Posthearing Questions from the September 17, 2003, Hearing on "Implications of Power Blackouts for the Nation's Cybersecurity and Critical Infrastructure Protection: The Electric Grid, Critical Interdependencies, Vulnerabilities, and Readiness"
GAO-04-300R: Published: Dec 8, 2003. Publicly Released: Dec 8, 2003.
As requested in a letter of November 5, 2003, this letter provides our responses for the record to the questions posed to GAO. At the subject hearing, we discussed the challenges that the Department of Homeland Security (DHS) faces in integrating its information gathering and sharing functions, particularly as they relate to fulfilling the department's responsibilities for critical infrastructure protection (CIP).
In our August 2003 report on information sharing, we identified initiatives that had been undertaken to improve the sharing of information to prevent terrorist attacks and surveyed federal, state, and city government officials to obtain their perceptions on how the current information-sharing process was working. Our survey showed that none of the three levels of government perceived the current information-sharing process to be effective when it involved the sharing of information with federal agencies.
Our June 2003 report focused on describing the information that is collected, used, and shared by key federal agencies--such as the Federal Energy Regulatory Commission and the Energy Information Administration within the Department of Energy--and the effect of restructuring on these agencies' collection, use, and sharing of this information. In the aftermath of electricity price spikes and other efforts to manipulate electricity markets in California, our work focused on the oversight of restructured electricity markets--not the physical security of the system's components. With this focus, we did not include DHS in the scope of our work.
Although improvements have been made, further efforts are needed to address the following critical CIP challenges. The Homeland Security Act of 2002 includes provisions that restrict federal, state, and local governments' use and disclosure of critical infrastructure information that has been voluntarily submitted to DHS. These restrictions include exemption from disclosure under the Freedom of Information Act, a general limitation on use to CIP purposes, and limitations on use in civil actions and by state or local governments. The act also provides penalties for any federal employee who improperly discloses any protected critical infrastructure information.
Much of our work on federal CIP has focused on cybersecurity and the overall threats and risks to critical infrastructure sectors. This work did not include assessments of specific sectors that would enable us to identify or rank which of the sectors pose the greatest national security concern or greatest risk. We have made numerous recommendations over the last several years related to information-sharing functions that have now been transferred to DHS, including those related to the federal government's CIP efforts.
According to an official in the Infrastructure Protection Office's Infrastructure Coordination Division, this division is responsible for building relationships with the ISACs and is currently working with them and the sector coordinators (private sector counterparts to federal sector liaisons) to determine how best to establish these relationships. In addition, this official said that DHS's interagency Homeland Security Operations Center provides the day-to-day operational relationship with the ISACs to share threat and warning information.
GAO has not specifically assessed whether the poor state of infrastructure sectors may have serious negative implications for security against potential terrorist attack. However, the relationship between reliability and security may be an appropriate consideration as DHS and the critical infrastructure sectors identified in federal CIP policy continue their efforts to assess the vulnerabilities of these sectors to cyber or physical attacks.