Summary

Pursuant to a congressional request, GAO provided information on fiscal years 1998 through 2000 appropriations and obligations for four major computer security initiatives, including: (1) the Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC); (2) the Department of Defense's (DOD) Joint Task Force on Computer Network Defense (JTF-CND); (3) the General Services Administration's (GSA) Federal Computer Incident Response Capability (FedCIRC); and (4) GSA's Federal Intrusion Detection Network (FIDNet).

GAO noted that: (1) more than any nation, the United States depends on interconnected computer systems--including the Internet--to support critical operations and services both in the public and private sectors; (2) while beneficial, this reliance has increased the risks of computer-based fraud, inappropriate disclosure of sensitive data, and disruption of critical computer-supported operations and services; (3) to better safeguard against computer disruptions within critical sectors of the nation's economy, in January 2000, the President issued the National Plan for Information Systems Protection; (4) the National Plan calls for the government and the private sector to work together in a partnership to achieve computer security objectives; (5) as specified in the plan: (a) NIPC is to serve as the focal point for gathering information on threats to the critical infrastructures as well as facilitating and coordinating the government's response to such incidents; (b) JTF-CND is to monitor incidents and threats relating to national security and coordinate its assessments both within the DOD and externally with appropriate agencies, counterintelligence organizations, law enforcement agencies, the private sector, and allies; (c) FedCIRC is to supplement these efforts by coordinating computer incident and response data and providing technical information, tools, and assistance, primarily to civilian agencies; and (d) FIDNet, through a network of intrusion detection devices, is to provide a centrally managed operational structure for processing and disseminating computer attack warnings to federal agencies; (6) the information GAO obtained presents only a partial picture of the total funding because most of the programs are supported by related activities whose appropriations and obligations were not captured by GAO's review; (7) also, in order to obtain needed expertise, NIPC, JTF-CND, and FIDNet rely on staff detailees from other federal agencies or Defense components; (8) the salaries for these individuals are not reflected in summary figures obtained; and (9) GAO did not compile data on appropriations and obligations for related activities or determine the salaries of detailees that were attributable to the programs GAO focused on because such information was not readily available and developing it was beyond the scope of this review.