Skip to main content

Influenza Pandemic: Key Securities Market Participants Are Making Progress, but Agencies Could Do More to Address Potential Internet Congestion and Encourage Readiness

GAO-10-8 Published: Oct 26, 2009. Publicly Released: Oct 26, 2009.
Jump To:
Skip to Highlights

Highlights

Concerns exist that a more severe pandemic outbreak than 2009's could cause large numbers of people staying home to increase their Internet use and overwhelm Internet providers' network capacities. Such network congestion could prevent staff from broker-dealers and other securities market participants from teleworking during a pandemic. The Department of Homeland Security (DHS) is responsible for ensuring that critical telecommunications infrastructure is protected. GAO was asked to examine a pandemic's impact on Internet congestion and what actions can be and are being taken to address it, the adequacy of securities market organizations' pandemic plans, and the Securities and Exchange Commission's (SEC) oversight of these efforts. GAO reviewed relevant studies, regulatory guidance and examinations, interviewed telecommunications providers and financial market participants, and analyzed pandemic plans for seven critical market organizations.

Increased demand during a severe pandemic could exceed the capacities of Internet providers' access networks for residential users and interfere with teleworkers in the securities market and other sectors, according to a DHS study and providers. Private Internet providers have limited ability to prioritize traffic or take other actions that could assist critical teleworkers. Some actions, such as reducing customers' transmission speeds or blocking popular Web sites, could negatively impact e-commerce and require government authorization. However, DHS has not developed a strategy to address potential Internet congestion or worked with federal partners to ensure that sufficient authorities to act exist. It also has not assessed the feasibility of conducting a campaign to obtain public cooperation to reduce nonessential Internet use to relieve congestion. DHS also has not begun coordinating with other federal and private sector entities to assess other actions that could be taken or determine what authorities may be needed to act. Because the key securities exchanges and clearing organizations generally use proprietary networks that bypass the public Internet, their ability to execute and process trades should not be affected by any congestion. In analyzing seven critical market organizations, GAO found they had prepared pandemic plans that addressed key regulatory elements, including hygiene programs to minimize staff illness and continuing operations by spreading staff across geographic areas. However, not all had completed or documented analyses of whether they would have sufficient staff capable of carrying out critical activities if many of their employees were ill. Also, not all had developed alternatives to teleworking if congestion arises. SEC staff have been regularly examining market organizations' readiness, but could further reduce risk of disruptions by ensuring that these organizations prepare complete staffing analyses and teleworking alternatives.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Homeland Security To better ensure that securities market participants as well as organizations in other critical sectors of the economy will continue to have access to the Internet during a pandemic, the Secretary of Homeland Security should develop a strategy outlining actions that could be taken to address potential Internet congestion.
Closed – Implemented
In response to GAO's recommendation, DHS agreed with the importance of developing a strategy outlining actions that could be taken to address potential impacts to National Security and Emergency Protection (NS/EP) communications due to Internet congestion during a pandemic. Although DHS staff believe responsibility for addressing potential congestion outside of NS/EP communications falls within the mission scope of other agencies, in March 2014, they indicated that they had undertaken various efforts, including creating strategies, documentation, and publications, that they believed addressed the intent of this recommendation. Further, DHS issued its 2011 Blueprint for a Secure Cyber Future to create a safe, secure, and resilient cyber environment across the homeland security enterprise. In this document, DHS articulated a strategy to create a safe, secure, and resilient (which includes Internet congestion) cyber environment. Specific goals in this blueprint include ensuring systems have increased fault tolerance, greater understandings of single points of failure to minimize disruptions, and continuous auditing of the resiliency of systems, which all should reduce the potential for congestion problems. This strategy will be achieved by working with private sector partners to help maintain the life-sustaining functions that enable the American ways of life, including routinely working with Internet Service Providers to share threat information and mitigation measures when appropriate. This document also notes several areas in which DHS recommends that private sector communications providers work to improve their networks in ways that could reduce congestion as a potential problem.
Department of Homeland Security To better ensure that securities market participants as well as organizations in other critical sectors of the economy will continue to have access to the Internet during a pandemic, the Secretary of Homeland Security should coordinate with other relevant federal and private sector entities about actions that could potentially reduce Internet congestion.
Closed – Implemented
In response to GAO's recommendation, in March 2014, DHS staff described having undertaken several initiatives to partner with other federal and private sector agencies in efforts that could help address Internet congestion during a pandemic. They noted that DHS's National Coordinating Council (NCC) has ongoing coordination activities with various private sector telecommunication companies to coordinate the initiation, restoration, and reconstitution of Federal Government National Security/Emergency Preparedness (NS/EP) telecommunications services. DHS staff also reported leveraging its Critical Infrastructure Partnership Advisory Council, the Federal Advisory Committee Act, and Title 18 of the Homeland Security Appropriations Act to partner with various stakeholders and jointly publish the strategies. Routinely, DHS meets with cyber and communications stakeholders to discuss many scenarios that have an adverse effect on the broader Homeland Security mission, which has included Internet congestion. Finally, through the National Infrastructure Protection Plan framework, CS&C (DHS component) coordinates regularly with relevant federal and public sector entities represented on several sector coordinating councils, including the Information Technology Sector Coordinating Council, Communications Sector Coordinating Council, and the IT Government Coordinating Council. Among these efforts include providing guidance for developing best practices and model protocols for concerns like Internet congestion during a pandemic. They noted that their NCC partnership with industry focuses on preserving and recovering communications infrastructure to ensure maximum connectivity is available thereby reducing likelihood of congestion. During a disaster situation, NCC advocates on behalf of industry to remove factors limiting response and recovery actions. For example, during the Hurricane Sandy response, NCC worked to prioritize factors aiding communications recovery such as prioritized power restoration to communications facilities, prioritized transportation and delivery of teams and assets needed for restoration and access to fuel for vehicles. These actions helped speed the recovery of communications to ensure delivery of services to the public.
Department of Homeland Security To better ensure that securities market participants as well as organizations in other critical sectors of the economy will continue to have access to the Internet during a pandemic, the Secretary of Homeland Security should work with other federal partners to determine if sufficient authority exists for one or more relevant agencies to take any contemplated actions to address Internet congestion.
Closed – Implemented
In response to GAO's recommendation, DHS noted it would continue to ensure that all proposed programs or activities are within the scope of its own authorities or its federal partners' authorities. They noted that as part of their planning process, they continually assess whether contemplated actions are within the scope of existing authorities or whether new authority is needed. When programs involve the participation of other entities, including other federal departments and agencies, the department coordinates closely with those entities to ensure there is a common understanding of the relevant supporting authorities.
Department of Homeland Security To better ensure that securities market participants as well as organizations in other critical sectors of the economy will continue to have access to the Internet during a pandemic, the Secretary of Homeland Security should assess the effectiveness and feasibility, and undertake if warranted, a public education campaign to reduce such congestion.
Closed – Not Implemented
In response to GAO's recommendation, DHS noted that, while DHS agrees that raising the public's awareness of the importance of minimizing Internet usage during times of congestion is vital to an overall effective pandemic response strategy, DHS sees responsibility in this area as acting to raise awareness for its National Security/Emergency Preparedness (NS/EP) programs, such as the Government Emergency Telecommunications Service, and the Telecommunications Service Priority program. These services are made available to emergency first responders, key government officials (federal, state, and local), and others to ensure NS/EP communications in times of emergency. Its staff noted that since 2010 DHS has undertaken efforts as part of several national campaigns to include Critical Infrastructure Protection Month, National Preparedness Month, the National Cyber Security Awareness Month and the Stop.Think.Connect effort (which educates the public on internet safety), and other national campaigns for public education and awareness campaigns. However, DHS has not taken specific steps to plan and assess the effectiveness of specific messages and communications mechanisms that could be used for a potential campaign to change public behavior to reduce Internet congestion due to non-critical traffic.
United States Securities and Exchange Commission To better ensure that important securities market participants are making adequate preparations for pandemic, the Chairman, SEC, should ensure that SEC staff take steps to ensure that critical financial market organizations are fully documenting the adequacy of their staffing levels to withstand high absenteeism and have formally developed alternative strategies in the event that congestion limits teleworking effectiveness.
Closed – Implemented
In response to this recommendation, in November 2009 the Co-Acting Director of SEC's Trading and Markets Division sent letters to the critical organizations included in our review (as well as all related securities market organizations under SEC's purview) asking them to review their cross-training programs for critical operations to ensure that the plans fully reflect current staffing and operational needs during a pandemic. The SEC notes that the potentially high absenteeism that a severe pandemic could cause, including the potential impairment of critical personnel who normally manage to support essential functions in a crisis, gives securities organizations no choice but to ensure that their cross-training plans for critical operations are robust and current. The Acting Director's letter also urges the organizations to more fully document their plans to maintain critical operations if Internet congestion impairs their ability to rely on telework for support functions. These response measures could encompass a variety of approaches. For example, organizations might address situations in which Internet congestion impairs emergency work-at-home arrangements by planning to bring some previously dispersed essential personnel back to worksites while taking appropriate measures to ensure that this does not compromise their health and safety. Whatever approach is chosen, SEC's letter noted that these plans need to be carefully documented and tested to ensure their efficacy. The Acting Director states that Commission staff will incorporate reviews of the implementation of these recommendations in their future examinations of the exchanges and other key market organizations.

Full Report

Office of Public Affairs

Topics

Computer networksCritical infrastructureCritical infrastructure protectionEmergency preparednessEmployeesInfluenzaInternetInternet service providersRisk assessmentRisk factorsSecuritiesStrategic planningTelecommunicationsTelecommutingPolicies and procedures