Internet Infrastructure:

DHS Faces Challenges in Developing a Joint Public/Private Recovery Plan

GAO-06-672: Published: Jun 16, 2006. Publicly Released: Jul 28, 2006.


Contact:

David A. Powner
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Since the early 1990s, growth in the use of the Internet has revolutionized the way that our nation communicates and conducts business. While the Internet was originally developed by the Department of Defense, the vast majority of its infrastructure is currently owned and operated by the private sector. Federal policy recognizes the need to prepare for debilitating Internet disruptions and tasks the Department of Homeland Security (DHS) with developing an integrated public/private plan for Internet recovery. GAO was asked to (1) identify examples of major disruptions to the Internet, (2) identify the primary laws and regulations governing recovery of the Internet in the event of a major disruption, (3) evaluate DHS plans for facilitating recovery from Internet disruptions, and (4) assess challenges to such efforts.

A major disruption to the Internet could be caused by a cyber incident (such as a software malfunction or a malicious virus), a physical incident (such as a natural disaster or an attack that affects key facilities), or a combination of both cyber and physical incidents. Recent cyber and physical incidents have caused localized or regional disruptions but have not caused a catastrophic Internet failure. Federal laws and regulations addressing critical infrastructure protection, disaster recovery, and the telecommunications infrastructure provide broad guidance that applies to the Internet, but it is not clear how useful these authorities would be in helping to recover from a major Internet disruption. Specifically, key legislation on critical infrastructure protection does not address roles and responsibilities in the event of an Internet disruption. Other laws and regulations governing disaster response and emergency communications have never been used for Internet recovery. DHS has begun a variety of initiatives to fulfill its responsibility for developing an integrated public/private plan for Internet recovery, but these efforts are not complete or comprehensive. Specifically, DHS has developed high-level plans for infrastructure protection and incident response, but the components of these plans that address the Internet infrastructure are not complete. In addition, the department has started a variety of initiatives to improve the nation's ability to recover from Internet disruptions, including working groups to facilitate coordination and exercises in which government and private industry practice responding to cyber events. However, progress to date on these initiatives has been limited, and other initiatives lack time frames for completion. Also, the relationships among these initiatives are not evident. As a result, the government is not yet adequately prepared to effectively coordinate public/private plans for recovering from a major Internet disruption. 
Key challenges to establishing a plan for recovering from Internet disruptions include (1) innate characteristics of the Internet (such as the diffuse control of the many networks making up the Internet and private sector ownership of core components) that make planning for and responding to disruptions difficult, (2) a lack of consensus on DHS's role and when the department should get involved in responding to a disruption, (3) legal issues affecting DHS's ability to provide assistance to restore Internet service, (4) reluctance of many in the private sector to share information on Internet disruptions with DHS, and (5) leadership and organizational uncertainties within DHS. Until these challenges are addressed, DHS will have difficulty achieving results in its role as a focal point for helping to recover the Internet from a major disruption.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Matter for Congressional Consideration

    Matter: Given the importance of the Internet as a critical infrastructure supporting our nation's communications and commerce, Congress may wish to consider clarifying the legal framework that guides roles and responsibilities for Internet recovery in the event of a major disruption. This effort could include providing specific authorities for Internet recovery as well as examining potential roles for the federal government, such as providing access to disaster areas, prioritizing selected entities for service recovery, and using federal contracting mechanisms to encourage more secure technologies. This effort also could include examining the Stafford Act to determine if there would be benefits in establishing specific authority for the government to provide for-profit companies--such as those that own or operate critical communications infrastructures--with limited assistance during a crisis.

    Status: Closed - Implemented

    Comments: Consistent with this matter for consideration, Congress has taken action that considered clarifying the legal framework that guides roles and responsibilities for Internet recovery. Specifically, in April 2010 the Senate introduced S.773, the Cybersecurity Act of 2009. This bill would require the President to designate an agency to be responsible for coordinating the response and restoration of any Federal Government or United States critical infrastructure information system or network affected by a cybersecurity emergency declaration. In addition, in 2006 the Senate Committee on Homeland Security and Governmental Affairs reported S.3721 out to the full Senate. Section 533 of this bill would have required a Department of Homeland Security entity to develop model standards or guidelines that states could adopt in conjunction with critical infrastructure owners and operators to permit access to restricted areas in the event of an emergency or major disaster. The 109th Congress took no further action on this legislation.

    Recommendations for Executive Action

    Recommendation: To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should establish dates for revising the National Response Plan and finalizing the National Infrastructure Protection Plan--including efforts to update key components relevant to the Internet.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: In response to our recommendation, DHS finalized the National Infrastructure Protection Base Plan in June 2006 and updated the National Response Framework (formerly the National Response Plan) in January 2008. Also in January 2008, DHS finalized Emergency Response Function #2, which is the Communications Annex to the National Response Plan. This Annex provides for the restoration of the public communications infrastructure and ensures the provision of federal communications support to response efforts during incidents of national significance. In addition, in August 2010, DHS officials stated that the National Response Framework's Cyber Incident Annex would be replaced by the National Cyber Incident Response Plan, which would describe how the United States will respond to significant cyber incidents. DHS officials also stated that the National Cyber Incident Response Plan would be finalized following testing during Cyberstorm III, which is scheduled for September 2010.

    Recommendation: To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should use the planned revisions to the National Response Plan and the National Infrastructure Protection Plan as a basis, draft public/private plans for Internet recovery, and obtain input from key Internet infrastructure companies.

    Agency Affected: Department of Homeland Security

    Status: Closed - Not Implemented

    Comments: In August 2010, DHS officials stated that DHS no longer concurred with this recommendation. Specifically, they stated that DHS is not responsible for working with the private sector to draft public-private Internet recovery plans. DHS officials noted that public-private forums such as the Cross-Sector Cyber Security Working Group (CSCSWG) and the Information Technology Sector Coordinating Council (ITSCC) can be used to discuss cybersecurity risks, interdependencies, and plans for recovery in the event of a significant cyber incident.

    Recommendation: To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should review the National Communications System (NCS) and the National Cyber Security Division (NCSD) organizational structures and roles in light of the convergence of voice and data communications.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: In April of 2007, DHS commissioned a task force that reviewed National Communication System (NCS) and National Cyber Security Division (NCSD) organizational structures and roles. The task force recommended that NCS and NCSD be physically and functionally merged. Since then, DHS has taken steps to implement the recommendation by, for example, physically co-locating NCS and NCSD personnel in the same office space. In addition, the department said it plans to address other merger-related issues as part of an ongoing strategic planning effort for the area but did not provide a date when this effort is to be finalized.

    Recommendation: To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should identify the relationships and interdependencies among the various Internet recovery-related activities currently under way in NCS and NCSD, including initiatives by the United States Computer Emergency Readiness Team, the National Cyber Response Coordination Group, the Internet Disruption Working Group, the North American Incident Response Group, and the groups responsible for developing and implementing cyber recovery exercises.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: In August 2010, DHS officials stated that the National Cybersecurity and Communications Integration Center (NCCIC) co-locates organizations that are responsible for developing and implementing cyber recovery activities, including US-CERT and the National Communication System's National Coordinating Center for Telecommunications. The center has been designed to serve as a 24-hour, DHS-led coordinated watch and warning center to address threats and incidents affecting the nation's critical information technology and cyber infrastructure. According to DHS officials, the NCCIC concept-of-operations, which is still being drafted, will define the relationships and interdependencies between NCCIC-participating organizations.

    Recommendation: To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should establish time lines and priorities for key efforts identified by the Internet Disruption Working Group.

    Agency Affected: Department of Homeland Security

    Status: Closed - Not Implemented

    Comments: In August 2010, DHS officials stated that the Internet Disruption Working Group disbanded sometime after 2006 and that other DHS entities were no longer implementing the working group's key efforts.

    Recommendation: To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should identify ways to incorporate lessons learned from actual incidents and during cyber exercises into recovery plans and procedures.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: As a result of its first national-level cyber exercise conducted in February 2006, called Cyber Storm, DHS identified eight lessons that had significant impact across sectors, agencies, and exercise participants. These lessons involved improving (1) the interagency coordination groups; (2) contingency planning, risk assessment, and roles and responsibilities; (3) integration of incidents across infrastructures; (4) access to information; (5) coordination of response activities; (6) strategic communications and public relations; (7) processes, tools, and technology; and (8) the exercise program. Since then DHS has begun implementing these lessons learned, as we recently reported in September 2008 (see GAO-08-825).

    Recommendation: To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should work with private-sector stakeholders representing the Internet infrastructure to address challenges to effective Internet recovery by further defining needed government functions in responding to a major Internet disruption.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: DHS participates in multiple public-private initiatives such as the Cross-Sector Cyber Security Working Group (CSCSWG) and the Information Technology Sector Coordinating Council (ITSCC) that may be used to discuss cybersecurity risks, interdependencies, and plans for recovery in the event of a significant cyber incident. To date, DHS has not yet documented specific governmental functions that it would provide in responding to a major Internet disruption.

    Recommendation: To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should work with private-sector stakeholders representing the Internet infrastructure to address challenges to effective Internet recovery by defining a trigger for government involvement in responding to such a disruption.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: DHS provided GAO with a March 2010 draft revision of the National Cyber Incident Response Plan. Consistent with our recommendation, the draft plan defines the conditions that would trigger heightened levels of coordination among government agencies and with the private sector to respond to a cyber incident. DHS officials stated that the draft plan would be finalized following testing during Cyberstorm III, which is scheduled for September 2010.

    Recommendation: To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should work with private-sector stakeholders representing the Internet infrastructure to address challenges to effective Internet recovery by documenting assumptions and developing approaches to deal with key challenges that are not within the government's control.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: Consistent with this recommendation, DHS released the Information Technology Sector Baseline Risk Assessment in August 2009. According to this document, DHS collaborated with members of the private and public sectors to develop and document a risk assessment methodology for the Information Technology sector. The document identifies assumptions, such as the sufficiency of an IT-sector member's emergency power capacity, which could pose a challenge to Internet recovery. The document also identifies multiple risks that could affect Internet recovery efforts and references general mitigation strategies that currently exist, are being enhanced, or which could be considered for the future. By documenting these assumptions and developing strategies to manage key challenges outside of the government's control, DHS is better able to facilitate public/private efforts to recover the Internet in case of a major disruption.
