Report Finds Government Information Systems Vulnerable to Attack
Federal Government Lacks Coordinated Approach to Critical Infrastructure Protection
Monday, July 22, 2002
WASHINGTON - Critical infrastructure protection of
the federal government’s information systems lacks a
coordinated and comprehensive approach, leaving the systems
vulnerable to cyber-attack, according to a General
Accounting Office (GAO) report released Friday by
Governmental Affairs Committee Chairman Joe Lieberman, D-Conn.,
and Senator Robert Bennett, R-Utah.
Without a coordinating strategy, systems are
susceptible to attacks from potential adversaries including
cyber-terrorist groups, nation-states, criminal
organizations, or disgruntled insiders, the report said.
The report found that current
protection efforts are not addressing all key infrastructure
areas and their respective federal agencies, including
sectors such as chemical manufacturing and food safety.
Organizations have failed to establish consistent
relationships with other protection agencies that share
similar responsibilities.
Further, none of the organizations reviewed by the
GAO appropriated funds specifically for cyber protection
programs, making it impossible to track efforts being made to
remedy these vulnerabilities.
Lieberman’s bill addresses
these issues by establishing a directorate of critical
infrastructure protection, charged with tracking
vulnerabilities in information systems, sharing information
pertaining to cyber-security risks, and establishing a clear
organizational structure to provide leadership on
cyber-security issues.
“We have learned from the
tragedy on September 11th that our enemies will
increasingly strike where they believe we are vulnerable,”
Lieberman said. “As
this report shows, our cyberspace infrastructure is ripe for
attack today.”
“If our critical
infrastructure is to be fortified against attack, the
government must lead by example in a substantial, direct
coordination effort,” Bennett said. “But because 90
percent of our infrastructure is privately owned, it is
essential that this government analysis and coordination
extends to the private sector. This report reaffirms our
call for information sharing and I hope will encourage the
related federal agencies to conduct the necessary assessment
and strengthening of their systems.”
Last September, Bennett
introduced S. 1456, the Critical Infrastructure Information
Security Act of 2001. The
Bennett bill, designed to increase information sharing and
improve threat analysis for critical infrastructures, would
establish an element in the Executive Branch to receive and
share information on potential threats to critical
infrastructure.
In 1998, President Clinton
issued Decision Directive 63 calling for the federal
government to improve cyber-security efforts by establishing
a partnership with the private sector and improving the
nation’s ability to respond to cyber-attacks.
To further coordinate cyber-security efforts,
Executive Order 13231, issued in October 2001, created the
President’s Critical Infrastructure Protection Board.
GAO’s report concluded that
coordination and protection efforts are greatly hindered by
the absence of a comprehensive cyber-protection strategy,
which is still being developed by the President’s Critical
Infrastructure Board. The
report recommends that the final strategy