies related objectives, including
establishing mechanisms for coordination and information exchange among
partners.
DHS Provides National Cyber Analysis and Warning Capabilities but Has
Not Yet Developed an Architecture to Support Strategic Capabilities,
and Analytical Tools Require Further Maturity:
DHS has collaborated on, developed, and is working to enhance tools and
communication mechanisms for providing analysis and warning of
occurring and potential cyber incidents, but it has not yet developed
the indications and warning architecture required by HSPD-7, and
important analytical tools are not yet mature.
Through NCSD's involvement in US-CERT, DHS provides cyber analysis and
warning capabilities by providing continuous operational support in
monitoring the status of systems and networks. When a new vulnerability
or exploit is identified, US-CERT evaluates its severity; determines
what actions should be taken and what message should be disseminated;
and provides information through NCSD's multiple communications
channels, including its daily telephone call with other U.S.-based
watch and warning centers, the US-CERT portal, the US-CERT public Web
site, and the National Cyber Alert System. It produces the following
types of warnings:
* Technical cybersecurity alerts--provide real-time information about
current security issues, vulnerabilities, and exploits.
* Cybersecurity bulletins--provide technical audiences with weekly
summaries of security issues and new vulnerabilities.
* Cybersecurity alerts--provide nontechnical audiences with real-time
information about current issues, vulnerabilities, and exploits and
include steps and actions that nontechnical users can take.
* Cybersecurity tips--describe common security issues and offer advice
for nontechnical users.
* Vulnerability notes--provide warnings about vulnerabilities that do
not meet the severity threshold required to issue an alert.
Additionally, when a situation warrants direct contact with a federal
agency, an infrastructure sector, or a nonfederal entity, NCSD contacts
the entity and provides relevant information prior to making public
announcements about the situation. This includes collaborating with
relevant software vendors on a particular vulnerability or exploit.
DHS is also involved in several initiatives to enhance cyber analytical
capabilities. Key initiatives are identified in table 8.
Table 8: DHS Initiatives to Enhance Analytical Capabilities:
Initiative: Intelligence sharing;
Description: US-CERT serves as a conduit for sharing information from
the intelligence and law enforcement communities to the civilian
federal and nonfederal communities. According to an NCSD official, its
law enforcement and intelligence branch works to share declassified
information about threats, malicious activities, or vulnerabilities
with US-CERT members. In addition, US-CERT can share information with
the law enforcement and intelligence communities that might not reach
these groups by other means.
Initiative: Situational awareness tools;
Description: NCSD's US-CERT Einstein Program, which is currently in
pilot testing at the Department of Transportation, is to obtain network
flow data from federal agencies and analyze the traffic patterns and
behavior. This information is to be combined with other relevant data
to (1) detect potential deviations and identify how Internet activities
are likely to affect federal agencies and (2) provide insight into the
health of the Internet and suspicious activities.
Initiative: Malicious Code Analysis Program;
Description: This program includes (1) a laboratory for analyzing
malicious code and developing countermeasures and (2) a common
vulnerabilities and exposures dictionary system to correlate
information across vendor products.
Initiative: Cyber-incident repository;
Description: NCSD officials are collaborating with multiple partners
(including the Department of Defense, the intelligence community, law
enforcement, academia, private industry, and the public) to develop a
repository for cyber-related intelligence data.
Source: GAO analysis based on DHS information.
[End of table]
Despite its progress in providing analysis and warning capabilities,
DHS has not yet developed or deployed a national indications and
warning architecture for infrastructure protection that would identify
the precursors to a cyber attack, and NCSD's analytical capabilities
are still evolving and are not yet robust. For example, the US-CERT
Einstein program, identified in table 8, is in the early stages of
deployment and is currently being pilot tested at one agency. In
addition, NCSD officials acknowledge that the program's current
analytical capabilities are not expected to provide national-level
indicators and precursors to a cyber attack, as called for in HSPD-7's
requirement that DHS provide an indications and warning architecture.
DHS is still facing the same challenges in developing strategic
analysis and warning capabilities that we reported on 4 years ago
during a review of NCSD's predecessor, the National Infrastructure
Protection Center. In 2001, we reported on the analysis and warnings
efforts within the center and identified several challenges that were
impeding development of an effective strategic analysis and warning
capability.[Footnote 18] We reported that a generally accepted
methodology for analyzing strategic cyber-based threats did not exist.
Specifically, there was no standard terminology, no standard set of
factors to consider, and no established thresholds for determining the
sophistication of attack techniques. We also reported that the Center
did not have the industry-specific data on factors such as critical
systems components, known vulnerabilities, and interdependencies.
We therefore recommended that the responsible executive-branch
officials and agencies establish a capability for strategic analysis of
computer-based threats, including developing a methodology, acquiring
expertise, and obtaining infrastructure data. However, officials have
taken little action to establish this capability, and therefore our
recommendations remain open today.
In its strategic plan for cybersecurity, DHS acknowledges that it has
more to do to enhance its analytical capability and to leverage
existing capabilities. Specifically, it establishes objectives and
activities to:
* enhance the US-CERT Operations Center capability,
* expand the US-CERT Einstein Program pilot to a total of six agencies,
* promote consistency across federal civilian incident-response teams,
* develop a vulnerability assessment methodology and compile
vulnerability information, and:
* improve its coordinated cyber intelligence capability.
DHS Has Improved Its Ability to Coordinate Incident Response, but More
Recovery Planning and Exercises Are Needed:
DHS has improved its ability to coordinate a response to cyber attacks
with federal, state, and local governments and private-sector entities
through the communications capabilities that it has developed for US-
CERT, the continued expansion of backup communication capabilities, and
the establishment of collaboration mechanisms. However, DHS's plans and
exercises for recovering from attacks are not yet complete and
comprehensive.
As a partnership between DHS and the public and private sectors to make
cybersecurity a coordinated national effort, US-CERT is an essential
mechanism for coordinating information and activity on a real-time
basis. US-CERT's Operations Center, secure portal, public Web site, and
National Cyber Alert System not only provide means for disseminating
alerts and warnings--as discussed above--but they also support incident
response and recovery efforts.
Additionally, DHS is expanding its incident response and recovery
capabilities through the use of the Critical Infrastructure Warning
Information Network, a survivable communications network that does not
rely on public telecommunications networks or the Internet. DHS has
installed these network terminals in key government network operations
centers, in several private industry network operations centers, and in
the United Kingdom's National Infrastructure Security Coordination
Centre. In addition, it is considering placing additional network nodes
at critical government agencies, companies, and trusted foreign
partners.
Additional initiatives to expand incident response and recovery
capabilities, including mechanisms for collaboration, are identified in
table 9.
Table 9: Incident Response and Recovery Initiatives:
Initiative: National Cyber Response Coordination Group;
Description: The National Cyber Response Coordination Group was
formalized in the Cyber Annex of the National Response Plan and is
cochaired by NCSD, the Department of Justice's Computer Crime and
Intellectual Property Section, and the Department of Defense. In the
event of a significant incident (including cyber incidents and physical
incidents that affect cyber networks), this group would play a major
role in coordinating responses and recovery planning. Specifically, it
is expected to develop and provide a strategic assessment of the impact
on the information infrastructure and a coordinated response, through
its close association with others in private industry, academia, and
international and local governments; The National Cyber Response
Coordination Group brings together officials from all agencies that
have a statutory responsibility for cybersecurity and the sector-
specific agencies identified in HSPD-7. The group meets monthly and is
developing cyber preparedness and response plans that will help it
support the overarching mission of the DHS Interagency Incident
Management Group. To date, the group has conducted two exercises to
test its concept of operations and communications mechanisms and has
held a workshop to analyze the thresholds for convening the group.
Initiative: National Exercise Program Office;
Description: DHS established the National Exercise Program Office to
improve response planning and coordination between public and private
incident response and recovery capabilities by having them undertake
exercises; To date, NCSD has sponsored several exercises that test
cyber readiness in various geographic locations and critical
infrastructure sectors across the nation. In September and October
2004, regional exercises were held in Seattle and New Orleans. Both
exercises highlighted dependencies between cyber and physical
infrastructures and interdependencies among critical infrastructures.
These exercises also identified and tested the coordination and
cooperation among federal, state, and local governments and the private
sector that would be necessary in the case of attacks (both physical
and cyber) on the critical infrastructures in those regions of the
United States. According to NCSD officials, these regional exercises
have pointed out the importance of regional response capabilities and
have spurred activity in both regions to develop working groups to
improve response capabilities within those regions; NCSD, along with
DHS's Office of Domestic Preparedness, sponsored two cyber-focused
tabletop exercises[A] in Connecticut and New Jersey. According to NCSD
officials, these tabletop exercises offered an opportunity for key
state agencies, including information technology, emergency
preparedness, and law enforcement, to address cybersecurity issues and
increase coordination within their state governments as well as with
the federal government. In addition, NCSD prepared the cyber- related
portion for the Top Officials 3 exercise, referred to as TOPOFF 3, that
occurred in March and April 2005. This exercise tested not only
response to attacks, but also continuity of government and operations;
emergency response at the state, regional, and local levels; and
containment and mitigation of chemical, nuclear, and other attacks;
Further, according to NCSD officials, the NCSD Exercise Team is working
closely with the National Cyber Response Coordination Group to sponsor
a series of four tabletop exercises in fiscal year 2005 that are
intended to mature and refine the interagency body's Concept of
Operations and to accelerate the development of detailed procedures
under the Cyber Annex to the National Response Plan; The lessons
learned from these and other exercises will form the building blocks
for an NCSD-sponsored National Cyber Exercise, CYBER STORM, planned for
November 2005, which is expected to include private-sector, as well as
state government, participation.
Initiative: US-CERT Control Systems Security Center;
Description: NCSD established the US-CERT Control Systems Security
Center to reduce vulnerabilities and to respond to threats to control
systems. The center compiled a list of the control system technologies
in use, including the underlying platforms, so that the US-CERT could
rapidly identify the impact of cyber vulnerabilities on control
systems.
Initiative: Internet Disruption Working Group;
Description: In order to coordinate cybersecurity contingency plans,
including a plan for recovering key Internet functions, DHS formed the
Internet Disruption Working Group. Among other things, this group is to
determine the operational dependency of critical infrastructure sectors
on the Internet, assess the consequences of the loss of Internet
functionality, and work with stakeholders to identify and prioritize
short-term protective measures and reconstitution measures to be used
in the event of a major disruption.
Source: GAO analysis of DHS information.
[A] A tabletop exercise is a focused practice activity that places the
participants in a simulated situation requiring them to function in the
capacity that would be expected of them in a real event. Its purpose is
to promote preparedness by testing policies and plans and by training
personnel.
[End of table]
While DHS has made clear progress in planning for incident response,
key steps remain to be taken in order to fulfill requirements for
exercising continuity plans for federal systems and for coordinating
the development of government/industry contingency recovery plans for
cybersecurity--as recommended in the cyberspace strategy. Specifically,
DHS does not yet have plans (or associated performance measures or
milestones) for testing federal continuity plans, for recovering key
Internet functions, or for providing technical assistance to both
private-sector and other government entities as they develop their own
emergency recovery plans. Without continuity planning exercises,
federal agencies will not be able to coordinate efforts to ensure that
the critical functions provided by federal systems would continue
during a significant event and that recovery from such an event would
occur in an effective and timely manner. In addition, without plans to
address the recovery of key Internet functions, it is unclear how
recovery would be performed and how federal capabilities could be used
to assist with recovery.
In commenting on a draft of this report, NCSD officials stated that
although the division is not currently sponsoring any exercises to test
other department and agencies' continuity plans or plans for recovering
key Internet functions, they are participating in and offering
cybersecurity expertise to already existing department and agency
exercises that test continuity of operations and plans for recovery.
DHS Has Begun Efforts to Identify and Assess Threats and
Vulnerabilities, but Much Remains to Be Done to Complete These
Assessments:
DHS has participated in national efforts to identify and assess cyber
threats and has begun taking steps to facilitate sector-specific
vulnerability assessments, but it has not yet completed the
comprehensive cyber threat and vulnerability assessments--or the
identification of cross-sector interdependencies--that are called for
in the cyberspace strategy.
In late 2003 and early 2004, DHS assisted in coordinating the cyber-
related issues for the National Intelligence Estimate of Cyber Threats
to the U.S. Information Infrastructure. The resulting classified
document issued in February 2004 details actors (nation-states,
terrorist groups, organized criminal groups, hackers, etc.),
capabilities, and, where known, associated intent. National
intelligence estimates provide America's highest integrated national
threat assessment and are used throughout the defense, intelligence,
and homeland security communities.
Regarding ongoing threat identification, DHS's Infrastructure
Protection Office, Information Analysis Office, and NCSD coordinate
efforts on a daily basis. For example, NCSD works closely with the
Information Analysis Office to coordinate the exchange of threat
information, discussions of the potential threat to critical
infrastructures based on reported information, and the creation of
cyber-based intelligence requirements to gather additional information.
In addition, as discussed earlier, information is shared between the
private sector and the intelligence community through US- CERT.
According to NCSD officials, because there are restrictions on the
ability of some parts of the intelligence communities to collect
information within the United States, information properly shared
through US-CERT could help the intelligence community to develop better
situational awareness.
DHS has also taken a number of foundational steps toward developing the
comprehensive vulnerability assessment mandated by HSPD-7. Three key
initiatives are discussed below:
* Development of a Baseline Methodology for Vulnerability Assessment--
As the designated entity for fulfilling DHS's responsibility as the
sector-specific agency for the IT infrastructure sector, NCSD is
currently identifying the IT sector's critical assets and developing a
baseline methodology for performing vulnerability assessments within
the sector. To do so, NCSD is studying existing vulnerability
assessment methodologies with the idea of developing a flexible
baseline methodology that can be used by members of the IT sector who
do not yet have established methodologies. An NCSD official stated that
a secondary use for this methodology would be as baseline guidance for
cyber assessments across the other critical infrastructures, to be
carried out by the sector-specific agencies and their sectors.
* Development of a Cyber Assessment Template--NCSD is assisting DHS's
Information Analysis and Infrastructure Protection Directorate's
Protective Security Division by developing a cyber assessment template
for their "site assistance visits" to be used to assess the security of
critical infrastructure facilities. The cyber-related segment of these
visits includes an assessment of process control systems, including
supervisory control and data acquisition, and business information
technology. According to NCSD officials, they have developed the
process control template and are currently developing the business
information technology template.
* Development of Sector Guidance--As the subject matter expert for the
cyber aspects of the National Infrastructure Protection Plan and
associated sector-specific plans, NCSD has developed and distributed
guidance to assist sector-specific agencies in addressing the cyber
components of their sectors.
While NCSD's plans are focused on important issues, it has not yet
completed the national cyber threat assessment and the sector
vulnerability assessments--or the identification of cross-sector
interdependencies--that are called for in the cyberspace strategy.
Further, its assessment efforts are still in early stages. For example,
according to an NCSD official, efforts to develop a vulnerability
assessment methodology for the IT Sector are in early development. As
part of its next steps, NCSD plans to involve the private sector in
completing the methodology and then give a larger group of stakeholders
in the IT Sector an opportunity to review and comment on it. NCSD also
plans to assist the IT sector in conducting its cybersecurity-related
vulnerability assessment. Once these assessments are complete, NCSD
plans to coordinate a thorough analysis of the impact that
interdependencies have on sectors and entities within the sectors.
The Interim NIPP and DHS's strategic plan for cybersecurity acknowledge
that much remains to be done in the areas of threat and vulnerability
assessment. The Interim NIPP recognizes that DHS is responsible for
analyzing specific threats, providing threat warnings, and conducting
general threat assessments. It also reports that the Information
Analysis and Infrastructure Protection Directorate's Office of
Infrastructure Protection will conduct vulnerability assessments for a
number of purposes, including investigating interdependencies, filling
selected gaps, and testing new methodologies. Additionally, one of
NCSD's strategic goals is to work with the public and private sectors
to reduce vulnerabilities and to minimize the severity of cyber
attacks. As part of this goal, NCSD plans to define and execute
methodologies to identify critical assets and to identify and assess
vulnerabilities. It established a milestone of developing a
vulnerability assessment methodology for the IT Sector by the third
quarter of fiscal year 2005. However, neither DHS nor NCSD has defined
plans, performance measures, or milestones for completing the required
national cyber-related threat and sector vulnerability assessments, or
for identifying cross-sector interdependencies.
In commenting on a draft of this report, NCSD officials noted that
because of the IT sector's recent formation and its complexity, NCSD
has not set strict milestones or performance measures for completing
plans. NCSD officials noted, however, that milestones have been set for
(1) defining the sector, (2) creating a public/private collaboration
mechanism, and (3) developing methodologies for identifying assets and
vulnerability assessments. NCSD officials stated that these steps must
be fulfilled in order to ensure accurate assessments and to identify
cross-sector interdependences.
Performing infrastructure sector-level vulnerability assessments and
developing related remedial plans have been long-standing issues that
were identified as requirements in Presidential Decision Directive 63
in 1998. From a planning perspective, it is important to perform
comprehensive vulnerability assessments of all of our nation's critical
infrastructures because such assessments can enable authorities to
evaluate the potential effects of an attack on a given sector and then
invest accordingly to protect that sector. Without a vulnerability
assessment and remedial plan, it will be difficult to know with any
certainty that those vulnerabilities that could cause the greatest
harm--or are most likely to be exploited--have been addressed. In
September 2001, we reported that substantive, comprehensive analysis of
infrastructure sector vulnerabilities and the development of remedial
plans had not yet been performed because sector coordinators were still
establishing the necessary relationships, identifying critical assets
and entities, and researching and identifying appropriate
methodologies.[Footnote 19] In May 2004, we reported that some sectors
had taken steps to perform sector-wide vulnerability assessments or to
require individual entities to perform vulnerability assessments for
their facilities and operations.[Footnote 20] However, others--
including the IT sector--still have not taken such actions. Until a
comprehensive threat assessment and sector-specific vulnerability
assessments are completed and cross-sector dependencies are identified,
DHS cannot ensure that all threats and vulnerabilities have been
identified and addressed.
In commenting on a draft of this report, NCSD officials stated that
because of the IT sector's recent formation and its complexity, NCSD
and the sector face challenges in defining the sector, developing
effective partnerships, and identifying critical assets. The officials
also stated that significant progress has been made in developing
methodologies to identify assets and assess vulnerabilities in the IT
sector; however, continued collaborative efforts are necessary to
ensure that all threats and vulnerabilities are identified and
addressed.
DHS Has Several Threat and Vulnerability Reduction Efforts Under Way,
but More Action Is Needed:
DHS has initiated efforts to reduce threats by enhancing its
collaboration with the law enforcement community and to reduce
vulnerabilities by shoring up guidance on software and system security,
but much remains to be done.
To support efforts to reduce cyber threats, NCSD has restructured its
organization to improve its coordination with the law enforcement
community and has initiated numerous outreach initiatives.
Specifically, NCSD restructured its organization to establish a law
enforcement and intelligence branch. It currently has representatives
from the cyber components of five different agencies: the National
Security Agency, U.S. Immigration and Customs Enforcement, U.S. Secret
Service, Federal Bureau of Investigation, and Central Intelligence
Agency. This branch provides an information-sharing mechanism among the
intelligence, law enforcement, and network security communities. For
example, there have been at least two instances where the intelligence
community had discovered cyber-related issues that it wanted to report
to the public, but it was unable to do so because it would potentially
reveal sources and methods, according to an NCSD official. In those
cases, NCSD and the intelligence community collaborated to develop and
release a public alert that conveyed the threat without revealing
sensitive information. In addition, the law enforcement and
intelligence branch has provided information from the law enforcement
community to the intelligence community. For example, according to an
NCSD official, in August 2004, the organization received information
about a potential software vulnerability from a law enforcement partner
that it shared with the intelligence community.
Additionally, NSCD's law enforcement and intelligence branch has taken
steps to improve its domestic and international outreach efforts to
support threat reduction; and, according to an NCSD official, the
interaction and coordination among the branch and other agencies on
cyber-related issues have been effective. Key outreach initiatives
include the following:
* Within the federal government, NCSD's law enforcement and
intelligence branch has developed a relationship with other law
enforcement entities, including entities within the Departments of
Energy and Defense and the federal inspector general community.
* DHS supports the Cybercop Portal, which is a secure, internet-based
information-sharing mechanism that allows members of local, state, and
federal government law enforcement organizations to discuss issues
related to electronic/cyber crime and threat reduction. At the time of
our review, according to an NCSD official, there were over 6,000
members from the 50 states, most government agencies, and over 40
countries.
* According to an NCSD official, NCSD has entered into a partnership
with the Department of Justice's Bureau of Justice Statistics to
conduct a joint survey to study the amount and scope of cyber crime in
the United States. The survey will be distributed to 36,000 businesses,
including small businesses covering all critical infrastructure
sectors.
* NCSD is reviewing the possibility of enhancing the U.S. computer
crime statute (18 U.S.C. 1030). Specifically, according to NCSD
officials, it is trying to determine the effect of criminalizing the
development and possession (with criminal intent) of malicious computer
code, such a change would provide law enforcement with a proactive
mechanism to address certain cyber crimes. NCSD has entered into
preliminary discussions with the Department of Justice's Computer
Crimes and Intellectual Property Section and with other federal, state,
and local law enforcement agencies. In addition, NCSD has solicited
opinions from the private sector and from academia.
To reduce vulnerabilities, NCSD is encouraging the development of
better quality and more secure software. It has established a plan
targeting four areas: (1) people (including software developers and
users), (2) processes (including best practices and practical software
development guidelines), (3) software evaluation tools, and (4)
acquisition--creating software security improvements through
acquisition specifications and guidelines. To accomplish its plans,
NCSD has undertaken the following initiatives:
* NCSD has hosted and cohosted various forums and workshops that
focused on topics such as developing a common body of knowledge for
software assurance and improving the quality, reliability, and
dependability of software. For example:
* NCSD has hosted three workshops, with subject matter experts from
academia and the private sector, to begin the process of developing a
common body of knowledge on software assurance that could be used by
educators across the country to develop curricula for academic programs
in software engineering, information assurance, and various other
disciplines.
* DHS and the Department of Defense have cosponsored two Software
Assurance Forums to bring together representatives from industry,
government, and academia to address the challenges in software security
and quality.
* NCSD is inventorying existing software assurance-related efforts in
public and private industry to develop and publish practical guidance,
reference materials, and best practices for training software
developers.
* NCSD is conducting a software assurance security tools evaluation to
support and promote the development of technological advances in
software assurance. In coordination with the National Institute of
Science and Technology, NCSD has created a set of studies and
experiments to measure the effectiveness of various tools and classes
of tools.
* NCSD is working with the Department of Defense and other government
agencies to examine successful models and to develop and publish best
practices for acquisition language and evaluation. NCSD also is working
to develop and publish common or sample statement of work/procurement
language, which includes provisions on liability, for federal
acquisition managers.
* According to an NCSD official, the organization has also formed a
working group to address the issue of preventing a major disruption on
the Internet. The working group is composed of federal agencies with an
interest in preventing a major interruption on the Internet. These
agencies are the Department of the Treasury, the Department of Defense,
the National Communication System, and NCSD (including US-CERT and
CERT/CC). The working group has also tried to include key private-
sector individuals. The group's initiatives include efforts to (1)
create various scenarios for disruptions in order to determine whom to
work with to solve the problem, how to respond and what to do, and what
protective measures should be put in place; and (2) determine what
infrastructure sectors are functionally dependent on the Internet.
While NCSD has many efforts under way to coordinate threat reduction
activities, it is limited in what it can do on vulnerability reduction
until the cyber-related vulnerability assessments (discussed in the
previous section) are completed. Since DHS is now planning a
methodology for conducting vulnerability assessments, it will likely be
some time before stakeholders can conduct the assessments--and even
longer before they are able to develop a comprehensive plan for
reducing vulnerabilities.
In its strategic plan for cybersecurity, DHS acknowledges that there is
more to do to coordinate both threat and vulnerability reduction
efforts. Specifically, NCSD has established a strategic goal to
coordinate with the intelligence and law enforcement communities to
identify and reduce threats to cyberspace. As part of this goal, NCSD
identified a number of actions to improve the available information on
cyber incidents, publish the results of the planned cyber incident
survey, improve the Cybercop Portal, and reach out to other law
enforcement entities. Regarding vulnerability reduction, NCSD has
established a goal to reduce vulnerabilities and a list of action
items, including actions to improve the security within the IT
infrastructure sector; to address cybersecurity issues for control
systems; to improve software assurance efforts; and to promote
cybersecurity standards and best practices.
DHS Is Collaborating on Cybersecurity Research and Development, but a
Comprehensive Plan and Associated Milestones are Not Yet in Place:
DHS is collaborating with the Executive Office of the President's
Office of Science and Technology Policy and with many other federal
departments and agencies, including the Departments of Agriculture,
Commerce, Defense, and Energy, to develop a national research and
development plan for CIP, including cybersecurity. However, a complete
plan is not yet in place, and the milestones for key activities under
this plan have not yet been developed.
NCSD coordinates with DHS's Science and Technology Directorate to
develop (1) the Cyber Security Research and Development Portfolio and
(2) the CIP Portfolio that targets process control system security and
includes some research and development projects. Research programs
include efforts to develop operational analysis tools to enhance the
security of domain name systems, establish secure routing protocols,
and improve Internet security. In addition, NCSD participates in the
Critical Information Infrastructure Protection Interagency Working
Group, which is cochaired by the Executive Office of the President's
Office of Science and Technology Policy and DHS's Science and
Technology Directorate, to identify critical cyber research and
development requirements for inclusion in the federal research and
development effort. As part of this requirement identification process,
NCSD determines where the private sector has already done research and
development, in order to minimize overlap and wasted effort. An NCSD
official reports that requirements come from software developers and
from the agency's work with industry, academia, and other government
agencies.
Although DHS is working to identify cyber research requirements and to
support and coordinate cybersecurity-related research and development
projects, the working group cochaired by DHS and the Executive Office
of the President's Office of Science and Technology Policy that was
required to lead the effort to issue a national research and
development plan for CIP (including cybersecurity) has not yet
developed a comprehensive plan. Also, while the Interim NIPP
acknowledges the importance of research and development to a variety of
cybersecurity initiatives--including improving Internet security
protocols and developing a next generation security architecture
featuring autonomic, self-aware, and self-healing systems--it does not
identify goals or milestones associated with developing a prioritized
plan for these initiatives.
In commenting on a draft of this report, DHS Science and Technology
Directorate officials stated that the first public version of the
national research and development plan supporting CIP had recently been
released.[Footnote 21] They acknowledged, however, that this is a
baseline plan and does not include an investment plan and road map that
are to be added next year. In addition, these officials commented that
milestones have not yet been established because planning activities
are in progress.
DHS Has Made Progress in Implementing an Awareness and Outreach
Strategy, but More Remains to Be Done:
DHS has made progress in increasing cybersecurity awareness by
implementing numerous awareness and outreach initiatives, but the
effectiveness of its activities is unclear because many CIP
stakeholders are still uncertain of DHS's cybersecurity roles. Table 10
identifies key DHS awareness and outreach initiatives.
Table 10: DHS Cybersecurity Awareness and Outreach Initiatives:
Initiative: National Cyber Alert System;
Description: DHS established the National Cyber Alert System (NCAS) to
deliver targeted, timely, and actionable information to the public on
how to secure computer systems. Information provided by the alert
system is designed to be understandable by all computer users, both
technical and nontechnical. More than 270,000 users have subscribed to
the system and are receiving regular alerts and updates that enhance
their ability to prepare for, mitigate, and respond to adverse cyber
events. To date, NCAS has issued several alerts as well as "best
practices" and "how-to" guidance messages. In addition, its "cyber
tips" help to educate home users on basic security practices and
increase overall awareness.
Initiative: US-CERT public Web site;
Description: DHS manages the US- CERT public Web site, which provides
information on cyber incidents and cybersecurity. According to NCSD
officials, it receives about 3.5 million hits per month.
Initiative: National Cyber Security Awareness Month;
Description: DHS partnered with the public and private sector to
establish October as the National Cyber Security Awareness Month and
participated in activities to raise awareness of cybersecurity
nationwide.
Initiative: Webcasts;
Description: In partnership with the Multi-State ISAC, NCSD has hosted
a series of national Webcasts that examine critical and timely
cybersecurity issues. The Chair of the Multi-State ISAC stated that the
recent Webcasts have been viewed by over 3,000 individuals from nine
countries.
Initiative: National Cyber Security Alliance/StaySafeOnline Program;
Description: DHS, along with other federal and private sector
organizations, sponsors the National Cyber Security Alliance, a
public/private partnership to promote cybersecurity and safe behavior
online. It provides tools and resources through the StaySafeOnline
program, a Web site for home users, small businesses, and educational
institutions.
Initiative: Cybersecurity awareness brochures;
Description: NCSD is developing informational materials to promote
cybersecurity awareness, including brochures, fact sheets, and an
electronic newsletter.
Source: GAO analysis of DHS information.
[End of table]
Although DHS has an active awareness and outreach program under way,
more remains to be done to expand awareness of the department's roles,
responsibilities, and capabilities. Multiple CIP stakeholders have
reported that they were unaware of DHS's cybersecurity
responsibilities. For example, officials from one federal agency
indicated they have not independently interacted with NCSD about their
sector's cybersecurity efforts. In addition, at a recent regional
security exercise, state and local government officials were not clear
on DHS's role in cybersecurity. NCSD acknowledges that it has more to
do to expand awareness of its cybersecurity roles and capabilities and
to increase its outreach efforts. In its strategic plan for
cybersecurity, DHS has outlined goals, objectives, activities, and
milestones for improving in these areas.
DHS Has Made Progress in Its Efforts to Encourage Cybersecurity
Education but Lags in Developing Certification Standards:
DHS has initiated multiple efforts to improve the education of future
cybersecurity analysts, but much work remains to be done to develop
certification standards. Key DHS cyber education initiatives are listed
in table 11.
Table 11: Key Initiatives in Cybersecurity Education:
Initiative: National Centers of Academic Excellence in Information
Assurance;
Description: DHS and the National Security Agency cosponsor the
National Centers of Academic Excellence in Information Assurance
Program to reduce vulnerabilities in our national information
infrastructure by promoting higher education in information assurance
and producing a growing number of professionals with information
assurance expertise in various disciplines. Under this program, 4-year
colleges and graduate-level universities are eligible to apply to be
designated as a National Center of Academic Excellence in Information
Assurance Education. Colleges and universities that achieve this
designation receive formal recognition from the U.S. government and are
eligible to apply for scholarships and grants through the Department of
Defense Information Assurance Scholarship Program and the Federal Cyber
Service Scholarship for Service Program.
Initiative: Scholarship for Service program;
Description: DHS and the National Science Foundation cosponsor the
Scholarship for Service program, which is also known as the Cyber Corps
program. This program provides scholarship grant money to selected
universities to fund the final 2 years of student bachelors, masters,
or doctoral study in information assurance.
Initiative: Job Fair;
Description: In January 2005, DHS, the National Science Foundation, the
federal Chief Information Officers Council, and the Office of Personnel
Management cosponsored the first annual winter job fair for Scholarship
for Service students in Washington, D.C. Approximately 300 students
attended the job fair, representing all 26 of the colleges and
universities within the Scholarship for Service program. Twenty-nine
federal agencies and national laboratories, including DHS's Information
Analysis and Infrastructure Protection Directorate and the Office of
the Chief Information Officer, the Central Intelligence Agency, the
Department of Agriculture, the National Aeronautics and Space
Administration, and the Idaho National Engineering and Environmental
Laboratory, attended the job fair and interviewed students.
Source: GAO analysis of DHS information.
[End of table]
While DHS has made progress in expanding education and training in
cybersecurity, it has more to do to develop baseline standards for
cybersecurity certification. According to NCSD's progress report, each
cyber-related industry certification currently is based on a different
notion of what tasks information assurance employees perform. This
leads to confusion on the part of employers when they attempt to assess
what skill set they are getting when they hire a certified
professional. DHS acknowledges this issue and has begun to take steps
to address it. Specifically, DHS has partnered with the Department of
Defense on an initiative to create a national-level job task analysis
and information assurance professional skill standards. The job task
analysis and skill standards are expected to identify the knowledge,
skills, and abilities associated with information assurance jobs across
all sectors, and to provide a clear baseline for comparing and
evaluating existing industry certifications and developing future
certifications. The final goal is to produce a job task analysis and
skill standard that reflects all sectors, is national in scope, and can
be used to compare existing professional certifications and provide for
future certifications.
In addition, in its strategic plan for cybersecurity, DHS identifies a
number of actions and milestones for making progress in cybersecurity
education, including promoting the creation of widely recognized,
industry-led, vendor-neutral cybersecurity professional certifications
based on a nationally recognized skill baseline.
DHS Interacts with Other Entities to Enhance Intergovernmental
Cybersecurity, but Concerns Exist about the Scope and Effectiveness of
These Efforts:
DHS supports multiple interagency groups' efforts to improve government
cybersecurity through communication and collaboration, but state and
local government stakeholders have expressed concerns about the scope
of these efforts.
DHS participates in numerous initiatives to enhance intergovernmental
coordination. Key initiatives are listed in table 12.
Table 12: DHS's Intergovernmental Cybersecurity Initiatives:
Initiative: Chief Information Security Officers Forum;
Description: NCSD created the Chief Information Security Officers Forum
to "bring together federal officials responsible for the information
security of their respective agencies" and provide a "trusted venue for
them to collaborate, leverage one another's experiences, capabilities
and programs, lessons learned, and address and discuss particularly
problematic or challenging areas." This forum has established working
groups to study and draft best practices for specific areas of concern,
such as patch management.
Initiative: National Cyber Response Coordination Group (NCRCG);
Description: The National Cyber Response Coordination Group was
formalized in the Cyber Annex of the National Response Plan and is
cochaired by NCSD, the Department of Justice's Computer Crime and
Intellectual Property Section, and the Department of Defense. It brings
together agency management for response purposes during a significant
national incident. The group coordinates intragovernmental and
public/private preparedness and response to and recovery from national
level cyber incidents and physical attacks that have significant cyber
consequences. During such an incident, the NCRCG's senior level
membership is responsible for ensuring that the full-range of federal
capabilities are deployed in a coordinated and effective fashion. NCRCG
includes members from national security, law enforcement, defense,
intelligence, and other government agencies.
Initiative: Government Forum of Incident Response and Security Teams
(GFIRST);
Description: GFIRST is a group of technical and tactical practitioners
of government agency security response teams responsible for securing
government information technology systems.
Initiative: Federal Information Notice;
Description: NCSD established Federal Information Notices to
disseminate information to relevant federal authorities, such as
federal chief information officers, federal chief information security
officers, information system security managers and officers, system
administrators, and other federal employees and contractors. The
notices are to help keep federal agencies and departments aware of
emerging threats and vulnerabilities, as well as to provide them with
the information needed to mitigate, respond to, and recover from cyber
attacks. DHS reports that the notices provide warnings of Internet
security problems and offer explanations of potential problems that
have not yet become serious enough to warrant public alert.
Initiative: Office of Management and Budget's Security Line of Business
Group;
Description: NCSD is the cochair of the Office of Management and
Budget's recently formed security line of business effort. It is an
effort to raise the level of cybersecurity posture of federal agencies
and save funds by coming up with common security solutions across the
government.
Initiative: Coordination with states;
Description: DHS interacts with state governments through the Multi-
State ISAC. Formed in 2003, this ISAC provides a central resource for
gathering information on cyber threats to critical infrastructure from
the states and providing two- way sharing of information between and
among the states and ultimately with local government. The Multi-State
ISAC also analyzes information and intelligence to support readiness
and response efforts by federal, state, and local first responders and
law enforcement. DHS, including NCSD, DHS's Office of State and Local
Government Coordination, and US- CERT, are included in this ISAC's
monthly conference calls. The ISAC also partners with NCSD on a
national Webcast for increased awareness and education. Multi-State
ISAC officials reported that DHS provides information that is useful
and actionable for the state government sector; In addition, NCSD
cosponsored a State of the State Conference with the National White
Collar Crime Center that brought together state cyber enforcement
officials to discuss (1) cyber activities in their respective states,
(2) successful and unsuccessful mechanisms used to address cyber
activities, and (3) ways that NCSD can assist states in their
cybersecurity activities.
Initiative: Incident support;
Description: DHS supports individual government entities, providing
resources and expertise during major incidents. For example, according
to NCSD officials, the organization recently provided direct support to
a state that had suffered a serious cybersecurity incident. NCSD's
support included sending a team of experts to provide on-site
resources, coordinating with federal law enforcement and intelligence
communities, and providing advice for security practice improvements.
In addition, NCSD officials stated that they had provided similar
support to federal agencies.
Source: GAO analysis of DHS information.
[End of table]
While DHS has made concerted efforts to form and support
intergovernmental partnerships, several governmental entities have
expressed concerns about the scope of these efforts and their
effectiveness. For example, officials representing a state government
organization noted that DHS has not provided adequate attention to the
states regarding cybersecurity and has not included local government IT
officials in cybersecurity-related discussions. State officials also
noted that DHS's focus on cybersecurity has been secondary to its
physical security efforts; for example, there have been only limited
grants to assist states with cybersecurity. As a result, these
representatives have reported that there is a "fundamental lack of
appreciation" for cybersecurity by state and local governments.
The Interim NIPP and DHS's strategic plan for cybersecurity acknowledge
the importance of continually enhancing the security of federal, state,
and local government systems through partnerships and information
sharing. For example, the Interim NIPP includes a goal to build
partnerships with federal, state, local, tribal, international, and
private-sector stakeholders to implement CIP programs. In addition,
DHS's strategic plan for cybersecurity establishes goals, objectives,
and actions that involve securing governments' cyberspace through
collaboration with key stakeholders in other federal, state, and local
governments and in the private sector.
DHS Has Initiated Efforts in the International Community, but More
Remains to Be Done:
DHS is working in conjunction with other governments to promote a
global culture of security but acknowledges that more remains to be
done to accomplish its goals.
In recent years, NCSD has participated with its international
counterparts in several initiatives to improve interaction and
coordination. Table 13 lists key international cybersecurity
initiatives, including multilateral and bilateral efforts.
Table 13: International Cybersecurity Initiatives:
Multilateral initiatives:
Cybersecurity Collaboration with Close Allies;
Description: NCSD established and chaired three international
information sharing conference calls with government cybersecurity
policymakers and emergency response operations representatives from
United States, United Kingdom, Australia, Canada, and New Zealand. The
purpose of these calls was to share information and to establish
cooperation to help participants prepare for and manage cyber incidents
globally, improve overall situational awareness, and foster
collaborative efforts on common strategic initiatives. According to
NCSD officials, these calls led to the five countries agreeing to
undertake a collaborative effort on cybersecurity/critical information
infrastructure protection.
Asia Pacific Economic Committee;
Description: NCSD actively participates in the Committee's
Telecommunications Working Group, which has engaged in (1) an outreach
program to educate member countries about computer emergency response
teams and (2) a capacity-building program to provide training to member
countries as they develop their own computer emergency response teams.
G-8 High Tech Crime Working Group;
Description: NCSD participates in the G-8 High Tech Crime Working
Group. For example, it sent representatives as part of the U.S.
delegation to the G-8 sponsored International Exercise in New Orleans
in May 2005.
Organization of American States;
Description: NCSD participates in the Organization of American States'
work program on cybersecurity, including a cybersecurity practitioners'
workshop that was held in March 2005. The program is working toward
building computer emergency response capabilities and an information
sharing and watch and warning framework in the hemisphere.
International Watch and Warning Framework/Multilateral Conference;
Description: NCSD developed and organized a multilateral conference in
Berlin, Germany, which was cohosted by DHS and the German Ministry of
Interior in October 2004. The conference brought together cybersecurity
policy, operations, and law enforcement representatives from 15
countries[A] to discuss vision, challenges, and watch and warning
models and to consider establishing an international watch and warning
framework. The conference included interactive discussions and a cyber
tabletop exercise, and resulted in a set of intermediate agreements for
information sharing and future work toward a more mature framework. As
a follow up, a working group of the participating countries met in
Paris in March 2005 to pursue the action plan from the conference and
to take steps to build an International Watch and Warning Network.
Bilateral initiatives:
Canada and Mexico;
Description: NCSD has partnered with counterpart agencies in Canada and
Mexico to launch new Cyber Security Working Groups to address critical
information infrastructure issues of mutual concern, under the CIP
Framework for Cooperation efforts with both Canada and Mexico, which
are known as the Smart Border Action Plan and Border Partnership Action
Plan, respectively.
US-India Cyber Security Forum;
Description: NCSD participates in the U.S.-India Cyber Security Forum,
established in 2002. In addition, the forum created a new Watch,
Warning, and Emergency Response Working Group to reflect collaboration
between US-CERT and the newly established CERT-India. According to NCSD
officials, the working group's action plan includes information-sharing
objectives to improve situational awareness and incident response
abilities between the United States and India, and to share experience
and expertise on computer emergency response.
U.S.-United Kingdom Joint Contact Group;
Description: NCSD participates in the U.S.-United Kingdom Joint Contact
Group, established between DHS and the United Kingdom's Home Office.
According to NCSD officials, its action plan for cybersecurity includes
information sharing and collaboration on watch and warning, threat
analysis, incident response, exercise, and outreach efforts.
Source: GAO analysis of DHS information.
[A] Participating countries included Australia, Canada, Finland,
France, Germany, Hungary, Italy, Japan, Netherlands, New Zealand,
Norway, Sweden, Switzerland, United Kingdom, and the United States.
[End of table]
While NCSD has initiated numerous outreach and coordination efforts
with the international community, important actions remain ahead. DHS's
strategic plan for cybersecurity includes two objectives related to
national security and international cyberspace security cooperation, to
(1) create and pursue an international strategy to secure cyberspace
and (2) promote collaboration, coordination, and information sharing
with international communities. In addition, NCSD's January 2005
progress report described plans to work with its counterparts in
Australia, Canada, New Zealand and the United Kingdom "to formulate a
framework for on-going policy and operational cooperation and
collaboration" that will "incorporate shared efforts on key strategic
issues to address cybersecurity over the long term, including software
assurance, research and development, attribution, control systems, and
others." This framework is expected to enhance the allies' current
information-sharing and incident-response efforts and to foster
collaboration in other international activities.
In commenting on a draft of this report, DHS Science and Technology
Directorate officials stated that the directorate had entered into
international agreements with Canada and the United Kingdom for
collaborative science and technology activities and had engaged in
bilateral meetings with those countries on the topic of cybersecurity
research and development.
NCSD Is Working to Integrate Cybersecurity with National Security, but
Important Testing Remains to Be Done:
DHS formed the National Cyber Response Coordination Group to coordinate
the federal response to cyber incidents of national significance. It is
a forum of national security, law enforcement, defense, intelligence,
and other government agencies that coordinates intragovernmental and
public/private preparedness and response to and recovery from national-
level cyber incidents and physical attacks that have significant cyber
consequences. During a significant national incident, the coordinating
group's senior level membership is responsible for ensuring that the
full range of federal capabilities are deployed in a coordinated and
effective fashion. However, at the time of our review, there had not
been a cyber incident of national significance to activate these
procedures, and, according to NCSD officials, early tests of this
coordination identified some lessons and showed the need to make
improvements. For example, officials learned that they need to improve
communication protocols and mechanisms.
DHS Continues to Face Challenges in Establishing Itself as a National
Focal Point for Cyberspace Security:
DHS faces a number of challenges that have impeded its ability to
fulfill its cyber CIP responsibilities. Key challenges include
achieving organizational stability; gaining organizational authority;
overcoming hiring and contracting issues; increasing awareness about
cybersecurity roles and capabilities; establishing effective
partnerships with stakeholders (other federal, state, and local
governments and the private sector); achieving two-way information
sharing with these stakeholders; and providing and demonstrating the
value DHS can provide.
Organizational stability: Over the last year, multiple senior DHS
cybersecurity officials--including the NCSD Director, the Deputy
Director responsible for Outreach and Awareness, and the Director of
the US-CERT Control Systems Security Center, the Under Secretary for
the Information Analysis and Infrastructure Protection Directorate and
the Assistant Secretary responsible for the Information Protection
Office--have left the department. Infrastructure sector officials
stated that the lack of stable leadership has diminished NCSD's ability
to maintain trusted relationships with its infrastructure partners and
has hindered its ability to adequately plan and execute activities.
According to one private-sector representative, the importance of
organizational stability in fostering strong partnerships cannot be
over emphasized.
Organizational authority: NCSD does not have the organizational
authority it needs to effectively serve as a national focal point for
cybersecurity. Accordingly, NCSD officials lack the authority to
represent and commit DHS to efforts with the private sector.
Infrastructure and cybersecurity officials, including the chairman of
the sector coordinators and representatives of the cybersecurity
industry, have expressed concern that the NCSD's relatively low
position within the DHS organization hinders its ability to accomplish
cybersecurity-related goals. NCSD's lack of authority has led to some
missteps, including DHS canceling an important cyber event without
explanation and taking almost a year to issue formal responses to
private sector recommendations resulting from selected National Cyber
Security Summit task forces--even though responses were drafted within
months.
A congressional subcommittee also expressed concern that DHS's
cybersecurity office lacks the authority to effectively fulfill its
role. In 2004, the subcommittee proposed legislation to elevate the
head of the cybersecurity office to an assistant secretary position.
Among other benefits, the subcommittee reported that such a change
could:
* provide more focus and authority for DHS's cybersecurity mission,
* allow higher level input into national policy decisions, and:
* provide a single visible point of contact within the federal
government to improve interactions with the private sector.
Hiring and contracting: Ineffective DHS management processes have
impeded the department's ability to hire employees and maintain
contracts. We recently reported that since its inception, DHS's
leadership has provided a foundation for maintaining critical
operations while undergoing transformation.[Footnote 22] However, in
managing its transformation, we noted that DHS still needed to overcome
a number of significant challenges, including addressing systemic
problems in human capital and acquisition systems. Federal and
nonfederal officials expressed concerns with DHS's hiring and
contracting processes. For example, an NCSD official reported that the
division has had difficulty in hiring personnel to fill vacant
positions. These officials stated that once they found qualified
candidates, some candidates decided not to apply and another withdrew
his acceptance because they felt that the DHS hiring process took too
long. In addition, an NCSD official stated that there had been times
when DHS did not renew NCSD contracts in a timely manner, requiring
that key contractors work without pay until approvals could be
completed and payments could be made. In other cases, NCSD was denied
services from a vendor, because DHS had repeatedly failed to pay for
its services. External stakeholders, including an ISAC representative,
also noted that NCSD is hampered by how long it takes DHS to award a
contract.
Awareness of DHS roles and capabilities: Many infrastructure
stakeholders are not yet aware of DHS's cybersecurity roles and
capabilities. Department of Energy critical infrastructure officials
stated that the roles and responsibilities of DHS and the sector-
specific agencies need to be better clarified in order to improve
coordination. In addition, during a regional cyber exercise, private-
sector and state and local government officials reported that the
mission of NCSD and the capabilities that DHS could provide during a
serious cyber-threat were not clear to them. NCSD's manager of cyber
analysis and warning operations acknowledged that the organization has
not done an adequate job in reaching out to the private sector
regarding DHS's role and capabilities.
Effective partnerships: NCSD is responsible for leveraging the assets
of key stakeholders, including other federal, state, and local
governments and the private sector, in order to facilitate effective
protection of cyber assets. The ability to develop partnerships greatly
enhances the agency's ability to identify, assess, and reduce cyber
threats and vulnerabilities, establish strategic analytical
capabilities, provide incident response, enhance government
cybersecurity, and improve international efforts. According to one
infrastructure sector representative, effective partnerships require
building relationships with mutually developed goals, shared benefits
and responsibilities, and tangible, measurable results. However, this
individual reported that DHS has not typically adopted these principles
in pursuing partnerships with the private sector, which dramatically
diminishes cybersecurity gains that government and industry could
otherwise achieve. For example, DHS has often informed the
infrastructure sectors about government initiatives or sought input
after most key decisions have been made. Also, DHS has not demonstrated
that it recognizes the value of leveraging existing private sector
mechanisms, such as information-sharing entities and processes already
in place and working. In addition, the instability of NCSD's leadership
positions to date has led to problems in developing partnerships.
Representatives from two ISACs reported that turnover at NCSD has
hindered partnership efforts. Additionally, IT sector representatives
stated that NCSD needs continuity of leadership, regular
communications, and trusted policies and procedures in order to build
the partnerships that will allow the private sector to share
information.
Information sharing: We recently identified information sharing in
support of homeland security as a high-risk area, and we noted that
establishing an effective two-way exchange of information to help
detect, prevent, and mitigate potential terrorist attacks requires an
extraordinary level of cooperation and perseverance among federal,
state, and local governments and the private sector.[Footnote 23]
However, such effective communications are not yet in place in support
of our nation's cybersecurity. Representatives from critical
infrastructure sectors stated that entities within their respective
sectors still do not openly share cybersecurity information with DHS.
As we have reported in the past, much of the concern is that the
potential release of sensitive information could increase the threat to
an entity. In addition, sector representatives stated that when
information is shared, it is not clear whether the information will be
shared with other entities, such as other federal entities, state and
local entities, law enforcement, or various regulators, or how it will
be used or protected from disclosure. Representatives from the banking
and finance sector stated that the protection provided by the Critical
Infrastructure Information Act and the subsequently established
Protected Critical Infrastructure Information Program is not clear and
has not overcome the trust barrier. Alternatively, sector
representatives have expressed concerns that DHS is not effectively
communicating information with them. According to one infrastructure
representative, DHS has not matched private sector efforts to share
valuable information with a corresponding level of trusted information
sharing. An official from the water sector noted that when
representatives called DHS to inquire about a potential terrorist
threat, they were told that DHS could not share any information and
that they should "watch the news."
Providing value: According to sector representatives, even when
organizations within their sectors have shared information with NCSD,
the entities do not consistently receive useful information in return.
They noted that without a clear benefit, they are unlikely to pursue
further information sharing with DHS. Federal officials also noted
problems in identifying the value that DHS provides. According to
Department of Energy officials, DHS does not always provide analysis or
reports based on the information that agencies provide. Federal and
nonfederal officials also stated that most of US-CERT's alerts have not
been useful because the alerts lack essential details or have been
based on already available information. Further, Treasury officials
stated that US-CERT needed to provide relevant and timely feedback
regarding the incidents reported to it.
Clearly, these challenges are not mutually exclusive. That is,
addressing challenges in organizational stability and authority will
help NCSD build the credibility it needs in order to establish
effective partnerships and achieve two-way information sharing.
Similarly, effective partnerships and ongoing information sharing with
its stakeholders will allow DHS to better demonstrate the value it can
add.
DHS has identified steps in its strategic plan for cybersecurity that
can begin to address these challenges. Specifically, DHS has
established goals and plans for improving human capital management,
which should help stabilize the organization. Further, DHS has
developed plans for communicating with stakeholders, which are intended
to increase awareness of its roles and capabilities and to encourage
information sharing. Also, DHS has established plans for developing
effective partnerships and improving analytical and watch and warning
capabilities, which could help build partnerships and begin to
demonstrate added value. However, until it begins to address these
underlying challenges, DHS cannot achieve significant results in
coordinating cybersecurity activities and our nation will lack the
effective focal point it needs to better ensure the security of
cyberspace for public and private critical infrastructure systems.
Conclusions:
As our nation has become increasingly dependent on timely, reliable
information, it has also become increasingly vulnerable to attacks on
the information infrastructure that supports the nation's critical
infrastructures (including the energy, banking and finance,
transportation, telecommunications, and drinking water
infrastructures). Federal law and policy acknowledge this by
establishing DHS as the focal point for coordinating cybersecurity
plans and initiatives with other federal agencies, state and local
governments, and private industry. DHS has made progress in planning
and coordinating efforts to enhance cybersecurity, but much more work
remains to be done to fulfill its basic responsibilities--including
conducting important threat and vulnerability assessments and recovery
plans.
As DHS strives to fulfill its mission, it faces key challenges in
building its credibility as a stable, authoritative, and capable
organization and in leveraging private/public assets and information in
order to clearly demonstrate the value it can provide. Until it
overcomes the many challenges it faces and completes critical
activities, DHS cannot effectively function as the cybersecurity focal
point intended by law and national policy. As such, there is increased
risk that large portions of our national infrastructure are either
unaware of key areas of cybersecurity risks or unprepared to
effectively address cyber emergencies.
Recommendations for Executive Action:
In order to improve DHS's ability to fulfill its mission as an
effective focal point for cybersecurity, we recommend that the
Secretary of Homeland Security implement the following three steps:
* engage appropriate stakeholders to prioritize key cybersecurity
responsibilities so that the most important activities are addressed
first, including responsibilities that are not detailed in the
cybersecurity strategic plan: (1) perform a national cyber threat
assessment; (2) facilitate sector cyber vulnerability assessments--to
include identification of cross-sector interdependencies; and (3)
establish contingency plans for cybersecurity, including recovery plans
for key Internet functions;
* require NCSD to develop a prioritized list of key activities for
addressing the underlying challenges that are impeding execution of its
responsibilities; and:
* identify performance measures and milestones for fulfilling its
prioritized responsibilities and for performing activities to address
its challenges, and track organizational progress against these
measures and milestones.
We are not making new recommendations regarding cyber-related analysis
and warning and cybersecurity information sharing at this time because
our previous recommendations in these areas have not yet been fully
implemented.
Agency Comments and Our Evaluation:
We received written comments on a draft of this report from DHS (see
app. III). In DHS's response, the Director of the Departmental GAO/OIG
Liaison Office stated that DHS agrees that strengthening cybersecurity
is central to protecting the nation's critical infrastructures and that
much remains to be done. In addition, DHS concurred with our
recommendation to engage stakeholders in prioritizing its key
cybersecurity responsibilities. The director stated that continued and
expanded stakeholder involvement is critical and identified some of
NCSD's significant activities--many of which are discussed in the body
of this report. However, the director noted that DHS does not agree
that the challenges it has experienced have prevented it from achieving
significant results in improving the nation's cybersecurity posture. In
addition, DHS did not concur with our recommendations to (1) develop a
prioritized list of key activities for addressing the underlying
challenges and (2) identify performance measures and milestones for
fulfilling its prioritized responsibilities and for performing
activities to address its challenges and track organizational progress.
Specifically, the director reported that DHS already uses a prioritized
list, performance measures, and milestones to guide and track its
activities and sought additional clarification of these
recommendations. The director also noted that our report makes a
reference to previous recommendations involving cyber-related
information sharing and strategic analysis and warning capabilities
that have not been fully implemented, but he disagreed that there were
any valid outstanding recommendations.
Because most of the nation's information infrastructure is owned by the
private-sector, developing trusted partnerships and information-sharing
relationships between the federal government and the private sector are
critical. We agree that DHS has initiated many efforts as a focal point
for the nation's efforts to secure cyberspace and have acknowledged
these in our report, but the challenges it faces-
-including achieving organizational stability, achieving two-way
information sharing with stakeholders, and demonstrating value--have
hindered its progress to date. This view was reiterated by the federal
and nonfederal stakeholders we interviewed.
Regarding our recommendations, while we agree with DHS that its
strategic plan for cybersecurity identifies a number of activities
(along with some performance metrics and milestones) that will begin to
address the challenges, this plan does not include specific initiatives
that would ensure that the challenges are addressed in a prioritized
and comprehensive manner. For example, the strategic plan for
cybersecurity does not include initiatives to help stabilize and build
authority for the organization. Further, the strategic plan does not
identify the relative priority of its initiatives and does not
consistently identify performance measure for completing its
initiatives. As DHS moves forward in identifying initiatives to address
the underlying challenges it faces, it will be important to establish
performance metrics and milestones for fulfilling these initiatives. In
fact, in its strategic plan for cybersecurity, DHS acknowledges that it
needs to establish performance measures and milestones and to collect
performance data for its key initiatives.
Regarding our previous recommendations related to information sharing,
DHS identified plans for fulfilling our recommendations but did not
provide any evidence that these efforts were completed. For example, in
November 2004, DHS reported that by June 2005, it planned to develop an
information-sharing plan including the elements we recommended;
however, DHS has not yet completed this plan and has not provided any
evidence that this plan will include the key elements we had
recommended. In addition, in regard to our recommendation that DHS
develop appropriate policies and procedures for information sharing and
coordination within DHS and with other federal and nonfederal entities,
DHS reported that it has many information sharing initiatives and high-
level documents. However, DHS did not specify any DHS-level policies or
procedures for information sharing. NCSD procedures, including the US-
CERT Concept of Operations and Standard Operating Procedure, were still
in draft at the time of our review. Thus, these recommendations remain
open.
As for our previous recommendations to develop a strategic analysis and
warning capability, we reported that DHS is still facing the same
challenges in developing strategic analysis and warning capabilities
that we reported on 4 years ago during a review of NCSD's predecessor.
In 2001, we reported that a generally accepted methodology for
analyzing strategic cyber-based threats did not exist. We also reported
that the center did not have the industry-specific data on factors such
as critical systems components, known vulnerabilities, and
interdependencies. Therefore, we recommended that responsible executive-
branch officials and agencies establish a capability for strategic
analysis of computer-based threats, including developing a methodology
and obtaining infrastructure data. In response to specific questions on
these topics in April 2005, NCSD officials acknowledged that work
remains to be done in developing cyber-related strategic analysis and
warning capabilities. They stated that there is still no generally
accepted methodology for analyzing strategic cyber-based threats and
that NCSD is in the process of developing industry-specific data. In
addition, these officials discussed a number of ongoing initiatives to
address various aspects of the methodology. Because these efforts are
incomplete, our recommendations remain open.
DHS officials as well as others who were quoted in our report also
provided technical corrections, which we have incorporated in this
report as appropriate.
We are sending copies of this report to interested congressional
committees, the Secretary of Homeland Security, and other interested
parties. In addition, this report will be available at no charge on
GAO's Web site at [Hyperlink, http://www.gao.gov].
If you have any questions on matters discussed in this report, please
contact me at (202) 512-9286, or by e-mail at [Hyperlink,
pownerd@gao.gov]. Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this
report. GAO staff who made major contributions to this report are
listed in appendix IV.
Signed by:
David A. Powner:
Director, Information Technology Management Issues:
List of Congressional Requesters:
The Honorable Joseph I. Lieberman:
Ranking Member:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
The Honorable Christopher Cox:
Chairman:
The Honorable Bennie G. Thompson:
Ranking Member:
Committee on Homeland Security:
House of Representatives:
The Honorable Daniel E. Lungren:
Chairman:
The Honorable Loretta Sanchez:
Ranking Member:
Subcommittee on Economic Security, Infrastructure Protection, and
Cybersecurity:
Committee on Homeland Security:
House of Representatives:
The Honorable Tom Davis:
Chairman:
Committee on Government Reform:
House of Representatives:
The Honorable Mac Thornberry:
House of Representatives:
The Honorable Zoe Lofgren:
House of Representatives:
[End of section]
Appendixes:
Appendix I: Objectives, Scope, and Methodology:
Our objectives were to determine (1) the Department of Homeland
Security's (DHS) roles and responsibilities for cyber critical
infrastructure protection (CIP) and national information security, as
established in law and policy, and determine the specific
organizational structures DHS has created to fulfill them; (2) the
status of DHS's efforts to protect the computer systems supporting the
nation's critical infrastructures and to strengthen information
security both inside and outside the federal government and the extent
to which such efforts and DHS's organizational structures adequately
address its responsibilities; and (3) the challenges DHS faces in
fulfilling its cybersecurity roles and responsibilities.
To determine DHS's cyber roles and responsibilities supporting CIP, we
analyzed relevant law and policy, including the Homeland Security Act
of 2002, Homeland Security Presidential Directive (HSPD) 7, and the
National Strategy to Secure Cyberspace. Because many of the roles and
responsibilities in the law and policies are overlapping, we focused on
identifying responsibilities related to cybersecurity that could be
used to gauge DHS's progress and grouped them into 13 key
responsibilities. We shared the 13 key responsibilities with DHS
officials responsible for cybersecurity, and the officials concurred
that these are important responsibilities. We also compared the key
responsibilities with the activities that DHS identified in its
cybersecurity plans and progress reports, to ensure that no key
responsibilities were missed. To identify DHS's organizational
structure for fulfilling its responsibilities, we analyzed DHS and
National Cyber Security Division (NCSD) organizational charts and
interviewed DHS officials.
To determine the status and adequacy of DHS's efforts, we analyzed key
documents, including the Interim National Infrastructure Protection
Plan, NCSD's cyber strategies and plans, and NCSD's policies and
procedures, and we interviewed key DHS and NCSD officials. We compared
DHS's efforts and plans with the 13 responsibilities to identify what
has been accomplished and what more needs to be done. In addition, we
gathered documents and performed structured interviews with officials
from other federal agencies with established CIP roles. We included
officials responsible for each agency's efforts to enhance CIP and the
officials responsible for their respective agency's information
security efforts. We spoke with officials from the Departments of
Agriculture; Energy; Health and Human Services (including the Food and
Drug Administration); Justice (including the Federal Bureau of
Investigation); the Treasury; and the Environmental Protection Agency.
We also interviewed representatives from the following infrastructure
sectors: banking and finance, electricity, water, and information
technology. In addition, we interviewed representatives from the
Information Sharing and Analysis Center (ISAC) council. We also
interviewed officials from entities representing state governments,
including the Multi-State ISAC and the National Association of State
Chief Information Officers.
To identify the challenges facing DHS and NCSD as they attempt to
fulfill their cybersecurity responsibilities, we analyzed our prior
work on CIP as well as reports by the cybersecurity industry that
offered recommendations for improving cybersecurity and CIP. We also
interviewed DHS and NCSD officials, representatives from other federal
agencies with CIP roles, infrastructure sector officials, and officials
of an organization representing state governments. We also observed a
regional infrastructure security tabletop exercise focusing on
cybersecurity and identified challenges in achieving effective
collaboration among public/private partners from discussions by the
participants of this exercise. We performed our work from July 2004 to
April 2005 in accordance with generally accepted government auditing
standards.
[End of section]
Appendix II: DHS Organizations with Cyber-Related Roles:
DHS established NCSD as the primary organization with responsibility
for cybersecurity. However, multiple other organizations have roles and
responsibilities that impact cybersecurity and require close
coordination with NCSD. These include the following offices and
suboffices:
* Information Analysis Office--which is to provide actionable
intelligence essential for preventing acts of terrorism and, with
timely and thorough analysis and dissemination of information about
terrorists and their activities, improve the federal government's
ability to disrupt and prevent terrorist acts and to provide useful
warning to state and local governments, the private sector, and our
citizens.
* Homeland Security Operations Center--which provides real-time
situational awareness and monitoring of the homeland, coordinates
incidents and response activities and, in conjunction with the DHS
Office of Information Analysis, issues advisories and bulletins
concerning threats to homeland security, as well as specific protective
measures.
* Infrastructure Protection Office--which is to coordinate national
efforts to secure America's critical infrastructure, including
vulnerability assessments, strategic planning efforts, and exercises.
* Infrastructure Protection Office's Infrastructure Coordination
Division--which plays a key role in coordinating with sector
coordinating mechanisms (e.g., sector coordinating councils and
government coordinating councils) concerning information sharing. In
addition, it operates the National Infrastructure Coordination Center.
* Infrastructure Coordination Division's Protected Critical
Infrastructure Information Program Office--which was established to
encourage private industry and others with knowledge about the nation's
critical infrastructure to share sensitive and proprietary business
information about this critical infrastructure with the government in
accordance with the Critical Infrastructure Information Act of 2002
(CII Act). Protected CII is designed so that members of the private
sector can voluntarily submit sensitive information regarding the
nation's critical infrastructure to DHS with the assurance that the
information will be protected from public disclosure as long as it
satisfies the requirements of the CII Act.
* Infrastructure Protection Office's Protective Security Division--
which is to coordinate strategies for protecting the nation's critical
physical infrastructure.
* Infrastructure Protection Office's National Communications System--
which was established by executive order in 1982 as a federal
interagency group responsible for national security and emergency
preparedness telecommunications and was transferred to DHS by the
Homeland Security Act of 2002. Its responsibilities include planning
for, developing, and implementing enhancements to the national
telecommunications infrastructure, which includes the Internet, to
achieve effectiveness in managing and using national telecommunication
resources to support the federal government during any emergency. In
addition, through the National Coordinating Center for
Telecommunications,[Footnote 24] the National Communications System
sponsors the Telecommunications Information Sharing and Analysis
Center. The National Communications System is also jointly responsible
with NCSD for developing the IT infrastructure sector plan.
* DHS's Science and Technology Directorate--which serves as the primary
research and development arm of DHS. It uses our nation's scientific
and technological resources to provide federal, state, and local
officials with the technology and capabilities to protect the homeland.
It focuses on catastrophic terrorism--threats to the security of our
homeland that could result in large-scale loss of life and major
economic impact.
* Office of State and Local Coordination--which was established to
serve as a single point of contact for facilitation and coordination of
departmental programs that impact state, local, territorial, and tribal
governments.
* Private Sector Office--which works directly with individual
businesses, trade associations, and other professional and
nongovernmental organizations to share department information,
programs, and partnership opportunities.
[End of section]
Appendix III: Comments from the Department of Homeland Security:
[U.S. Department of Homeland Security:
Washington, DC 20528:
May 3, 2005:
Mr. David A. Powner:
Director, Information Technology Management Issues:
Government Accountability Office:
Washington, DC 20548:
Dear Mr. Powner:
Re: Draft Report GAO-05-434, Critical Infrastructure Protection:
Department of Homeland Security Faces Challenges in Fulfilling
Cybersecurity Responsibilities.
Thank you for the opportunity to review the draft report. We agree that
strengthening cybersecurity is central to protecting the nation's
critical infrastructures and concur that much remains to be done. We do
not, however, agree with the report's implication that the challenges
experienced to date have prevented us from achieving significant
results in improving the nation's cybersecurity posture. The recent
(January 2005) National Cyber Security Division Progress Report
detailed the significant progress that has been made across the broad
spectrum of our cybersecurity responsibilities. Nevertheless, we
welcome GAO's review and comments on our initial efforts. We note the
report also makes a reference to "previous recommendations in these
areas." We do not agree that there are any valid, outstanding
recommendations in this area. The following represents the Departmental
response to the recommendations contained in the draft report.
Recommendation:
Engage with appropriate stakeholders to prioritize key cybersecurity
responsibilities so that the most important activities are addressed
fast, including responsibilities that are not detailed in the
cybersecurity strategic plan: (1) perform a national cyber threat
assessment, (2) facilitate sector cyber vulnerability assessments-to
include identification of cross-sector interdependencies, and (3)
establish contingency plans for cybersecurity, including recovery plans
for key Internet functions.
Response: Concur. While stakeholder input has already been a
contributing factor in the establishment of National Cyber Security
Division's (NCSD) priorities, continued and expanded stakeholder
involvement is critical in reviewing and revising these priorities in
the future. Some of the significant NCSD activities in this area are
noted below:
NCSD has made significant progress toward completing comprehensive
threat assessments and sector specific vulnerability assessments, but
we agree that more must be done. Establishing and formalizing the 1T
Sector, as the Sector Specific Agency/Responsibility (SSA/R) under the
National Infrastructure Protection Plan (NIPP), has been challenging,
given its breadth, complexity, and relative maturity. It is important
to recognize the nature of these challenges, as it helps to understand
the considerable progress made to date. The challenges include defining
the boundaries of the Sector, developing effective partnerships, and
identifying critical IT assets. This work is charting new territory in
government and private sector collaboration. Because most of the IT
Sector is privately owned, the government must ensure that the
collaboration includes all the principal actors and that the
collaboration is maintained and strengthened over time.
It is important that the work of the IT Sector be deliberate and
comprehensive. Failing to identify and address all threats and
vulnerabilities can have serious consequences. However, significant
progress has been made, specifically in the development of appropriate
IT Sector asset identification and vulnerability assessment
methodologies, in establishing the IT Sector Government Coordinating
Council (IT-GCC), and assisting the IT Sector in its efforts to
establish the IT Sector Coordinating Council (IT-SCC).
For cross-sector interdependencies, NCSD has worked with the Sector
Specific Agencies (SSA) to ensure the thoroughness of the cyber aspects
of their Sector Specific Plans (SSP), and is improving the IT Sector
asset identification and vulnerability assessment methodologies to
address SSA cross-sector cyber efforts. NCSD is working with each SSA
to ensure the quality and effectiveness of its cyber planning, and to
ensure cross-sector consistency. In addition, NCSD has been fully
engaged with OMB, as subject matter expert, to ensure the quality,
consistency, and effectiveness of the federal agency Critical
Infrastructure Protection plans. Lastly, NCSD has established a Control
Systems Security program to identify control systems in critical
infrastructure across all sectors, to understand their vulnerabilities
and interdependencies, and develop and recommend effective near-term
protective measures for legacy systems.
With respect to recovery, the Office of Infrastructure Protection (IP)
has formed a strategic partnership in the form of the Internet
Disruption Working Group (IDWG) that will leverage past efforts of the
federal government and the private sector while combining resources and
avoiding duplication and conflict. Currently, IDWG is building on past
efforts of IP, reaching out to key Internet companies in the private
sector, and drawing on US Computer Emergency Readiness Team (US-CERT)
resources to determine: (1) the degree of critical infrastructure
sectors' business and operational dependency on the Internet; (2) which
private sector companies the government needs to work with to prevent a
major disruption; and (3) what surge capabilities would be needed to
assist the National Cyber Response Coordination Group (NCRCG) in
managing a crisis and reconstituting service in the event of a
significant disruption. These efforts contribute to and will measure
progress through the Interagency Security Planning Effort for FY 2005,
within the Risk Management/Protective Measures Working Group of the
National Infrastructure Protection Plan Senior Leadership Council.
Recommendation:
Develop a prioritized list of key activities for addressing the
underlying challenges that are impeding NCSD's execution of its
responsibilities.
Response: Non-concur. NCSD's strategic plan already provides a
prioritized list of key activities that are reviewed, updated, and
revised on a quarterly basis. Through regular communication with the
Assistant Secretary for Infrastructure Protection, obstacles are
already being identified and prioritized. This recommendation, as
written, does not explain why these efforts are insufficient or what
specific additional actions GAO would like to see accomplished. Pending
further definition of GAO's intent, we non-concur with this
recommendation.
Recommendation:
Identify performance measures and milestones for fulfilling its
prioritized responsibilities and for performing activities to address
its challenges, and track organizational progress against these
measures and milestones.
Response: Non-concur. Performance measures and milestones are already
identified in NCSD's strategic plan. Unlike organizations that have
been in place for a significant period of time, the milestones facing
NCSD are primarily the development of new programs and establishment of
a system for monitoring the success of these programs. In its initial
strategic plan, NCSD has defined milestones that are measurable,
although often not in quantitative terms. That is, the initial
milestones direct the implementation of programs within a specified
period of time, or the implementation of stages in program development
in a specified time. The initial measure of success is whether or not
the programs got off the ground in a timely manner and are moving ahead
on schedule. As the programs become more established, performance
measures will increasingly shift towards quantitative measures to
evaluate the relative success of the program.
In addition to already having identified its performance measures and
milestones in its strategic plan, NCSD has already implemented
procedures to systematically track organizational progress. Early in
each quarter NCSD program managers are reminded of impending deadlines
at the end of the quarter. Action is taken at the start of each quarter
to ensure that a milestone is met or that obstacles to success are
addressed and overcome.
This recommendation, as written, does not explain why these efforts are
insufficient or what specific additional actions GAO would like to see
accomplished. Pending further definition of GAO's intent, we non-concur
with this recommendation.
We thank you again for the opportunity to review the report and provide
comments.
Sincerely,
Signed by:
Steven J. Pecinovsky:
Director:
Departmental GAO/OIG Liaison Office:
[End of section]
Appendix IV: GAO Contact and Staff Acknowledgments:
GAO Contact:
David A. Powner, (202) 512-9286 or [Hyperlink, pownerd@gao.gov].
Staff Acknowledgments:
In addition to those named above, Joanne Fiorino, Michael Gilmore,
Barbarol James, Colleen M. Phillips, and Nik Rapelje made key
contributions to this report.
(310543):
FOOTNOTES
[1] This includes the Homeland Security Act of 2002, Homeland Security
Presidential Directive 7, and the National Strategy to Secure
Cyberspace.
[2] Testimony of Robert S. Mueller, III, Director, Federal Bureau of
Investigation, before the Senate Select Committee on Intelligence (Feb.
16, 2005).
[3] CSO magazine, "2004 E-Crime Watch--Survey Shows Significant
Increase in Electronic Crime" (Framingham, MA: May 25, 2004).
[4] Computer Security Institute, 2003 CSI/FBI Computer Crime and
Security Survey (2003).
[5] GAO, Information Security: Code Red, Code Red II, and SirCam
Attacks Highlight Need for Proactive Measures, GAO-01-1073T
(Washington, D.C.: Aug. 29, 2001).
[6] GAO, Information Security: Weaknesses Place Commerce Data and
Operations at Serious Risk, GAO-01-751 (Washington, D.C.: Aug. 13,
2001).
[7] A vulnerability is a flaw or weakness in hardware or software that
can be exploited, resulting in a violation of an implicit or explicit
security policy.
[8] National Institute for Standards and Technology, Procedures for
Handling Security Patches: Recommendations of the National Institute of
Standards and Technology, National Institute of Science and Technology
Special Publication 800-40 (Gaithersburg, MD: August 2002).
[9] The CERT/CC is a center of Internet security expertise at the
Software Engineering Institute, a federally funded research and
development center operated by the Carnegie Mellon University. CERT and
CERT® Coordination Center are registered in the U.S. Patent and
Trademark Office by Carnegie Mellon University.
[10] GAO, Technology Assessment: Cybersecurity for Critical
Infrastructure Protection, GAO-04-321 (Washington, D.C.: May 28, 2004).
[11] Testimony of Richard D. Pethia, Director, CERT Centers, Software
Engineering Institute, Carnegie Mellon University, before the House
Committee on Government Reform, Subcommittee on Government Efficiency,
Financial Management and Intergovernmental Relations (November 19,
2002).
[12] Pew Internet and American Life Project, "The Future of the
Internet: In a survey, technology experts and scholars evaluate where
the network is headed in the next 10 years." (Washington, D.C.: January
9, 2005)
[13] GAO, Critical Infrastructure Protection: Challenges and Efforts to
Secure Control Systems, GAO-04-354 (Washington, D.C.: March 15, 2004).
[14] This group, operating under the authority granted by the Cyber
Annex to the National Response Plan, is a forum of national security,
law enforcement, defense, intelligence, and other government agencies
that coordinates intragovernment and public/private preparedness and
response to and recovery from national level cyber incidents and
physical attacks that have significant cyber consequences.
[15] The Protected Critical Infrastructure Information program was
established to encourage private industry to share sensitive and
proprietary business information about its critical infrastructures
with the government with the assurance that the information would be
protected from public disclosure, in accordance with the Critical
Infrastructure Information Act of 2002.
[16] GAO, Critical Infrastructure Protection: Improving Information
Sharing with Infrastructure Sectors, GAO-04-780 (Washington, D.C.: July
9, 2004).
[17] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.:
January 2005).
[18] GAO, Critical Infrastructure Protection: Significant Challenges in
Developing National Capabilities, GAO-01-323 (Washington, D.C.: Apr.
25, 2001).
[19] GAO, Combating Terrorism: Selected Challenges and Related
Recommendations, GAO-01-822 (Washington, D.C.: Sept. 20, 2001).
[20] GAO-04-321.
[21] The Executive Office of the President, Office of Science and
Technology Policy and The Department of Homeland Security Science and
Technology Directorate, The National Plan for Research and Development
In Support of Critical Infrastructure Protection, 2004 (Washington,
D.C.: Apr. 8, 2005).
[22] GAO-05-207.
[23] GAO-05-207.
[24] The National Coordinating Center for Telecommunications is open to
companies that provide telecommunications or network services,
equipment, or software to the communications and information sector;
select, competitive local exchange carriers; Internet service
providers; vendors; software providers; telecommunications professional
organizations and associations; or companies with participation or
presence in the communications and information sector. Membership is
also allowed for National Coordinating Center member federal
departments and agencies, and for national security/emergency
preparedness users.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548: