This is the accessible text file for GAO report number GAO-03-715T 
entitled 'Homeland Security: Information Sharing Responsibilities, 
Challenges, and Key Management Issues' which was released on May 08, 
2003.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Testimony
Before the Committee on Government Reform, House of Representatives:

For Release on Delivery
Expected at 10:00 a.m. EDT
Thursday, May 8, 2003:

Homeland Security:

Information Sharing Responsibilities, Challenges, and Key Management 
Issues:

Statement of 

Robert F. Dacey, Director,
Information Security Issues

Randolph C. Hite, Director,
Information Technology Architecture and Systems Issues

GAO-03-715T:

GAO Highlights:

Highlights of GAO-03-715T, a testimony before the Committee on 
Government Reform, House of Representatives 

Why GAO Did This Study:

The Homeland Security Act of 2002, which created the Department of 
Homeland Security, brought together 22 diverse organizations to help 
prevent terrorist attacks in the United States, reduce the 
vulnerability of the United States to terrorist attacks, and minimize 
damage and assist in recovery from attacks that do occur. To 
accomplish this mission, the act established specific homeland security
responsibilities for the department, which included sharing 
information among its own entities and with other federal agencies, 
state and local governments, the private sector, and others.

GAO was asked to discuss DHS’s information sharing efforts,
including (1) the significance of information sharing in fulfilling
DHS's responsibilities; (2) GAO’s related prior analyses and
recommendations for improving the federal government’s
information sharing efforts; and (3) key management issues DHS
should consider in developing and implementing effective information
sharing processes and systems.

What GAO Found:


DHS’s responsibilities include the coordination and sharing of 
information related to threats of domestic terrorism within the 
department and with and between other federal agencies, state and 
local governments, the private sector, and other entities. To 
accomplish its missions, DHS must, for example access, receive, and 
analyze law enforcement information, intelligence information, and 
other threat, incident, and vulnerability information from federal and 
nonfederal sources; and analyze such information to identify and 
assess the nature and scope of terrorist threats. DHS must also share information both internally and externally with
agencies and law enforcement on such things as goods and passengers
inbound to the United States and individuals who are known or 
suspected terrorists and criminals.

GAO has made numerous recommendations related to information sharing.
Although improvements have been made, more efforts are needed to
address the following challenges, among others, that GAO has 
identified.

* Developing a comprehensive and coordinated national plan to 
facilitate information sharing on critical infrastructure. 

* Developing productive information sharing relationships between the
federal government and state and local governments and the private
sector. 

* Providing appropriate incentives for nonfederal entities to increase
information sharing with the federal government and enhance other
critical infrastructure protection efforts. 

Through its prior work, GAO has identified potential information 
sharing barriers, critical success factors, and other key management 
issues that DHS should consider as it establishes systems and processes 
to facilitate information sharing among and between government 
entities and the private sector. It will be important for the 
department to understand the numerous potential barriers to 
information sharing and develop appropriate strategies to address 
them, considering any related provisions of the Homeland Security Act. 
GAO’s work has also identified critical success factors for
information sharing that DHS should consider as it proceeds. Further, 
as part of its information technology management, DHS should develop 
and implement an enterprise architecture to integrate the many 
existing systems and processes required to support its mission and to 
guide the department’s investments in new systems to effectively 
support homeland security in the coming years. Other key management 
issues include ensuring that sensitive information is secured, 
developing secure communications networks, integrating staff from 
different organizations, and ensuring that the department has properly 
skilled staff.


www.gao.gov/cgi-bin/getrpt?GAO-03-715T.
To view the full testimony, click on the link
above.
For more information, contact Robert F.
Dacey at (202) 512-3317 or daceyr@gao.gov.

[End of section]:

Mr. Chairman and Members of the Committee:

I am pleased to be here today to discuss challenges for the Department 
of Homeland Security (DHS) in integrating its information gathering and 
sharing functions. The Homeland Security Act of 2002 brought together 
22 diverse organizations and created a new cabinet-level department to 
help prevent terrorist attacks in the United States, reduce the 
vulnerability of the United States to terrorist attacks, and minimize 
damage and assist in recovery from attacks that do occur. To accomplish 
this mission, the Act established specific homeland security 
responsibilities for the department and directed it to coordinate its 
efforts and share information among its own entities and with other 
federal agencies, state and local governments, the private sector, and 
others.

In my testimony today, I will summarize GAO's analysis of information 
sharing as an integral part of fulfilling DHS's mission and 
responsibilities. I will then discuss GAO's related prior analyses and 
recommendations for improving the federal government's information 
sharing efforts. Lastly, I will discuss the key management issues DHS 
should consider in developing and implementing effective information 
sharing processes and systems.

In preparing this testimony, we relied on prior GAO reports and 
testimonies on combating terrorism, critical infrastructure protection 
(CIP), homeland security, information sharing, information technology 
(IT), and national preparedness, among others. We also reviewed and 
analyzed the National Strategy for Homeland Security, the National 
Strategy to Secure Cyberspace, the National Strategy for the Physical 
Protection of Critical Infrastructures and Key Assets,the National 
Strategy for Combating Terrorism,[Footnote 1] the Homeland Security Act 
of 2002,[Footnote 2] and other relevant federal policies. Our work was 
performed during April and May 2003 in accordance with generally 
accepted government auditing standards.

Results in Brief:

The Homeland Security Act of 2002 and other federal policy, including 
the National Strategy for Homeland Security, assign responsibilities to 
DHS for the coordination and sharing of information related to threats 
of domestic terrorism, within the department and with and between other 
federal agencies, state and local governments, the private sector, and 
other entities. For example, to accomplish its missions, the new 
department must (1) access, receive, and analyze law enforcement 
information, intelligence information, and other threat, incident, and 
vulnerability information from federal and nonfederal sources; (2) 
analyze such information to identify and assess the nature and scope of 
terrorist threats; and (3) administer the Homeland Security Advisory 
System and provide specific warning information and advice on 
appropriate protective measures and countermeasures. Further, DHS must 
share information both internally and externally with agencies and law 
enforcement on such things as goods and passengers inbound to the 
United States and individuals who are known or suspected terrorists and 
criminals. It also must share information among emergency responders in 
preparing for and responding to terrorist attacks and other 
emergencies.

GAO has made numerous recommendations over the last several years 
related to information sharing functions that have been transferred to 
DHS. One significant area concerns the federal government's CIP 
efforts, which is focused on the sharing of information on incidents, 
threats, and vulnerabilities, and the providing of warnings related to 
critical infrastructures both within the federal government and between 
the federal government and state and local governments and the private 
sector. Although improvements have been made, further efforts are 
needed to address the following critical CIP challenges:

* developing a comprehensive and coordinated national plan to 
facilitate CIP information sharing that clearly delineates the roles 
and responsibilities of federal and nonfederal CIP entities, defines 
interim objectives and milestones, sets timeframes for achieving 
objectives, and establishes performance measures;

* developing fully productive information sharing relationships within 
the federal government and between the federal government and state and 
local governments and the private sector;

* improving the federal government's capabilities to analyze incident, 
threat, and vulnerability information obtained from numerous sources 
and share appropriate, timely, useful warnings and other information 
concerning both cyber and physical threats to federal entities, state 
and local governments, and the private sector; and:

* providing appropriate incentives for nonfederal entities to increase 
information sharing with the federal government and enhance other CIP 
efforts.

In addition, GAO recently identified challenges in consolidating and 
standardizing watch list structures and policies, which are essential 
to effectively sharing information on suspected terrorists and 
criminals.[Footnote 3]

The success of homeland security also relies on establishing effective 
systems and processes to facilitate information sharing among and 
between government entities and the private sector. Through our prior 
work, we have identified potential information sharing barriers, 
critical success factors, and other key management issues that DHS 
should consider as it establishes systems and processes to facilitate 
information sharing among and between government entities and the 
private sector. It will be important for the department to understand 
the numerous potential barriers to information sharing and develop 
appropriate strategies to address them, considering any related 
provisions of the Homeland Security Act. Our work has also identified 
critical success factors for information sharing that DHS should 
consider as it proceeds. Further, as part of its information technology 
management, DHS must develop and implement an enterprise architecture 
to integrate the many existing systems and processes required to 
support its mission and to guide the department's investments in new 
systems to effectively support homeland security in the coming years. 
Other key management issues include ensuring that sensitive information 
is secured, developing secure communications networks, integrating 
staff from different organizations, and ensuring that the department 
has properly skilled staff.

Information Sharing Is Integral to Fulfilling DHS's Mission:

With the terrorist attacks of September 2001, the threat of terrorism 
rose to the top of the country's national security and law enforcement 
agendas. As stated by the President in his National Strategy for 
Homeland Security in July 2002, our nation's terrorist enemies are 
constantly seeking new tactics or unexpected ways to carry out their 
attacks and magnify their effects, such as working to obtain chemical, 
biological, radiological, and nuclear weapons. In addition, terrorists 
are gaining expertise in less traditional means, such as cyber attacks. 
In response to these growing threats, Congress passed and the President 
signed the Homeland Security Act of 2002 creating the DHS. The overall 
mission of this new cabinet-level department includes preventing 
terrorist attacks in the United States, reducing the vulnerability of 
the United States to terrorist attacks, and minimizing damage and 
assisting in recovery from attacks that do occur. To accomplish this 
mission, the act established specific homeland security 
responsibilities for the department and directed it to coordinate its 
efforts and share information within DHS and with other federal 
agencies, state and local governments, the private sector, and other 
entities. This information sharing is critical to successfully 
addressing increasing threats and fulfilling the mission of DHS.

Threats, Incidents, and the Consequences of Potential Attacks Are 
Increasing:

DHS's responsibilities include the protection of our nation's publicly 
and privately controlled resources essential to the minimal operations 
of the economy and government against the risks of physical as well as 
computer-based or cyber attacks. Over the last decade, physical and 
cyber events, as well as related analyses by various entities, have 
demonstrated the increasing threat to the United States.

With the coordinated terrorist attacks against the World Trade Center 
in New York City and the Pentagon in Washington, D.C., on September 11, 
2001, the threat of terrorism rose to the top of the country's national 
security and law enforcement agendas. Even before these catastrophic 
incidents, the threat of attacks against people, property, and 
infrastructures had increased concerns about terrorism. The terrorist 
bombings in 1993 of the World Trade Center in New York City and in 1995 
of the Alfred P. Murrah Federal Building in Oklahoma City, which killed 
168 people and wounded hundreds of others, prompted increased emphasis 
on the need to strengthen and coordinate the federal government's 
ability to effectively combat terrorism domestically. The 1995 Aum 
Shinrikyo sarin nerve agent attack in the Tokyo subway system also 
raised new concerns about U.S. preparedness to combat terrorist 
incidents involving weapons of mass destruction.[Footnote 4] However, 
as clearly demonstrated by the September 11, 2001, incidents, a 
terrorist attack would not have to fit the definition of weapons of 
mass destruction to result in mass casualties, destruction of critical 
infrastructures, economic losses, and disruption of daily life 
nationwide.

U.S. intelligence and law enforcement communities continuously assess 
both foreign and domestic terrorist threats to the United States. The 
U.S. foreign intelligence community--the Central Intelligence Agency, 
the Defense Intelligence Agency, the Federal Bureau of Investigation 
(FBI), and the Department of State's Bureau of Research and 
Intelligence--monitors the foreign-origin terrorist threat to the 
United States. In addition, the FBI gathers intelligence and assesses 
the threat posed by domestic sources. According to the U.S. 
intelligence community, conventional explosives and firearms continue 
to be the terrorists' weapons of choice. The community also believes 
that terrorists are less likely to use weapons of mass destruction, 
although the possibility that terrorists will use these weapons may 
increase over the next decade.

Nevertheless, in February 2003, the Director of Central Intelligence 
testified[Footnote 5]that in his view, we have entered a new world of 
proliferation, where there are knowledgeable non-state purveyors of 
weapons of mass destruction materials and technology that are 
increasingly capable of providing technology and equipment that 
previously could only be supplied by countries with established 
capabilities. He also stated that although there have been successes on 
many fronts in the war on terrorism, recent events underscore the 
threat that the al Qaeda network continues to pose to the United 
States. He further stated that even without an attack on the U.S. 
homeland, more than 600 people were killed in acts of terror last year-
-200 in al Qaeda-related attacks alone--including 19 U.S. citizens. In 
addition, he stated that terrorism directed at U.S. interests goes 
beyond Middle Eastern or religious extremist groups, adding that the 
Revolutionary Armed Forces of Colombia has shown a new willingness to 
inflict casualties on U.S. nationals. Table 1 summarizes key physical 
threats to homeland security.

Table 1: Physical Threats to Homeland Security:

Threat: Chemical weapons; Description: Chemical weapons are extremely 
lethal and capable of producing tens of thousands of casualties. They 
are also relatively easy to manufacture, using basic equipment, trained 
personnel, and precursor materials that often have legitimate dual 
uses. As the 1995 Tokyo subway attack revealed, even sophisticated 
nerve agents are within the reach of terrorist groups.

Threat: Biological weapons; Description: Biological weapons, which 
release large quantities of living, disease-causing microorganisms, 
have extraordinary lethal potential. Like chemical weapons, biological 
weapons are relatively easy to manufacture, requiring straightforward 
technical skills, basic equipment, and a seed stock of pathogenic 
microorganisms. Biological weapons are especially dangerous because we 
may not know immediately that we have been attacked, allowing an 
infectious agent time to spread. Moreover, biological agents can serve 
as a means of attack against humans as well as livestock and crops, 
inflicting casualties as well as economic damage.

Threat: Radiological weapons; Description: Radiological weapons, or 
"dirty bombs," combine radioactive material with conventional 
explosives. The individuals and groups engaged in terrorist activity 
can cause widespread disruption and fear, particularly in heavily 
populated areas.

Threat: Nuclear weapons; Description: Nuclear weapons have enormous 
destructive potential. Terrorists who seek to develop a nuclear weapon 
must overcome two formidable challenges. First, acquiring or refining a 
sufficient quantity of fissile material is very difficult--though not 
impossible. Second, manufacturing a workable weapon requires a very 
high degree of technical capability--though terrorists could feasibly 
assemble the simplest type of nuclear device. To get around these 
significant though not insurmountable challenges, terrorists could seek 
to steal or purchase a nuclear weapon.

Threat: Conventional means; Description: Terrorists, both domestic and 
international, continue to use traditional methods of violence and 
destruction to inflict harm and spread fear. They have used knives, 
guns, and bombs to kill the innocent. They have taken hostages and 
spread propaganda. Given the low expense, ready availability of 
materials, and relatively high chance for successful execution, 
terrorists will continue to make use of conventional attacks.

Source: National Strategy for Homeland Security:

[End of table]

In addition to these physical threats, terrorists and others with 
malicious intent, such as transnational criminals and intelligence 
services, pose a threat to our nation's computer systems. As dramatic 
increases in computer interconnectivity, especially in the use of the 
Internet, continue to revolutionize the way much of the world 
communicate and conducts business, this widespread interconnectivity 
also poses significant risks to the government's and our nation's 
computer systems and, more importantly, to the critical operations and 
infrastructures they support. For example, telecommunications, power 
distribution, water supply, public health services, national defense 
(including the military's warfighting capability), law enforcement, 
government services, and emergency services all depend on the security 
of their computer operations. If not properly controlled, the speed and 
accessibility that create the enormous benefits of the computer age 
also allow individuals and organizations to inexpensively eavesdrop on 
or interfere with these operations from remote locations for 
mischievous or malicious purposes.

Government officials are increasingly concerned about cyber attacks 
from individuals and groups with malicious intent, such as crime, 
terrorism, foreign intelligence gathering, and acts of war. According 
to the FBI, terrorists, transnational criminals, and intelligence 
services are quickly becoming aware of and are using information 
exploitation tools such as computer viruses, Trojan horses, worms, 
logic bombs, and eavesdropping sniffers that can destroy, intercept, 
degrade the integrity of, or deny access to data.[Footnote 6] In 
addition, the disgruntled organization insider is a significant threat, 
since these individuals often have knowledge that allows them to gain 
unrestricted access and inflict damage or steal assets without 
possessing a great deal of knowledge about computer intrusions. As 
greater amounts of money are transferred through computer systems, as 
more sensitive economic and commercial information is exchanged 
electronically, and as the nation's defense and intelligence 
communities increasingly rely on commercially available IT, the 
likelihood increases that cyber attacks will threaten vital national 
interests. Table 2 summarizes the key cyber threats to our 
infrastructure.

Table 2: Cyber Threats to Critical Infrastructure Observed by the FBI:

Threat: Criminal groups; Description: There is an increased use of 
cyber intrusions by criminal groups who attack systems for purposes of 
monetary gain.

Threat: Foreign intelligence services; Description: Foreign 
intelligence services use cyber tools as part of their information 
gathering and espionage activities.

Threat: Hackers; Description: Hackers sometimes crack into networks for 
the thrill of the challenge or for bragging rights in the hacker 
community. While remote cracking once required a fair amount of skill 
or computer knowledge, hackers can now download attack scripts and 
protocols from the Internet and launch them against victim sites. Thus, 
while attack tools have become more sophisticated, they have also 
become easier to use.

Threat: Hacktivists; Description: Hacktivism refers to politically 
motivated attacks on publicly accessible Web pages or e-mail servers. 
These groups and individuals overload e-mail servers and hack into Web 
sites to send a political message.

Threat: Information warfare; Description: Several nations are 
aggressively working to develop information warfare doctrine, programs, 
and capabilities. Such capabilities enable a single entity to have a 
significant and serious impact by disrupting the supply, 
communications, and economic infrastructures that support military 
power--impacts that, according to the Director of Central 
Intelligence,[A] can affect the daily lives of Americans across the 
country.

Threat: Insider threat; Description: The disgruntled organization 
insider is a principal source of computer crimes. Insiders may not need 
a great deal of knowledge about computer intrusions because their 
knowledge of a victim system often allows them to gain unrestricted 
access to cause damage to the system or to steal system data.

Threat: Virus writers; Description: Virus writers are posing an 
increasingly serious threat. Several destructive computer viruses and 
"worms" have harmed files and hard drives, including the Melissa Macro 
Virus, the Explore.Zip worm, the CIH (Chernobyl) Virus, Nimda, and Code 
Red.

Source: Federal Bureau of Investigation unless otherwise indicated.

[A] Prepared Statement of George J. Tenet, Director of Central 
Intelligence, before the Senate Select Committee on Intelligence, Feb. 
2, 2000.

[End of table]

As the number of individuals with computer skills has increased, more 
intrusion or "hacking" tools have become readily available and 
relatively easy to use. A hacker can literally download tools from the 
Internet and "point and click" to start an attack. Experts also agree 
that there has been a steady advance in the sophistication and 
effectiveness of attack technology. Intruders quickly develop attacks 
to exploit vulnerabilities discovered in products, use these attacks to 
compromise computers, and share them with other attackers. In addition, 
they can combine these attacks with other forms of technology to 
develop programs that automatically scan the network for vulnerable 
systems, attack them, compromise them, and use them to spread the 
attack even further.

Along with these increasing threats, the number of computer security 
incidents reported to the CERT® Coordination Center (CERT/CC)[Footnote 
7] rose from 9,859 in 1999, to 52,658 in 2001, to 82,094 in 2002, and 
to 42,586 for the first quarter of 2003. And these are only the 
reported attacks. The Director, CERT® Centers, stated that as much as 
80 percent of actual security incidents goes unreported, in most cases 
because the organization (1) was unable to recognize that its systems 
had been penetrated because there were no indications of penetration or 
attack or (2) was reluctant to report incidents. Figure 1 shows the 
number of incidents reported to the CERT/CC from 1995 through the first 
quarter of 2003.

Figure 1: Information Security Incidents Reported to Carnegie-Mellon's 
CERT Coordination Center: 1995 through First Quarter 2003:

[See PDF for image]

[End of figure]

According to the National Security Agency, foreign governments already 
have or are developing computer attack capabilities, and potential 
adversaries are developing a body of knowledge about U.S. systems and 
methods to attack these systems. Since the terrorist attacks of 
September 11, 2001, warnings of the potential for terrorist cyber 
attacks against our critical infrastructures have also increased. For 
example, in February 2002, the threat to these infrastructures was 
highlighted by the Special Advisor to the President for Cyberspace 
Security in a Senate briefing when he stated that although to date none 
of the traditional terrorists groups, such as al Qaeda, have used the 
Internet to launch a known assault on the United States' 
infrastructure, information on water systems was discovered on 
computers found in al Qaeda camps in Afghanistan.[Footnote 8] Also, in 
his February 2002 statement for the Senate Select Committee on 
Intelligence, the director of central intelligence discussed the 
possibility of cyber warfare attack by terrorists.[Footnote 9] He 
stated that the September 11 attacks demonstrated the nation's 
dependence on critical infrastructure systems that rely on electronic 
and computer networks. Further, he noted that attacks of this nature 
would become an increasingly viable option for terrorists as they and 
other foreign adversaries become more familiar with these targets and 
the technologies required to attack them.

Since September 11, 2001, the critical link between cyberspace and 
physical space has also been increasingly recognized. In his November 
2002 congressional testimony, the Director, CERT Centers at Carnegie-
Mellon University, noted that supervisory control and data acquisition 
(SCADA) systems and other forms of networked computer systems have been 
used for years to control power grids, gas and oil distribution 
pipelines, water treatment and distribution systems, hydroelectric and 
flood control dams, oil and chemical refineries, and other physical 
systems, and that these control systems are increasingly being 
connected to communications links and networks to reduce operational 
costs by supporting remote maintenance, remote control, and remote 
update
functions.[Footnote 10] These computer-controlled and network-
connected systems are potential targets for individuals bent on causing 
massive disruption and physical damage, and the use of commercial, off-
the-shelf technologies for these systems without adequate security 
enhancements can significantly limit available approaches to protection 
and may increase the number of potential attackers.

Not only is the cyber protection of our critical infrastructures 
important in and of itself, but a physical attack in conjunction with a 
cyber attack has been highlighted as a major concern. In fact, the 
National Infrastructure Protection Center (NIPC) has stated that the 
potential for compound cyber and physical attacks, referred to as 
"swarming attacks," is an emerging threat to the U.S. critical 
infrastructure.[Footnote 11] As NIPC reports, the effects of a swarming 
attack include slowing or complicating the response to a physical 
attack. For example, cyber attacks can be used to delay the 
notification of emergency services and to deny the resources needed to 
manage the consequences of a physical attack. In addition, a swarming 
attack could be used to worsen the effects of a physical attack. For 
example, a cyber attack on a natural gas distribution pipeline that 
opens safety valves and releases fuels or gas in the area of a planned 
physical attack could enhance the force of the physical attack.

Information Sharing is Critical to Meeting DHS's Mission:

As our government and our nation has become ever more reliant on 
interconnected computer systems to support critical operations and 
infrastructures and as physical and cyber threats and potential attack 
consequences have increased, the importance of sharing information and 
coordinating the response to threats among stakeholders has increased. 
Information sharing and coordination among organizations are central to 
producing comprehensive and practical approaches and solutions to 
combating threats. For example, having information on threats and on 
actual incidents experienced by others can help an organization 
identify trends, better understand the risk it faces, and determine 
what preventive measures should be implemented. In addition, 
comprehensive, timely information on incidents can help federal and 
nonfederal analysis centers determine the nature of an attack, provide 
warnings, and advise on how to mitigate an imminent attack. Also, 
sharing information on terrorists and criminals can help to secure our 
nation's borders.

The Homeland Security Act of 2002 created DHS with the primary 
responsibility of preventing terrorist attacks in the United States, 
reducing the vulnerability of the United States to terrorist attacks, 
and minimizing damage and assisting in recovery from attacks that do 
occur. To help DHS accomplish its mission, the act establishes, among 
other entities, five under secretaries with responsibility over 
directorates for management, science and technology, information 
analysis and infrastructure protection, border and transportation 
security, and emergency preparedness and response. Figure 2 shows DHS's 
organization and positions filled, as currently reported by DHS.

Figure 2: Department of Homeland Security:

[See PDF for image]

[End of figure]

As part of DHS's responsibilities, the act includes several provisions 
specifically related to coordinating and sharing information within the 
department and among other federal agencies, state and local 
governments, the private sector, and other entities. It also includes 
provisions for protecting CIP information shared by the private sector 
and for sharing different types of information, such as grand jury and 
intelligence information. Other DHS responsibilities related to 
information sharing include:

* requesting and receiving information from other federal agencies, 
state and local government agencies, and the private sector relating to 
threats of terrorism in the United States;

* distributing or, as appropriate, coordinating the distribution of 
warnings and information with other federal agencies, state and local 
governments and authorities, and the public;

* creating and fostering communications with the private sector;

* promoting existing public/private partnerships and developing new 
public/private partnerships to provide for collaboration and mutual 
support; and:

* coordinating and, as appropriate, consolidating the federal 
government's communications and systems of communications relating to 
homeland security with state and local governments and authorities, the 
private sector, other entities, and the public.

Each DHS directorate is responsible for coordinating relevant efforts 
with other federal, state, and local governments. The act also 
established the Office for State and Local Government Coordination to, 
among other things, provide state and local governments with regular 
information, research, and technical support to assist them in securing 
the nation. Further, the act included provisions as the "Homeland 
Security Information Sharing Act" that requires the President to 
prescribe and implement procedures for facilitating homeland security 
information sharing and establishes authorities to share different 
types of information, such as grand jury information; electronic, wire, 
and oral interception information; and foreign intelligence 
information.

The following sections illustrate how DHS will require successful 
information sharing within the department and between federal agencies, 
state and local governments, and the private sector to effectively 
carry out its mission.

Information Analysis and Infrastructure Protection Directorate:

The Information Analysis and Infrastructure Protection Directorate 
(IAIP) is responsible for accessing, receiving, and analyzing law 
enforcement information, intelligence information, and other threat and 
incident information from respective agencies of federal, state, and 
local governments and the private sector, and for combining and 
analyzing such information to identify and assess the nature and scope 
of terrorist threats. IAIP is also tasked with coordinating with other 
federal agencies to administer the Homeland Security Advisory System to 
provide specific warning information along with advice on appropriate 
protective measures and countermeasures.[Footnote 12] Further, IAIP is 
responsible for disseminating, as appropriate, information analyzed by 
DHS within the department, to other federal agencies, to state and 
local government agencies, and to private sector entities.

The Homeland Security Act of 2002 makes DHS and its IAIP directorate 
also responsible for key CIP functions for the federal government. CIP 
involves activities that enhance the security of our nation's cyber and 
physical public and private infrastructure that are critical to 
national security, national economic security, and/or national public 
health and safety. Information sharing is a key element of these 
activities. Over 80 percent of our nation's critical infrastructures 
are controlled by the private sector. As part of their CIP 
responsibilities, IAIP is responsible for (1) developing a 
comprehensive national plan for securing the key resources and critical 
infrastructure of the United States and (2) recommending measures to 
protect the key resources and critical infrastructure of the United 
States in coordination with other federal agencies and in cooperation 
with state and local government agencies and authorities, the private 
sector, and other entities.

Federal CIP policy has continued to evolve since the mid-1990s through 
a variety of working groups, special reports, executive orders, 
strategies, and organizations. In particular, Presidential Decision 
Directive 63 (PDD 63) issued in 1998 established CIP as a national goal 
and described a strategy for cooperative efforts by government and the 
private sector to protect the physical and cyber-based systems 
essential to the minimum operations of the economy and the government. 
To accomplish its goals, PDD 63 established and designated 
organizations to provide central coordination and support. These 
included the Critical Infrastructure Assurance Office (CIAO), an 
interagency office established to develop a national plan for CIP, and 
NIPC, which was expanded to address national-level threat assessment, 
warning, vulnerability, and law enforcement investigation/response. 
The Homeland Security Act of 2002 transferred these and certain other 
CIP entities and their functions (other than the Computer 
Investigations and Operations Section of NIPC) to DHS's IAIP 
directorate.

Federal CIP policy beginning with PDD 63 and reinforced through other 
strategy documents, including the National Strategy for Homeland 
Security issued in July 2002, called for a range of activities intended 
to establish a partnership between the public and private sectors to 
ensure the security of our nation's critical infrastructures. To ensure 
coverage of critical infrastructure sectors, this policy identified 
infrastructure sectors that were essential to our national security, 
national economic security, and/or national public health and safety. 
For these sectors, which now total 14, federal government leads (sector 
liaisons) and private-sector leads (sector coordinators) were to work 
with each other to address problems related to CIP for their sector. In 
particular, they were to (1) develop and implement vulnerability 
awareness and education programs and (2) contribute to a sectoral plan 
by:

* assessing the vulnerabilities of the sector to cyber or physical 
attacks;

* recommending a plan to eliminate significant vulnerabilities;

* proposing a system for identifying and preventing major attacks; and:

* developing a plan for alerting, containing, and rebuffing an attack 
in progress and then, in coordination with the Federal Emergency 
Management Agency as appropriate, rapidly reconstituting minimum 
essential capabilities in the aftermath of an attack.

CIP policy also called for sector liaisons to identify and assess 
economic incentives to encourage the desired sector behavior in CIP. 
Federal grant programs to assist state and local efforts, legislation 
to create incentives for the private sector and, in some cases, 
regulation are mentioned in CIP policy.

Federal CIP policy also encourages the voluntary creation of 
information sharing and analysis centers (ISACs) to serve as mechanisms 
for gathering, analyzing, and appropriately sanitizing and 
disseminating information to and from infrastructure sectors and the 
federal government through NIPC. ISACs are critical since private-
sector entities control over 80 percent of our nation's critical 
infrastructures. Their activities could improve the security posture of 
the individual sectors, as well as provide an improved level of 
communication within and across sectors and all levels of government. 
While PDD 63 encouraged the creation of ISACs, it left the actual 
design and functions of the ISACs, along with their relationship with 
NIPC, to be determined by the private sector in consultation with the 
federal government. PDD 63 did provide suggested activities, which the 
ISACs could undertake, including:

* establishing baseline statistics and patterns on the various 
infrastructures;

* serving as a clearinghouse for information within and among the 
various sectors;

* providing a library for historical data for use by the private sector 
and government; and:

* reporting private-sector incidents to NIPC.

As we reported in our April 8, 2003,[Footnote 13] testimony, table 3 
shows the sectors identified in federal CIP policy, the lead agencies 
for these sectors, and whether or not an ISAC has been established for 
the sector.

Table 3: Lead Agencies and ISAC Status by CIP Sector:

Sectors: Sectors identified by PDD 63:

Sectors: Information and telecommunications; Designated lead agency: 
Homeland Security*; ISAC established: No.

Sectors: Information technology; Designated lead agency: [Empty]; ISAC 
established: Yes.

Sectors: Telecommunications; Designated lead agency: [Empty]; ISAC 
established: Yes.

Sectors: Research and education networks; Designated lead agency: 
[Empty]; ISAC established: Yes.

Sectors: Banking and finance; Designated lead agency: Treasury; ISAC 
established: Yes.

Sectors: Water; Designated lead agency: Environmental Protection 
Agency; ISAC established: Yes.

Sectors: Transportation; Designated lead agency: Homeland Security*; 
ISAC established: No.

Sectors: Aviation; Designated lead agency: [Empty]; ISAC established: 
[Empty].

Sectors: Surface transportation; Designated lead agency: [Empty]; ISAC 
established: Yes.

Sectors: Maritime; Designated lead agency: [Empty]; ISAC established: 
prospective.

Sectors: Trucking; Designated lead agency: [Empty]; ISAC established: 
4.

Sectors: Emergency services**; Designated lead agency: Homeland 
Security*; ISAC established: No.

Sectors: Emergency law enforcement; Designated lead agency: [Empty]; 
ISAC established: Yes.

Sectors: Emergency fire services; Designated lead agency: [Empty]; ISAC 
established: Yes.

Sectors: Government **; Designated lead agency: Homeland Security*; 
ISAC established: No.

Sectors: Interstate; Designated lead agency: [Empty]; ISAC established: 
Yes.

Sectors: Energy; Designated lead agency: Energy; ISAC established: No.

Sectors: Electric power; Designated lead agency: [Empty]; ISAC 
established: Yes.

Sectors: Oil and gas; Designated lead agency: [Empty]; ISAC 
established: Yes.

Sectors: Public health; Designated lead agency: Health and Human 
Services; ISAC established: No.

Sectors: Sectors identified by The National Strategy for Homeland 
Security.

Sectors: Food; Meat and poultry
All other food products; Designated lead agency: ; Agriculture
Health and Human Services; ISAC established: Yes.

Sectors: Agriculture; Designated lead agency: Agriculture; ISAC 
established: No.

Sectors: Chemical industry and hazardous materials; Designated lead 
agency: Environmental Protection Agency; ISAC established: No.

Sectors: Chemicals; Designated lead agency: [Empty]; ISAC established: 
Yes.

Sectors: Defense industrial base; Designated lead agency: Defense; ISAC 
established: No.

Sectors: Postal and shipping; Designated lead agency: Homeland 
Security; ISAC established: No.

Sectors: National monuments and icons; Designated lead agency: 
Interior; ISAC established: No.

Sectors: Other communities that have established ISACs; Designated lead 
agency: [Empty]; ISAC established: No.

Sectors: Real estate; Designated lead agency: [Empty]; ISAC 
established: Yes.

*The lead agencies previously designated by PDD 63 were (from top to 
bottom) the Department of Commerce, Department of Transportation, 
Department of Justice/Federal Bureau of Investigation, and the Federal 
Emergency Management Agency.

**PDD 63 identified as critical sectors (1) emergency law enforcement 
and (2) emergency fire services and continuity of government. In the 
National Strategy for Homeland Security, emergency law enforcement and 
emergency fire services are both included in an emergency services 
sector. Also, continuity of government, along with continuity of 
operations, is listed as a subcomponent under the government sector.

[End of table]

As called for by the National Strategy for Homeland Security, on 
February 14, 2003, the President also released the National Strategy to 
Secure Cyberspace and the complementary National Strategy for the 
Physical Protection of Critical Infrastructures and Key Assets. These 
two strategies identify priorities, actions, and responsibilities for 
the federal government (including lead agencies and DHS) as well as for 
state and local governments and the private sector. These two 
strategies also emphasize the importance of developing mechanisms for 
the public and private sectors to share information about 
vulnerabilities, incidents, threats, and other security data. For 
example, the National Strategy to Secure Cyberspace calls for the 
development of a National Cyberspace Security Response System. To be 
coordinated by DHS, this system is described as a public/private 
architecture for analyzing and warning, managing incidents of national 
significance, promoting continuity in government systems and private-
sector infrastructures, and increasing information sharing across and 
between organizations to improve cyberspace security. The system is to 
include governmental and nongovernmental entities, such as private-
sector ISACs. The strategies also encourage the continued establishment 
of ISACs and efforts to enhance the analytical capabilities of existing 
ISACs.

As we previously reported, according to a DHS official, the department 
is continuing to carry out the CIP activities of the functions and 
organizations transferred to it by the Homeland Security Act of 
2002.[Footnote 14] And although NIPC has experienced the loss of 
certain senior leadership prior to its transition to the new department 
and has identified some staffing needs, this official stated that the 
department is able to provide the functions previously performed by 
NIPC. Further, he stated that the department is enhancing those 
activities as it integrates them within the new department and is 
developing a business plan. The official also stated that the 
department is continuing previously established efforts to maintain and 
build relationships with other federal entities, including the FBI and 
other NIPC partners, and with the private sector.

To fulfill its mission, the IAIP directorate will need to ensure 
effective information sharing with other federal entities. For example, 
information sharing with the recently formed Terrorist Threat 
Integration Center (TTIC) is a central function of the directorate. 
TTIC was created to merge and analyze terrorist-related information 
collected domestically and abroad to enhance coordination, facilitate 
threat analysis, and enable more comprehensive threat assessments. DHS 
plans to provide staff to work at TTIC, and the center is to provide 
DHS with a comprehensive assessment of threat information that will 
guide the department's response to any potential attacks. In addition, 
IAIP will need to establish effective information sharing with the 
numerous CIP entities not transferred to DHS. In July 2002, we issued a 
report identifying at least 50 organizations that were involved in 
national or multinational cyber CIP efforts, including 5 advisory 
committees, 6 Executive Office of the President organizations, 38 
executive branch organizations associated with departments, agencies, 
or intelligence organizations, and 3 other organizations.[Footnote 15] 
Only 5 of the CIP organizations transferred to DHS.

The Directorate of Border and Transportation Security:

According to the act, the Border and Transportation Security 
Directorate (BTS) is responsible for, among other things, (1) 
preventing the entry of terrorists and the instruments of terrorism 
into the United States; (2) securing the borders, territorial waters, 
ports, terminals, waterways, and air, land, and sea transportation 
systems, including managing and coordinating those functions 
transferred to the department; (3) carrying out immigration enforcement 
functions; (4) establishing and administering rules for granting visas, 
and (5) administering customs laws. A number of federal entities are 
under its responsibility, such as the Transportation Security 
Administration, U.S. Customs Service, the border security functions of 
the Immigration and Naturalization Service (INS), Animal and Plant 
Health Inspection Service, and the Federal Law Enforcement Training 
Center.

To successfully protect the borders and transportation systems of the 
United States, BTS faces the challenge of sharing information across 
the various organizations under its responsibility. According to the 
National Strategy for Homeland Security, to successfully prevent the 
entry of contraband, unauthorized aliens, and potential terrorists, DHS 
will have to increase the level of information available on inbound 
goods and passengers to the border management component agencies under 
the BTS. For example, the strategy discusses the need to increase the 
security of international shipping containers--noting that 50 percent 
of the value of U.S. imports arrives via 16 million containers. To 
increase security, U.S. inspectors will need shared information so that 
they can identify high-risk containers. In addition, protecting our 
borders from the entry of unauthorized aliens and potential terrorists 
will require the sharing of information between various law enforcement 
and immigration services. For example, we recently reported on the use 
of watch lists as important tools to help secure our nation's 
borders.[Footnote 16] These lists provide decision makers with 
information about individuals who are known or suspected terrorists and 
criminals so that these individuals can either be prevented from 
entering the country, apprehended while in the country, or apprehended 
as they attempt to exit the country.

The Emergency Preparedness and Response Directorate:

According to the act, the Emergency Preparedness and Response 
Directorate (EPR) ensures that the nation is prepared for, and able to 
recover from, terrorist attacks, major disasters, and other 
emergencies. In addition, EPR is responsible for building a 
comprehensive national incident management system with federal, state, 
and local governments and authorities to respond to such attacks and 
disasters. This project will require developing an extensive program of 
information sharing among federal, state and local governments. 
Further, EPR is to develop comprehensive programs for developing 
interoperable communications technology and helping to ensure that 
emergency response providers acquire such technology. Among the 
functions transferred to EPR are the Federal Emergency Management 
Agency, the Integrated Hazard Information System of the National 
Oceanic and Atmospheric Administration, and the Metropolitan Medical 
Response System.

Information sharing is important to emergency responders to prepare for 
and respond to terrorist attacks and other emergencies. For example, if 
a biological attack were to occur, it would be important for health 
officials to quickly and effectively exchange information with relevant 
experts directly responding to the event in order to respond 
appropriately. To support this type of exchange, the Centers for 
Disease Control and Prevention (CDC) created the Epidemic Information 
Exchange (Epi-X), a secure, Web-based communications network that 
serves as an information exchange between CDC, state and local health 
departments, poison control centers, and other public health 
professionals. According to CDC, Epi-X's primary goals include 
informing health officials about important public health events, 
helping them respond to public health emergencies, and encouraging 
professional growth and the exchange of information. CDC has also 
created an emergency operations center to respond to public health 
emergencies and to allow for immediate secure communication between 
CDC, the Department of Health and Human Services, federal intelligence 
and emergency response officials, DHS, and state and local public 
health officials.

Information Sharing Challenges:

GAO has made numerous recommendations over the last several years 
related to information sharing functions that have been transferred to 
DHS. One significant area of GAO work concerns the federal government's 
CIP efforts, which is focused on the sharing of information on 
incidents, threats, and vulnerabilities, and the providing of warnings 
related to critical infrastructures both within the federal government 
and between the federal government and state and local governments, and 
the private sector. Although improvements have been made in protecting 
our nation's critical infrastructures and continuing efforts are in 
progress, further efforts are needed to address the following critical 
CIP challenges that GAO has identified:

* developing a comprehensive and coordinated national plan to 
facilitate CIP information sharing, which clearly delineates the roles 
and responsibilities of federal and nonfederal CIP entities, defines 
interim objectives and milestones, sets timeframes for achieving 
objectives, and establishes performance measures;

* developing fully productive information sharing relationships within 
the federal government and between the federal government and state and 
local governments and the private sector;

* improving the federal government's capabilities to analyze incident, 
threat, and vulnerability information obtained from numerous sources 
and share appropriate timely, useful warnings and other information 
concerning both cyber and physical threats to federal entities, state 
and local governments, and the private sector; and:

* providing appropriate incentives for nonfederal entities to increase 
information sharing with the federal government.

In addition, GAO recently identified challenges in consolidating and 
standardizing watch list structures and policies, which are essential 
to effectively sharing information on suspected criminals and 
terrorists.

A Complete and Coordinated National CIP Plan Needs to Be Developed:

An underlying issue in the implementation of CIP is that no national 
plan to facilitate information sharing yet exists that clearly 
delineates the roles and responsibilities of federal and nonfederal CIP 
entities, defines interim objectives and milestones, sets timeframes 
for achieving objectives, and establishes performance measures. Such a 
clearly defined plan is essential for defining the relationships among 
all CIP organizations to ensure that the approach is comprehensive and 
well coordinated. Since 1998, we have reported on the need for such a 
plan and made numerous related recommendations.

In September 1998, we reported that developing a governmentwide 
strategy that clearly defined and coordinated the roles of federal 
entities was important to ensure governmentwide cooperation and support 
for PDD 63.[Footnote 17] At that time, we recommended that the Office 
of Management and Budget (OMB) and the Assistant to the President for 
National Security Affairs ensure such coordination.

In January 2000, the President issued Defending America's Cyberspace: 
National Plan for Information Systems Protection: Version 1.0: An 
Invitation to a Dialogue as a first major element of a more 
comprehensive effort to protect the nation's information systems and 
critical assets from future attacks. The plan proposed achieving the 
twin goals of making the U.S. government a model of information 
security and developing a public/private partnership to defend our 
national infrastructures. However, this plan focused largely on federal 
cyber CIP efforts, saying little about the private-sector role.

In September 2001, we reported that agency questions had surfaced 
regarding specific roles and responsibilities of entities involved in 
cyber CIP and the timeframes within which CIP objectives were to be 
met, as well as guidelines for measuring progress.[Footnote 18] 
Accordingly, we made several recommendations to supplement those we had 
made in the past. Specifically, we recommended that the Assistant to 
the President for National Security Affairs ensure that the federal 
government's strategy to address computer-based threats define:

* specific roles and responsibilities of organizations involved in CIP 
and related information security activities;

* interim objectives and milestones for achieving CIP goals and a 
specific action plan for achieving these objectives, including 
implementing vulnerability assessments and related remedial plans; and:

* performance measures for which entities can be held accountable.

In July 2002 we issued a report identifying at least 50 organizations 
that were involved in national or multinational cyber CIP efforts, 
including 5 advisory committees, 6 Executive Office of the President 
organizations, 38 executive branch organizations associated with 
departments, agencies, or intelligence organizations, and 3 other 
organizations.[Footnote 19] Although our review did not cover 
organizations with national physical CIP responsibilities, the large 
number of organizations that we did identify as involved in CIP efforts 
presents a need to clarify how these entities coordinate their 
activities with each other. Our report also stated that PDD 63 did not 
specifically address other possible critical sectors and their 
respective federal agency counterparts. Accordingly, we recommended 
that the federal government's strategy also:

* include all relevant sectors and define the key federal agencies' 
roles and responsibilities associated with each of these sectors, and:

* define the relationships among the key CIP organizations.

In July 2002, the National Strategy for Homeland Security called for 
interim cyber and physical infrastructure protection plans that DHS 
would use to build a comprehensive national infrastructure plan. 
Implementing a well-developed plan is critical in effective 
coordination in times of crises. According to the strategy, the 
national plan is to provide a methodology for identifying and 
prioritizing critical assets, systems, and functions, and for sharing 
protection responsibility with state and local governments and the 
private sector. The plan is also to establish standards and benchmarks 
for infrastructure protection and provide a means to measure 
performance. The plan is expected to inform DHS on budgeting and 
planning for critical infrastructure protection activities and how to 
use policy instruments to coordinate between government and private 
entities to improve the security of our national infrastructures to 
appropriate levels. The strategy also states that the DHS is to unify 
the currently divided responsibilities for cyber and physical security. 
According to the department's November 2002 reorganization plan, the 
Assistant Secretary for Infrastructure Protection is responsible for 
developing a comprehensive national infrastructure plan.

As discussed previously, in February 2003, the President issued the 
interim strategies--The National Strategy to Secure Cyberspace and The 
National Strategy for the Physical Protection of Critical 
Infrastructures and Key Assets (hereafter referred to in this testimony 
as the cyberspace security strategy and the physical protection 
strategy). These strategies identify priorities, actions, and 
responsibilities for the federal government, including federal lead 
departments and agencies and the DHS, as well as for state and local 
governments and the private sector. Both define strategic objectives 
for protecting our nation's critical assets. The physical protection 
strategy discusses the goals and objectives for protecting our nation's 
critical infrastructure and key assets from physical attack. The 
cyberspace security strategy provides a framework for organizing and 
prioritizing the individual and concerted responsibilities of all 
levels of government to secure cyberspace.

According to the physical protection strategy, across government, there 
are inconsistent methodologies to prioritize efforts to enhance 
critical infrastructure protection. This problem is compounded with 
ineffective communication among the federal, state, and local 
governments that has resulted in untimely, disparate, and at times 
conflicting communication between those who need it most. DHS has been 
given a primary role in providing cross-sector coordination to improve 
communication and planning efforts and serves as the single point of 
coordination for state and local governments on homeland security 
issues. To fulfill its role as the cross-sector coordinator, DHS will 
partner with state and local governments and the private sector to 
institute processes that are transparent, comprehensive, and results-
oriented. This effort will include creating mechanisms for 
collaborative national planning efforts between the private and public 
sectors and for consolidating the individual sector plans into a 
comprehensive plan that will define their respective roles, 
responsibilities, and expectations.

The cyberspace security strategy is the counterpart to the physical 
protection strategy and provides the framework for organizing and 
prioritizing the individual and concerted responsibilities of all 
levels of government to secure cyberspace. DHS serves as the focal 
point for managing cybersecurity incidents that could impact the 
federal government or the national information infrastructure, and 
thus, plays a central role in executing the initiatives assigned in 
this strategy. While the cyberspace security strategy mentions the 
responsibility of DHS in creating a comprehensive national plan for 
securing resources and key infrastructures, much of the strategy's 
emphasis remains on coordinating and integrating various plans with the 
private sector.

Neither strategy (1) clearly indicates how the physical and cyber 
efforts will be coordinated; (2) defines the roles, responsibilities, 
and relationships among the key CIP organizations, including state and 
local governments and the private sector; (3) indicates time frames or 
milestones for their overall implementation or for accomplishing 
specific actions or initiatives; nor (4) establishes performance 
measures for which entities can be held responsible. Until a 
comprehensive and coordinated plan is completed that unifies the 
responsibilities for cyber and physical infrastructures; identifies 
roles, responsibilities, and relationships for all CIP efforts; 
establishes time frames or milestones for implementation; and 
establishes performance measures, our nation risks not having a 
consistent and appropriate information sharing framework to deal with 
growing threats to its critical infrastructure.

Better Information Sharing on Threats and Vulnerabilities Must Be 
Implemented:

Information sharing is a key element in developing comprehensive and 
practical approaches to defending against potential cyber and other 
attacks, which could threaten the national welfare. Information on 
threats, vulnerabilities, and incidents experienced by others can help 
identify trends, better understand the risks faced, and determine what 
preventive measures should be implemented. However, as we have reported 
in recent years, establishing the trusted relationships and 
information-sharing protocols necessary to support such coordination 
can be difficult. In addition, the private sector has expressed 
concerns about sharing information with the government and the 
difficulty of obtaining security clearances. Both Congress and the 
administration have taken steps to address information sharing issues 
in law and recent policy guidance, but their effectiveness will largely 
depend on how DHS implements its information sharing responsibilities.

A number of activities have been undertaken to build information-
sharing relationships between the federal government and the private 
sector, such as InfraGard, the Partnership for Critical Infrastructure 
Security, efforts by the CIAO, and efforts by lead agencies to 
establish ISACs. For example, the InfraGard Program, which provides the 
FBI and NIPC with a means of securely sharing information with 
individual companies, has expanded substantially. By early January 
2001, 518 entities were InfraGard members--up from 277 members in 
October 2000. Members include representatives from private industry, 
other government agencies, state and local law enforcement, and the 
academic community. As of February 2003, InfraGard members totaled over 
6,700.

As stated above, PDD 63 encouraged the voluntary creation of ISACs to 
serve as the mechanism for gathering, analyzing, and appropriately 
sanitizing and disseminating information between the private sector and 
the federal government through NIPC. In April 2001, we reported that 
NIPC and other government entities had not developed fully productive 
information-sharing relationships but that NIPC had undertaken a range 
of initiatives to foster information sharing relationships with ISACs, 
as well as with government and international entities. We recommended 
that NIPC formalize relationships with ISACs and develop a plan to 
foster a two-way exchange of information between them.

In response to our recommendations, NIPC officials told us in July 2002 
that an ISAC development and support unit had been created, whose 
mission was to enhance private-sector cooperation and trust so that it 
would result in a two-way sharing of information. As shown previously 
in table 3, as of April 8, 2003, DHS reported that there are 16 current 
ISACs, including ISACs established for sectors not identified as 
critical infrastructure sectors. DHS officials also stated that they 
have formal agreements with most of the current ISACs.

In spite of progress made in establishing ISACs, additional efforts are 
needed. All sectors do not have a fully established ISAC, and even for 
those sectors that do, our recent work showed that participation may be 
mixed and the amount of information being shared between the federal 
government and private-sector organizations also varies. Specifically, 
the five ISACs we recently reviewed[Footnote 20] showed different 
levels of progress in implementing the PDD 63 suggested activities. For 
example, four of the five reported that efforts were still in progress 
to establish baseline statistics, which includes developing a database 
on the normal levels of computer security incidents that would be used 
for analysis purposes. Also, while all five reported that they serve as 
the clearinghouse of information (such as incident reports and warnings 
received from members) for their own sectors, only three of the five 
reported that they are also coordinating with other sectors. Only one 
of the five ISACs reported that it provides a library of incidents and 
historical data that is available to both the private sector and the 
federal government, and although three additional ISACs do maintain a 
library, it is available only to the private sector. Table 4 summarizes 
the reported status of the five ISACs in performing these and other 
activities suggested by PDD 63.

Table 4: ISACs' Progress in Performing Activities Suggested by PDD 63:

Activity: Establish baseline statistics; ISAC: Telecommunications: In 
progress; ISAC: Electricity: In progress; ISAC: Information Technology: 
Yes; ISAC: Energy: In progress; ISAC: Water: In progress.

Activity: Serve as clearinghouse within and among sectors; ISAC: 
Telecommunications: Yes; ISAC: Electricity: Yes; ISAC: Information 
Technology: Yes; ISAC: Energy: Only within own sector; ISAC: Water: 
Only within own sector.

Activity: Provide library to private sector and government; ISAC: 
Telecommunications: In progress; ISAC: Electricity: Yes; ISAC: 
Information Technology: Available only to private sector; ISAC: Energy: 
Available only to private sector; ISAC: Water: Available only to 
private sector.

Activity: Report incidents to NIPC; ISAC: Telecommunications: Yes; 
ISAC: Electricity: Yes; ISAC: Information Technology: Yes; ISAC: 
Energy: No; ISAC: Water: Yes.

Source: ISACs.

[End of table]

Some in the private sector have expressed concerns about voluntarily 
sharing information with the government. Specifically, concerns have 
been raised that industry could potentially face antitrust violations 
for sharing information with other industry partners, have their 
information subject to the Freedom of Information Act (FOIA), or face 
potential liability concerns for information shared in good faith. For 
example, neither the IT nor the energy or the water ISACs share their 
libraries with the federal government because of concerns that 
information could be released under FOIA. And, officials of the energy 
ISAC stated that they have not reported incidents to NIPC because of 
FOIA and antitrust concerns.

There will be continuing debate as to whether adequate protection is 
being provided to the private sector as these entities are encouraged 
to disclose and exchange information on both physical and cyber 
security problems and solutions that are essential to protecting our 
nation's critical infrastructures. The National Strategy for Homeland 
Security includes "enabling critical infrastructure information 
sharing" in its 12 major legislative initiatives. It states that the 
nation must meet this need by narrowly limiting public disclosure of 
information relevant to protecting our physical and cyber critical 
infrastructures in order to facilitate the voluntary submission of 
information. It further states that the Attorney General will convene a 
panel to propose any legal changes necessary to enable sharing of 
essential homeland security related information between the federal 
government and the private sector.

Actions have already been taken by the Congress and the administration 
to strengthen information sharing. For example, the USA PATRIOT Act 
promotes information sharing among federal agencies, and numerous 
terrorism task forces have been established to coordinate 
investigations and improve communications among federal and local law 
enforcement.[Footnote 21] Moreover, the Homeland Security Act of 2002 
includes provisions that restrict federal, state, and local government 
use and disclosure of critical infrastructure information that has been 
voluntarily submitted to DHS. These restrictions include exemption from 
disclosure under FOIA, a general limitation on use to CIP purposes, and 
limitations on use in civil actions and by state or local governments. 
The act also provides penalties for any federal employee who improperly 
discloses any protected critical infrastructure information. Last month 
DHS issued for comment its proposed rules for how critical 
infrastructure information volunteered by the public will be protected. 
At this time, it is too early to tell what impact the act will have on 
the willingness of the private sector to share critical infrastructure 
information.

Information sharing within the government also remains a challenge. In 
April 2001, we reported that NIPC and other government entities had not 
developed fully productive information sharing and cooperative 
relationships.[Footnote 22] For example, federal agencies had not 
routinely reported incident information to NIPC, at least in part 
because guidance provided by the federal Chief Information Officers 
Council, which is chaired by OMB, directs agencies to report such 
information to the Federal Computer Incident Response Center 
(FedCIRC).[Footnote 23] Further, NIPC and Department of Defense 
officials agreed that their information-sharing procedures needed 
improvement, noting that protocols for reciprocal exchanges of 
information had not been established. In addition, the expertise of the 
U.S. Secret Service regarding computer crime had not been integrated 
into NIPC efforts. The NIPC director stated in July 2002 that the 
relationship between NIPC and other government entities had 
significantly improved since our review, and that quarterly meetings 
with senior government leaders were instrumental in improving 
information sharing. Also, in testimony in 2002, officials from the 
FedCIRC and the U.S. Secret Service 
discussed the collaborative and cooperative relationships that were 
subsequently formed between their agencies and NIPC.

Also, the private sector has expressed its concerns about the value of 
information being provided by the government. For example, in July 2002 
the President for the Partnership for Critical Infrastructure Security 
stated in congressional testimony that information sharing between the 
government and private sector needs work, specifically, in the quality 
and timeliness of cyber security information coming from the 
government.[Footnote 24] In March 2003 we also reported that the 
officials from the chemical industry noted that they need better threat 
information from law enforcement agencies, as well as better 
coordination among agencies providing threat information.[Footnote 25] 
They stated that chemical companies do not receive enough specific 
threat information and that it frequently comes from multiple 
government agencies. Similarly, in developing a vulnerability 
assessment methodology to assess the security of chemical facilities 
against terrorist and criminal attacks, the Department of Justice 
observed that chemical facilities need more specific information about 
potential threats in order to design their security systems and 
protocols. Chemical industry officials also noted that efforts to share 
threat information among industry and federal agencies will be 
effective only if government agencies provide specific and accurate 
threat information. Threat information also forms the foundation for 
some of the tools available to industry for assessing facility 
vulnerabilities. The Justice vulnerability assessment methodology 
requires threat information as the foundation for hypothesizing about 
threat scenarios, which form the basis for determining site 
vulnerabilities.

The Homeland Security Act, the President's National Strategy for 
Homeland Security, the National Strategy to Secure Cyberspace, and the 
National Strategy for the Physical Protection of Critical 
Infrastructures and Key Assets all acknowledge the importance of 
information sharing and identify multiple responsibilities for DHS to 
share information on threats and vulnerabilities. In particular:

* The Homeland Security Act authorizes the IAIP Under Secretary to have 
access to all information in the federal government that concerns 
infrastructure or other vulnerabilities of the United States to 
terrorism and to use this information to fulfill their responsibilities 
to provide appropriate analysis and warnings related to threats to and 
vulnerabilities of critical information systems, crisis management 
support in response to threats or attacks on critical information 
systems, and technical assistance upon request to private sector and 
government entities to respond to major failures of critical 
information systems.

* The National Strategy for Homeland Security specifies the need for 
DHS to work with state and local governments to achieve "seamless 
communication" among all responders. This responsibility includes 
developing a national emergency communication plan to establish 
policies and procedures to improve the exchange of information. 
Ensuring improved communications also involves developing systems that 
help prevent attacks and minimize damage. Such systems, which would be 
accessed and used by all levels of government, would detect hostile 
intents and help locate individual terrorists as well as monitor and 
detect outbreaks.

* The cyberspace security strategy encourages DHS to work with the 
National Infrastructure Advisory Council and the private sector to 
develop an optimal approach and mechanism to disclose vulnerabilities 
in order to expedite the development of solutions without creating 
opportunities for exploitation by hackers. DHS is also expected to 
raise awareness about removing obstacles to sharing information 
concerning cybersecurity and infrastructure vulnerabilities between 
the public and private sectors and is encouraged to work closely with 
ISACs to ensure that they receive timely and actionable threat and 
vulnerability data and to coordinate voluntary contingency planning 
efforts.

* The physical protection strategy describes DHS' need to collaborate 
with the intelligence community and the Department of Justice to 
develop comprehensive threat collection, assessment, and dissemination 
processes that are distributed to the appropriate entity in a timely 
manner. It also enumerates several initiatives directed to DHS to 
accomplish to create a more effective information-sharing environment 
among the key stakeholders, including establishing requirements for 
sharing information; supporting state and local participation with 
ISACs to more effectively communicate threat and vulnerability 
information; protecting secure and proprietary information deemed 
sensitive by the private sector; implementing processes for collecting, 
analyzing, and disseminating threat data to integrate information from 
all sources; and developing interoperable systems to share sensitive 
information among government entities to facilitate meaningful 
information exchange.

* The National Strategy for Homeland Security also describes DHS's need 
to engage its partners around the world in cooperative efforts to 
improve security. It states that DHS will increase information sharing 
between the international law enforcement, intelligence, and military 
communities.

Analysis and Warning Capabilities Need to Be Improved:

Analysis and warning capabilities should be developed to detect 
precursors to attacks on the nation so that advanced warnings can be 
issued and protective measures implemented. Since the 1990s, the 
national security community and the Congress have identified the need 
to establish analysis and warning capabilities to protect against 
strategic computer attacks against the nation's critical computer-
dependent infrastructures. Such capabilities need to address both cyber 
and physical threats and involve (1) gathering and analyzing 
information for the purpose of detecting and reporting otherwise 
potentially damaging actions or intentions and (2) implementing a 
process for warning policymakers and allowing them time to determine 
the magnitude of the related risks.

In April 2001,[Footnote 26] we reported on NIPC's progress and 
impediments in developing analysis and warning capabilities for 
computer-based attacks, which included the following:[Footnote 27]

Lack of a generally accepted methodology for analyzing strategic cyber-
based threats. For example, there was no standard terminology, no 
standard set of factors to consider, and no established thresholds for 
determining the sophistication of attack techniques. According to 
officials in the intelligence and national security community, 
developing such a methodology would require an intense interagency 
effort and dedication of resources.

Prolonged leadership vacancies and inadequate staff expertise, in part 
because other federal agencies had not provided the originally 
anticipated number of detailees. For example, at the close of our 
review in February 2001, the position of Chief of the Analysis and 
Warning Section, which was to be filled by the Central Intelligence 
Agency, had been vacant for about half of NIPC's 3-year existence. In 
addition, NIPC had been operating with only 13 of the 24 analysts that 
NIPC officials estimated were needed to develop analytical 
capabilities.

Lack of industry-specific data on factors such as critical system 
components, known vulnerabilities, and interdependencies. Under PDD 63, 
such information is to be developed for each of eight industry segments 
by industry representatives and the designated federal lead agencies. 
However, at the close of our work, only three industry assessments had 
been partially completed, and none had been provided to NIPC. In 
September 2001, we reported that although outreach efforts had raised 
awareness and improved information sharing, substantive, comprehensive 
analysis of infrastructure sector interdependencies and 
vulnerabilities had been limited.

Another challenge confronting the analysis and warning capabilities of 
our nation is that, historically, our national CIP attention and 
efforts have been focused on cyber threats. As we also reported in 
April 2001, although PDD 63 covers both physical and cyber threats, 
federal efforts to meet the directive's requirements have pertained 
primarily to cyber threats, since this is an area that the leaders of 
the administration's CIP strategy view as needing attention. However, 
the terrorist attacks of September 11, 2001, have increased the 
emphasis of physical threats. In addition, in July 2002, NIPC reported 
that the potential for concurrent cyber and physical ("swarming") 
attacks is an emerging threat to the U.S. critical infrastructure. 
Further, in July 2002, the director of NIPC also told us that NIPC had 
begun to develop some capabilities for identifying physical CIP 
threats. For example, NIPC had developed thresholds with several ISACs 
for reporting physical incidents and, since January 2002, has issued 
several information bulletins concerning physical CIP threats. However, 
NIPC's director acknowledged that fully developing this capability 
would be a significant challenge. The physical protection strategy 
states that DHS will maintain a comprehensive, up-to-date assessment of 
vulnerabilities across sectors and improve processes for domestic 
threat data collection, analysis, and dissemination to state and local 
governments and private industry.

The administration and Congress continue to emphasize the need for 
these analysis and warning capabilities. The National Strategy for 
Homeland Security identified intelligence and warning as one of six 
critical mission areas and called for major initiatives to improve our 
nation's analysis and warning capabilities. The strategy also stated 
that no government entity was then responsible for analyzing terrorist 
threats to the homeland, mapping these threats to our vulnerabilities, 
and taking protective action. The Homeland Security Act gives such 
responsibility to the new DHS. For example, the IAIP Under Secretary is 
responsible for administering the Homeland Security Advisory System, 
and is to coordinate with other federal agencies to provide specific 
warning information and advice to state and local agencies, the private 
sector, the public, and other entities about appropriate protective 
measures and countermeasures to homeland security threats.

An important aspect of improving our nation's analysis and warning 
capabilities is having comprehensive vulnerability assessments. The 
President's National Strategy for Homeland Security also states that 
comprehensive vulnerability assessments of all of our nation's critical 
infrastructures are important from a planning perspective in that they 
enable authorities to evaluate the potential effects of an attack on a 
given sector and then invest accordingly to protect it. The strategy 
states that the U.S. government does not perform vulnerability 
assessments of the nation's entire critical infrastructure. The 
Homeland Security Act of 2002 states that the DHS's IAIP Under 
Secretary is to carry out comprehensive assessments of the 
vulnerabilities of key resources and critical infrastructures of the 
United States.

Another critical issue in developing effective analysis and warning 
capabilities is to ensure that appropriate intelligence and other 
threat information, both cyber and physical, is received from the 
intelligence and law enforcement communities. For example, there has 
been considerable public debate regarding the quality and timeliness of 
intelligence data shared between and among relevant intelligence, law 
enforcement, and other agencies. Also, as the transfer of NIPC to DHS 
organizationally separated it from the FBI's law enforcement activities 
(including the Counterterrorism Division and NIPC field agents), it 
will be critical to establish mechanisms for continued communication to 
occur. Further, it will be important that the relationships between the 
law enforcement and intelligence communities and the new DHS are 
effective and that appropriate information is exchanged on a timely 
basis. The act gives DHS broad statutory authority to access 
intelligence information, as well as other information relevant to the 
terrorist threat and to turn this information into useful warnings. For 
example, DHS is to be a key
participant in the multi-agency TTIC[Footnote 28] that reportedly began 
operations on May 1, 2003. According to a White House fact sheet, DHS's 
IAIP is to receive and analyze terrorism-related information from the 
TTIC.[Footnote 29] Although the purpose of TTIC and the authorities and 
responsibilities of the FBI and Central Intelligence Agency (CIA) 
counterterrorism organizations remain distinct, it has been reported 
that many details of the new center have not yet been finalized, 
including the types of reports that will be provided to other agencies.

In addition, according to NIPC's director, as of July 2002, a 
significant challenge in developing a robust analysis and warning 
function is the development of the technology and human capital 
capacities to collect and analyze substantial amounts of information. 
Similarly, the Director of the FBI testified in June 2002 that 
implementing a more proactive approach to preventing terrorist acts and 
denying terrorist groups the ability to operate and raise funds require 
a centralized and robust analytical capacity that did not exist in the 
FBI's Counterterrorism Division.[Footnote 30] He also stated that 
processing and exploiting information gathered domestically and abroad 
during the course of investigations requires an enhanced analytical and 
data mining capacity that was not then available. According to DHS's 
reorganization plans, the IAIP Under Secretary and the CIO of the 
department are to fulfill their responsibilities as laid out by the act 
to establish and utilize a secure communications and IT infrastructure. 
This infrastructure is to include data-mining and other analytical 
tools in order to access, receive, analyze, and disseminate data and 
information.

Additional Incentives Are Needed to Encourage Increased Information 
Sharing Efforts:

PDD 63 stated that sector liaisons should identify and assess economic 
incentives to encourage sector information sharing and other desired 
behavior. Consistent with the original intent of PDD 63, the National 
Strategy for Homeland Security states that, in many cases, sufficient 
incentives exist in the private market for addressing the problems of 
CIP. However, the strategy also discusses the need to use all available 
policy tools to protect the health, safety, or well-being of the 
American people. It mentions federal grant programs to assist state and 
local efforts, legislation to create incentives for the private sector, 
and, in some cases, regulation. The physical protection strategy 
reiterates that additional regulatory directives and mandates should 
only be necessary in instances where the market forces are insufficient 
to prompt the necessary investments to protect critical infrastructures 
and key assets. The cyberspace security strategy also states that the 
market is to provide the major impetus to improve cyber security and 
that regulation will not become a primary means of securing cyberspace.

Last year, the Comptroller General testified on the need for strong 
partnerships with those outside the federal government and that the new 
department would need to design and manage tools of public policy to 
engage and work constructively with third parties.[Footnote 31] We have 
also previously testified on the choice and design of public policy 
tools that are available to governments.[Footnote 32] These public 
policy tools include grants, regulations, tax incentives, and regional 
coordination and partnerships to motivate and mandate other levels of 
government or the private sector to address security concerns. Some of 
these tools are already being used, such as in the water and chemical 
sectors.

Without appropriate consideration of public policy tools, private 
sector participation in sector-related information sharing and other 
CIP efforts may not reach its full potential. For example, we reported 
in January 2003[Footnote 33] on the efforts of the financial services 
sector to address cyber threats, including industry efforts to share 
information and to better foster and facilitate sectorwide efforts. We 
also reported on the efforts of federal entities and regulators to 
partner with the financial services industry to protect critical 
infrastructures and to address information security. We found that 
although federal entities had a number of efforts ongoing, Treasury, in 
its role as sector liaison, had not undertaken a comprehensive 
assessment of the potential public policy tools to encourage the 
financial services sector in implementing information sharing and other 
CIP-related efforts. Because of the importance of considering public 
policy tools to encourage private sector participation, we recommended 
that Treasury assess the need for public policy tools to assist the 
industry in meeting the sector's goals. In addition, in February 2003, 
we reported on the mixed progress five ISACs had made in accomplishing 
the activities suggested by PDD 63. We recommended that the responsible 
lead agencies assess the need for public policy tools to encourage 
increased private-sector CIP activities and greater sharing of 
intelligence and incident information between the sectors and the 
federal government.

The President's fiscal year 2004 budget request for the new DHS 
includes $829 million for information analysis and infrastructure 
protection, a significant increase from the estimated $177 million for 
fiscal year 2003. In particular, the requested funding for protection 
includes about $500 million to identify key critical infrastructure 
vulnerabilities and support the necessary steps to ensure that security 
is improved at these sites. Although it also includes almost $300 
million for warning advisories, threat assessments, a communications 
system, and outreach efforts to state and local governments and the 
private sector, additional incentives may still be needed to encourage 
nonfederal entities to increase their CIP efforts.

Consolidating and Standardizing Watch List Structures and Policies:

We recently reported on the terrorist and criminal watch list systems 
maintained by different federal agencies.[Footnote 34] These watch 
lists are important information-sharing tools for securing our nation's 
borders against terrorists. Simply stated, watch lists can be viewed as 
automated databases that are supported by certain analytical 
capabilities. These lists contain various types of data, from 
biographical data-such as a person's name and
date of birth-to biometric data such as fingerprints. Nine federal 
agencies,[Footnote 35] which before the establishment of DHS spanned 
five different cabinet-level departments,[Footnote 36] currently 
maintain 12 terrorist and criminal watch lists. These lists are also 
used by at least 50 federal, state, and local agencies.

We found that the watch lists include overlapping but not identical 
sets of data, and that different policies and procedures govern whether 
and how these data are shared with others. As a general rule, we found 
that this information sharing is more likely to occur among federal 
agencies than between federal agencies and either state and local 
governments agencies or private entities. According to the National 
Strategy for Homeland Security, in the aftermath of the September 11th 
attacks, it became clear that vital watch list information stored in 
numerous and disparate databases was not available to the right people 
at the right time. In particular, federal agencies that maintained 
information about terrorists and other criminals had not consistently 
shared it. The strategy attributed these information-sharing 
limitations to legal, cultural, and technical barriers that resulted in 
the watch lists being developed in different ways, for different 
purposes, and in isolation from one another. To address these 
limitations, the strategy provides for developing a consolidated watch 
list that would bring together the information on known or suspected 
terrorists contained in federal agencies' respective lists.

Further, we found that the extent to which such information sharing is 
accomplished electronically is constrained by fundamental differences 
in the watch lists' systems architecture. Agencies have developed their 
respective watch lists and managed their use in isolation from each 
other, in recognition of each agency's unique legal, cultural, and 
technological environments. The result is inconsistent and limited 
information sharing. We found that federal agencies that shared their 
watch list data with each other had developed and implemented their own 
interfaces with other federal agencies' watch lists. The consequence is 
the kind of overly complex, unnecessarily inefficient and potentially 
ineffective network that is associated with unstructured and 
nonstandard database environments. In particular, this environment 
consists of nine agencies-with 12 watch lists-that collectively 
maintain at least 17 interfaces. A simplified representation of the 
number of watch list interfaces and the complexity of the watch list 
environment is provided in figure 3.

Figure 3: Simplified Overview of the Border Security Process, 
Departments and Agencies Involved, Watch Lists Used, and Sharing Among 
Watch Lists:

[See PDF for image]

[End of figure]

As we recently reported, differences in agencies' cultures have been 
and remain one of the principal impediments to integrating and sharing 
information from watch lists and other information.

Finally, we found that not all of the nine agencies have policies and 
procedures governing the sharing of watch lists. In addition, each 
agency had different policies and procedures on memorandums of 
understanding, ranging from one agency's not specifying any 
requirements to others' specifying in detail that such agreements 
should include how, when, and where information would be shared with 
other parties. We recommended that the Secretary of DHS, in 
collaboration with the heads of other departments and agencies that 
have or use watch lists, lead an effort to consolidate and standardize 
the federal government's watch list structures and policies to promote 
better integration and information sharing. DHS generally agreed with 
our findings and recommendations.

Effective Systems and Processes Need to Be Established to Facilitate 
Information Sharing:

The success of homeland security relies on establishing effective 
systems and processes to facilitate information sharing among 
government entities and the private sector. In February 2003, the Chief 
Information Officer (CIO) of DHS stated that a key goal to protecting 
our nation is to put in place mechanisms that provide the right 
information to the right people all the time. He further stated that IT 
would provide homeland security officials throughout the United States 
with complete awareness of threats and vulnerabilities as well as 
knowledge of the personnel and resources available to conquer those 
threats. We have identified potential barriers and critical success 
factors to information sharing that DHS should consider. Also, in 
addition to the need to develop technological solutions, key management 
issues that DHS must overcome to achieve success include:

* integrating existing IT resources of 22 different agencies,

* making new IT investments,

* ensuring that sensitive information is secured,

* developing secure communications networks,

* developing a performance focus,

* integrating staff from different organizations and ensuring that the 
department has properly skilled staff, and:

* ensuring effective oversight.

Addressing these issues will be critical to establishing the effective 
systems and processes required to facilitate information sharing within 
the new department.

Potential Barriers to Information Sharing:

GAO has previous reported numerous potential barriers to information 
sharing. that DHS faces, examples of which are summarized in table 
5.[Footnote 37] It will be important for the department to understand 
these barriers, consider any related provisions of the Homeland 
Security Act of 2002, and develop appropriate strategies to address 
them.

Table 5: Potential Barriers to Information Sharing:

Where information sharing can potentially break down: Government 
efforts to sponsor research and development efforts to develop new 
homeland security technologies; Why: * Intellectual property concerns 
may affect the willingness to contract with the government, including 
poor definitions of what technical data are needed by the government 
and unwillingness on the part of government officials to exercise the 
flexibilities available to them concerning intellectual property 
rights; * Concerns that inadvertent release of confidential business 
material, such as attempted or successful attacks, gaps in security, or 
trade secrets or proprietary information, could damage reputations, 
lower consumer confidence, hurt competitiveness, and decrease market 
shares of firms.

Where information sharing can potentially break down: Government 
efforts to facilitate data sharing on critical infrastructures; Why: * 
Concerns about potential antitrust violations may keep companies from 
sharing information with other industry partners; * Concerns that 
sharing information with the government could subject data to Freedom 
of Information Act disclosures or expose companies to potential 
liability may also prevent companies from sharing data with government 
agencies; * Reluctance to disclose corporate information.

Where information sharing can potentially break down: Private sector 
efforts to get data from the government on potential vulnerabilities 
and threats; Why: * National security concerns may prevent agencies 
from sharing data with the private sector; * The process of 
declassifying and sanitizing data takes time-possibly too long to be of 
use to private-sector time-critical operations; * Difficulty obtaining 
security clearances for nonfederal personnel; * Quality (specific, 
accurate, and actionable) and timeliness of information received from 
the federal government.

Where information sharing can potentially break down: Coordinating law 
enforcement and intelligence activities; Why: * Law enforcement and 
intelligence agencies may operate in "distinct universes" separated by 
jurisdictional, organizational, and cultural boundaries. At the same 
time, however, roles and responsibilities at different levels of 
government are not always clear and distinct; * Information may be 
considered too sensitive to release to law enforcement colleagues 
because it could compromise source and collection techniques; * 
Certain laws and regulations as well as privacy concerns may prevent 
information sharing between federal agencies, state, and local law 
enforcement agencies; * Insufficient direction about what specific 
steps should be taken when security alert status is increased; * Lack 
of access to databases and problems with interconnectivity may impede 
information sharing between agencies.

Where information sharing can potentially break down: Issuing attack 
warnings and responding to attacks; Why: * Information-sharing 
mechanisms and procedures for warning against attacks, especially 
between different levels of government, may be inadequate; * Roles and 
responsibilities between emergency, rescue, relief, and recovery 
organizations may not always be clear, especially at different levels 
of government.

Source: GAO.

[End of table]

Success Factors for Sharing Information:

In October 2001, we reported on information sharing practices of 
organizations that successfully share sensitive or time-critical 
information.[Footnote 38] We found that these practices include:

* establishing trust relationships with a wide variety of federal and 
nonfederal entities that may be in a position to provide potentially 
useful information and advice on vulnerabilities and incidents;

* developing standards and agreements on how shared information will be 
used and protected;

* establishing effective and appropriately secure communications 
mechanisms; and:

* taking steps to ensure that sensitive information is not 
inappropriately disseminated.

Among the organizations we studied, we found some very good models to 
learn from and build on. For example, CERT/CC is charged with 
establishing a capability to quickly and effectively coordinate 
communication between experts in order to limit damage, responding to 
incidents, and building awareness of security issues across the 
Internet community. In this role, CERT/CC receives Internet security-
related information from system and network administrators, technology 
managers, and policymakers and provides them with this information 
along with guidance and coordination to major security events. Further, 
the Agora is a Seattle-based regional network that at the time of our 
study had over 600 professionals representing various fields, including 
information systems security; law enforcement; local, state, and 
federal governments; engineering; IT; academics; and other specialties. 
Members work to establish confidential ways for organizations to share 
sensitive information about common problems and best practices for 
dealing with security threats. They develop and share knowledge about 
how to protect electronic infrastructures, and they prompt more 
research specific to electronic information systems security.

In addition, we have previously reported on several other key 
considerations in establishing effective information sharing, 
including:

* identifying and agreeing on the types of information to be collected 
and shared between parties,

* developing standard terms and reporting thresholds,

* balancing varying interests and expectations, and:

* determining the right format and standards for collecting data so 
that disparate agencies can aggregate and integrate data sets.

Some efforts have already taken place in these areas. For example, NIPC 
obtained information sharing agreements with most information sharing 
and analysis centers, which included specific reporting thresholds for 
physical and cyber incidents. Also, incident reporting thresholds have 
been publicly issued. It will be important for DHS to incorporate these 
considerations into its information sharing efforts.

Developing Technological Solutions:

Developing and implementing appropriate technological solutions can 
improve the effectiveness and efficiency of information sharing. We 
have previously reported on the lack of connectivity and 
interoperability between databases and technologies important to the 
homeland security effort.[Footnote 39] Databases belonging to federal 
law enforcement agencies and INS, for example, are not connected, and 
databases between state, local, and federal governments are not always 
connected. The technological constraints caused by different system 
architectures that impede the sharing of different agencies' watch 
lists illustrate the widespread lack of interoperability of many 
federal government information systems.

New technologies for data integration and interoperability could enable 
agencies to share information without the need for radical structural 
changes. This would allow the component agencies of DHS to work 
together yet retain a measure of autonomy, thus removing some barriers 
hindering agencies from embracing change. In August 2002,[Footnote 40] 
we reported on various existing technologies that could be more widely 
implemented to facilitate information sharing. We reported that 
Extensible Markup Language (XML) is useful for better information 
sharing. XML is a flexible, nonproprietary set of standards for 
annotating or "tagging" information so that it can be transmitted over 
a network such as the Internet and readily interpreted by disparate 
computer systems. If implemented broadly with consistent data 
definitions and structures, XML offers the promise of making it 
significantly easier for organizations and individuals to identify, 
integrate, and process information that may be widely dispersed among 
systems and organizations. For example, law enforcement agencies could 
potentially better identify and retrieve information about criminal 
suspects from any number of federal, state, and local databases.

We also reported that various technologies could be used to protect 
information in shared databases. For example, data could be protected 
through electronically secured entry technology (ESET). ESET would 
allow users of separate databases to cross check or "mine" data 
securely without directly disclosing their information to others, thus 
allowing agencies to collaborate as well as address their needs for 
confidentiality or privacy. Such technology could, for example, allow 
an airline to cross check a passenger or employee against data held by 
government agencies in a single-step process without actually 
disclosing the data to the airline. In checking an individual, the 
airline would not receive any data from the agencies' databases, rather 
it would receive a "yes or no" type response and/or a referral for 
further action. Additionally, appropriate authorities could 
automatically be notified.

We noted that intrusion detection systems could be used to prevent 
unauthorized users from accessing shared information. Intrusion 
detection uses normal system and network activity data as well as known 
attack patterns. Deviations from normal traffic patterns can help to 
identify potential intruders.

We also observed the need to simplify the process of analyzing 
information to more efficiently and effectively identify information of 
consequence that must be shared. Great emphasis has been placed upon 
data mining and data integration, but the third and perhaps most 
crucial component may be data visualization. The vast amount of 
information potentially available to be mined and integrated must be 
intelligently analyzed, and the results effectively presented, so that 
the right people have the right information necessary to act 
effectively upon such information. This may involve pinpointing the 
relevant anomalies.

Before DHS was established, OHS had already begun several technological 
initiatives to integrate terrorist-related information from databases 
from different agencies responsible for homeland security. These 
included (1) adopting meta-data standards for electronic information so 
that homeland security officials understood what information was 
available and where it could be found and (2) developing data-mining 
tools to assist in identifying patterns of criminal behavior so that 
suspected terrorists could be detained before they could act.

To address these technological challenges, the Homeland Security Act 
emphasized investments in new and emerging technologies to meet some of 
these challenges and established the Science and Technology 
Directorate, making it responsible for establishing and administering 
research and development efforts and priorities to support DHS 
missions.

Improving Information Technology Management:

Improving IT management will be critical to transforming the new 
department. DHS should develop and implement an enterprise 
architecture, or corporate blueprint, to integrate the many existing 
systems and processes required to support its mission. This 
architecture will also guide the department's investments in new 
systems to effectively support homeland security in the coming years. 
Other key IT management capacities that DHS will need to establish 
include investment and acquisition management processes, effective IT 
security, and secure communications networks.

An Enterprise Architecture:

Effectively managing a large and complex endeavor requires, among other 
things, a well-defined and enforced blueprint for operational and 
technological change, commonly referred to as an enterprise 
architecture. Developing, maintaining, and using enterprise 
architectures is a leading practice in engineering both individual 
systems and entire enterprises. Enterprise architectures include 
several components, including a (1) current or "as is" environment, (2) 
target or "to be" environment, and (3) transition plan or strategy to 
move from the current to the target environment. Governmentwide 
requirements for having and using architectures to guide and constrain 
IT investment decisionmaking are also addressed in federal law and 
guidance.[Footnote 41] Our experience with federal agencies has shown 
that attempts to transform IT environments without enterprise 
architectures often result in unconstrained investment and systems that 
are duplicative and ineffective. Moreover, our February 2002 report on 
the federal agencies' use of enterprise architectures found that their 
use of enterprise architectures was a work in progress, with much to be 
accomplished.[Footnote 42]

DHS faces tremendous IT challenges because programs and agencies have 
been brought together in the new department from throughout the 
government, each with their own information systems. It will be a major 
undertaking to integrate these diverse systems to enable effective 
information sharing among themselves, as well as with those outside the 
department.

The Office of Homeland Security has acknowledged that an enterprise 
architecture is an important next step because it can help identify 
shortcomings and opportunities in current homeland-security-related 
operations and systems, such as duplicative, inconsistent, or missing 
information. Furthermore, the President's homeland security strategy 
identifies, among other things, the lack of an enterprise architecture 
as an impediment to DHS's systems interoperating effectively and 
efficiently. Finally, the CIO of DHS has stated that the most important 
function of his office will be to design and help implement a national 
enterprise architecture that will guide the department's investment in 
and use of IT. As part of its enterprise development efforts, the 
department has established working groups comprising state and local 
CIOs to ensure that it understands and represents their business 
processes and strategies relevant to homeland security. In addition, 
OMB, in its current review of DHS's redundant IT for consolidation and 
integration, has taken an initial first step to evaluate DHS's 
component systems.[Footnote 43] The CIO has set two milestones for 
developing the enterprise architecture. By June 2003, he intends to 
complete a baseline inventory of the department's current IT resources 
and business processes, and by August 2003 he intends to complete the 
future enterprise architecture. No target date has been provided for 
the transition plan to move from the current to the target environment.

In June 2002, we recommended that the federal government develop an 
architecture that defined the homeland security mission and the 
information, technologies, and approaches necessary to perform the 
mission in a way that was divorced from organizational parochialism and 
cultural differences.[Footnote 44] Specifically, we recommended that 
the architecture describe homeland security operations in both (1) 
logical terms, such as interrelated processes and activities, 
information needs and flows, and work locations and users, and (2) 
technical terms, such as hardware, software, data, communications, and 
security attributes and performance standards. We observed that a 
particularly critical function of a homeland security architecture 
would be to establish protocols and standards for data collection to 
ensure that data being collected were usable and interoperable and to 
tell people what they needed to collect and monitor.

The CIO Council, OMB, and GAO have collaborated to produce guidance on 
the content, development, maintenance, and implementation of 
architectures that could be used in developing an architecture for 
DHS.[Footnote 45] In April, we issued an executive guide on assessing 
and improving enterprise architecture management that extends this 
guidance.[Footnote 46]

Investment and Acquisition Management Processes:

The Clinger-Cohen Act, federal guidance, and recognized best practices 
provide a framework for organizations to follow to effectively manage 
their IT investments. This involves having a single, corporate approach 
governing how an organization's IT investment portfolio is selected, 
controlled, and evaluated across its various components, including 
assuring that each investment is aligned with the organization's 
enterprise architecture. The lack of effective processes can lead to 
cost, schedule, and performance shortfalls, and in some cases, to 
failed system development efforts. GAO has issued numerous reports on 
agency investment and acquisition management challenges, including INS, 
which have been transferred into DHS.

INS has had long-standing difficulty developing and fielding 
information systems to support its program operations. Since 1990, we 
have reported that INS managers and field officials did not have 
adequate, reliable, and timely information to effectively carry out the 
agency's mission. For example, INS's benefit fraud investigations have 
been hampered by a lack of integrated information systems.[Footnote 47] 
Also, INS's alien address information could not be fully relied on to 
locate many aliens who were believed to be in the country and who might 
have knowledge that would assist the nation in its antiterrorism 
efforts.[Footnote 48] Contributing to this situation was INS's lack of 
written procedures and automated controls to help ensure that reported 
changes of address by aliens are recorded in all of INS's automated 
databases. Our work has identified weaknesses in INS's IT management 
capacities as the root cause of its system problems, and we have made 
recommendations to correct the weaknesses. INS has made progress in 
addressing our recommendations.

In a briefing to the House Appropriations Committee in February, the 
DHS CIO stated that his objective was to develop an IT investment 
review process by March 2003. Moreover, he set March as the milestone 
for finalizing the identification of all of DHS's mission-critical 
applications and February of next year as the milestone for having 
evaluated all major applications and investments in view of 
prioritizing actions to either renew or retire them.

Sound acquisition management is also central to accomplishing the 
department's mission. One of the largest federal departments, DHS will 
potentially have one of the most extensive acquisition requirements in 
government. The new department is expected to acquire a broad range of 
technologies and services from private-sector companies.

Moreover, DHS is faced with the challenge of integrating the 
procurement functions of many of its constituent programs and missions. 
Inherited challenges exist in several of the incoming agencies. For 
example, Customs has major procurement programs under way that must be 
closely managed to ensure that it achieves expectations. Despite some 
progress, we reported that Customs still lacks important acquisition 
management controls.[Footnote 49] For its new import processing system, 
Customs has not begun to establish process controls for determining 
whether acquired software products and services satisfy contract 
requirements before acceptance, nor to establish related controls for 
effective and efficient transfer of acquired software products to the 
support organization responsible for software maintenance. Agreeing 
with one of our recommendations, Customs continues to make progress and 
plans to establish effective acquisition process controls.

Getting the most from its IT investment will depend on how well the 
department manages its acquisition activities. High-level attention to 
strong system and service acquisition management practices is critical 
to ensuring success.

Information Security Challenges:

The Federal Information Security Management Act of 2002 requires 
federal agencies to provide information security protections 
commensurate with the risk and magnitude of the harm resulting from 
unauthorized access, use, disclosure, disruption, modification, or 
destruction of information collected or maintained by or on behalf of 
the agency, and information systems used or operated by an agency or by 
a contractor of an agency or other organization on behalf of an 
agency.[Footnote 50] Further, the Homeland Security Act specifically 
requires DHS to establish procedures to ensure the authorized use and 
the security and confidentiality of information shared with the 
department, including information on threats of terrorism against the 
United States; infrastructure or other vulnerabilities to terrorism; 
and threatened interference with, attack on, compromise of, or 
incapacitation of critical infrastructure or protected systems by 
either physical or computer-based attack. However, establishing an 
effective information security program may present significant 
challenges for DHS, which must bring together programs and agencies 
from throughout the government and integrate their diverse 
communications and information systems to enable effective 
communication and information sharing both within and outside the 
department.

Since 1996, we have reported that poor information security is a 
widespread problem for the federal government with potentially 
devastating consequences.[Footnote 51] Further, we have identified 
information security as a governmentwide high-risk issue in reports to 
the Congress since 1997--most recently in January 2003.[Footnote 52] 
Although agencies have taken steps to redesign and strengthen their 
information system security programs, our analyses of information 
security at major federal agencies have shown that federal systems were 
not being adequately protected from computer-based threats, even though 
these systems process, store, and transmit enormous amounts of 
sensitive data and are indispensable to many federal agency operations. 
For the past several years, we have analyzed audit
results for 24 of the largest federal agencies,[Footnote 53] and our 
latest analyses, of audit reports issued from October 2001 through 
October 2002, continued to show significant weaknesses in federal 
computer systems that put critical operations and assets at 
risk.[Footnote 54] In particular, we found that all 24 agencies had 
weaknesses in security program management, which is fundamental to the 
appropriate selection and effectiveness of the other categories of 
controls and covers a range of activities related to understanding 
information security risks, selecting and implementing controls 
commensurate with risk, and ensuring that the controls implemented 
continue to operate effectively. In addition, we found that 22 of the 
24 agencies had weaknesses in access controls--weaknesses that can make 
it possible for an individual or group to inappropriately modify, 
destroy, or disclose sensitive data or computer programs for purposes 
such as personal gain or sabotage, or in today's increasingly 
interconnected computing environment, can expose an agency's 
information and operations to attacks from remote locations all over 
the world by individuals with only minimal computer and 
telecommunications resources and expertise. In April 2003,[Footnote 55] 
we also reported that many agencies still had not established 
information security programs consistent with requirements originally 
prescribed by government information security reform 
legislation[Footnote 56] and now permanently authorized by the Federal 
Information Security Management Act.

Considering the sensitive and classified information to be maintained 
and shared by DHS, it is critical that the department implement federal 
information security requirements to ensure that its systems are 
appropriately assessed for risk and that adequate controls are 
implemented and working properly. Federal information security 
guidance, such as that issued by the National Institute of Standards 
and Technology (NIST), can aid DHS in this process. For example, NIST 
has issued guidance to help agencies perform self-assessments of their 
information security programs, conduct risk assessments, and use 
metrics to determine the adequacy of in-place security controls, 
policies, and procedures.[Footnote 57] In addition, as we have 
previously reported, agencies need more specific guidance on the 
controls that they need to implement to help ensure adequate 
protection.[Footnote 58] Currently, agencies have wide discretion in 
deciding which computer security controls to implement and the level of 
rigor with which to enforce these controls. One set of specific 
controls will not be appropriate for all types of systems and data, but 
our studies of best practices at leading organizations have shown that 
more specific guidance is important.[Footnote 59] In particular, 
specific mandatory standards for varying risk levels can clarify 
expectations for information protection, including audit criteria; 
provide a standard framework for assessing information security risk; 
help ensure that shared data are appropriately protected; and reduce 
demands for limited resources to independently develop security 
controls. Responding to this need, the Federal Information Security 
Management Act (FISMA) requires NIST to develop, for systems other than 
national security systems, (1) standards to be used by all agencies to 
categorize all of their information and information systems based on 
the objectives of providing appropriate levels of information security 
according to a range of risk levels; (2) guidelines recommending the 
types of information and information systems to be included in each 
category; and (3) minimum information security requirements for 
information and information systems in each category.

DHS has identified implementing its information security program as a 
year one objective. In continuing these efforts, it is important that 
DHS consider establishing processes to annually review its information 
security program and to collect and report data on the program, as 
required by FISMA and OMB.

Secure Communications Networks:

The "Homeland Security Information Sharing Act," included in the 
Homeland Security Act of 2002, provides for the President to prescribe 
and implement procedures for federal agencies to share homeland 
security and classified information with others, such as state and 
local governments, through information sharing systems. Provisions of 
the act depict the type of information to be shared as that which 
reveals a threat of actual or potential attack or other hostile acts. 
Grand jury information; electronic, wire, or oral information; and 
foreign intelligence information are all included in these provisions. 
The National Strategy for Homeland Security also refers to the need for 
a secure intranet to increase the flow of classified federal 
information to state and local entities. According to the strategy, 
this network would provide a more effective way to share information 
about terrorists. The strategy also refers to putting into place a 
secure communications network to allow agencies to share information in 
their existing databases.

To ensure the safe transmittal of sensitive, and, in some cases, 
classified, information vertically among everyone from intelligence 
entities, including the CIA, to local entities, such as those involved 
in emergency response and law enforcement, as well as horizontally 
across the same levels of government, requires developing and 
implementing communications networks with adequate security to protect 
the confidentiality, integrity, and availability of the transmitted 
information. Furthermore, these communications networks must be 
accessible to a variety of parties, from federal agencies to state and 
local government entities and some private entities.

There appear to be many efforts under way to implement secure networks. 
For example, according to the recently published the cyberspace 
security strategy, DHS intends to develop a national cyberspace 
security response system, the Cyber Warning Information Network (CWIN), 
to provide crisis management support to government and non-government 
network operation centers. CWIN is envisioned as providing private and 
secure network communications for both government and industry for the 
purpose of sharing cyber alert and warning information. Moreover, the 
National Communications System, one of the 22 entities that were merged 
into the DHS, has implemented a pilot system, the Global Early Warning 
Information System (GEWIS), which will measure how critical areas of 
the Internet are performing worldwide and then use that data to notify 
government, industry, and allies of impending cyberattacks or possible 
disturbances.

Other agencies are also engaged in efforts to provide homeland security 
networking and information management support for crisis management 
activities. Earlier, in 2001, the President's Advisor for Cyberspace 
Security outlined the high-level functional requirements for a private, 
secure network called GovNet. Department of Defense officials have also 
stated that the Army National Guard's network GuardNet, which was used 
to communicate among the states and the District of Columbia during the 
9/11 terrorist attacks, is being considered for homeland security 
mission support.

It was also recently reported that the Justice Department and the FBI 
are expanding two existing sensitive but unclassified law enforcement 
networks to share homeland security information across all levels of 
government. When fully deployed, their Antiterrorism Information 
Exchange (ATIX) will provide law enforcement agencies at all levels 
access to information. Law enforcement agencies also can use ATIX to 
distribute security alerts to private-sector organizations and public 
officials who lack security clearances. Users, who will have different 
access levels on a need-to-know basis, will include a broad range of 
public safety and infrastructure organizations, including businesses 
that have homeland security concerns and duties. They will have access 
to a secure e-mail system via a secure Intranet, which the FBI and DHS 
will use to deliver alerts to ATIX users. The FBI and other federal 
agencies, including DHS, will link to ATIX via Law Enforcement Online, 
the bureau's system for sensitive-but-unclassified law enforcement data 
that provides an encrypted communications service for law enforcement 
agencies on a virtual private network. The second Department of Justice 
and FBI network, the Multistate Antiterrorism Regional Information 
Exchange System, will enable crime analysts working on terrorism 
investigations to quickly check a broad range of criminal databases 
maintained by federal, state, and local agencies.

In March of this year, it was also reported that DHS's CIO had 
announced that DHS is opening up a network for secure videoconferencing 
to communicate with the nation's governors in the event of another 
terrorist attack. The CIO has also stated that a major initiative in 
implementing the department's IT strategy for providing the right 
information to the right people at all times is establishing the DHS 
Information Sharing Network Pilot project. Moreover, he sets 2005 as a 
milestone for DHS to build a "network of networks." However, no 
specifics on the latter two projects have been provided.

Managing Performance:

As we have previously reported,[Footnote 60] the new department has the 
challenge of developing a national homeland security performance focus, 
which relies on related national and agency strategic and performance 
planning efforts of the OHS, OMB, and the other departments and 
agencies. Indeed, the individual planning activities of the various 
component departments and agencies represent a good start in the 
development of this focus. However, our past work on implementation of 
the Government Performance and Results Act (GPRA) has highlighted 
ongoing difficulty with many federal departments and agencies setting 
adequate performance goals, objectives, and targets. Accordingly, 
attention is needed to developing and achieving appropriate performance 
expectations and measures for information sharing and in ensuring that 
there is linkage between DHS's plans, other agencies' plans, and the 
national strategies regarding information sharing. Ensuring these 
capabilities and linkages will be vital in establishing comprehensive 
planning and accountability mechanisms that will not only guide DHS's 
efforts but also help assess how well they are really working.

As we previously reported to this committee,[Footnote 61] one of the 
barriers the new department faces in establishing effective homeland 
security is interagency cooperation, which is largely attributed to 
"turf" issues among the 22 component agencies subsumed by the new 
department. Strong and sustained commitment of agency leaders would 
provide performance incentives to managers and staff to break down 
cultural resistance and encourage more effective information sharing 
pertaining to homeland security. Moreover, agency leaders have a wide 
range of tools at their disposal for enforcing and rewarding 
cooperative efforts, including performance bonuses for senior 
executives and incentive award programs for staff.

Our studies of other cross-cutting federal services with similar "turf" 
problems have also shown that agency performance plans, which are 
required by GPRA, offer a good avenue for developing incentives to 
cooperate. Specifically, agencies can set up goals in their performance 
plans for participation in cross-cutting programs and report on their 
progress in meeting these goals to Congress. Congress could also build 
similar incentives into budget resolutions.

Shared programmatic goals and metrics would also encourage cooperation 
and coordination. Agencies subsumed by DHS should all participate in 
the development of goals, milestones, and metrics to measure progress 
and success, and such indicators should be clearly articulated and 
endorsed by senior management. Such goals and metrics must be carefully 
chosen since how performance is measured greatly influences the nature 
of the performance itself; poorly chosen metrics may lead to unintended 
or counter-productive results. However, visible, clearly articulated 
and carefully chosen shared goals and metrics can effectively overcome 
"turf" issues. Developing metrics to measure the success of these 
activities is critical to ensuring a successful effort. Similar 
indicators more directly related to information sharing could be 
developed.

Emphasizing Human Capital:

Human capital is another critical ingredient required for ensuring 
successful information sharing for homeland security. The cornerstones 
to effective human capital planning include leadership; strategic human 
capital planning; acquiring, developing, and retaining talent; and 
building results-oriented organizational cultures. The homeland 
security and intelligence communities must include these factors in 
their management approach in order to benefit from effective 
collaboration in this critical time.

As we have previously reported, the government-wide increase in 
homeland security activities has created a demand for personnel with 
skills in areas such as IT, foreign language proficiencies, and law 
enforcement, without whom critical information has less chance of being 
shared, analyzed, integrated, and disseminated in a timely, effective 
manner.[Footnote 62] We specifically reported that shortages in 
staffing at some agencies had exacerbated backlogs in intelligence and 
other information, adversely affecting agency operations and hindering 
U.S. military, law enforcement, intelligence, counterterrorism, and 
diplomatic efforts.[Footnote 63]

We have also previously reported that some of the agencies that moved 
into DHS have long-standing human capital problems that will need to be 
addressed. One of these challenges has been the ability to hire and 
retain a talented and motivated staff. For example, we reported that 
INS has been unable to reach its program goals in large part because of 
such staffing problems as hiring shortfalls and agent 
attrition.[Footnote 64] We also reported that several INS functions 
have been affected by the lack of a staff resource allocation model to 
identify staffing needs.[Footnote 65] We concluded then that it was 
likely that increased attention to the enforcement of immigration laws 
and border control would test the capacity of DHS to hire large numbers 
of inspectors for work at our nation's border entry points. Moreover, 
we reported that other agencies being integrated into DHS were also 
expected to experience challenges in hiring security workers and 
inspectors. For example, we reported
that the Agriculture Department, the Customs Service, INS, and other 
agencies were all seeking simultaneously to increase the size of their 
inspections staffs.[Footnote 66]

To overcome its significant human capital shortfalls, DHS must develop 
a comprehensive strategy capable of ensuring that the new department 
can acquire, develop, and retain the skills and talents needed to 
prevent and protect against terrorism. This requires identifying skill 
needs; attracting people with scarce skills into government jobs; 
melding diverse compensation systems to support the new department's 
many needs; and establishing a performance-oriented, accountable 
culture that promotes employee involvement and empowerment. In 
February, the DHS CIO acknowledged the lack of properly skilled IT 
staff within the component agencies. Challenges facing DHS in this 
area, he stated, include overcoming political and cultural barriers, 
leveraging cultural beliefs and diversity to achieve collaborative 
change, and recruiting and retaining skilled IT workers. He 
acknowledged that the department would have to evaluate the talent and 
skills of its IT workforce to identify existing skill gaps. He further 
stated that a critical component of DHS's IT strategic plan would 
address the actions needed to train, reskill, or acquire the necessary 
skills to achieve a world-class workforce. He committed to working 
closely with the department's Chief Human Capital Officer and with the 
Office of Personnel Management to achieve this goal. He set July 2003 
as a milestone for developing a current inventory of IT skills, 
resources, and positions and September 2003 as the targeted date for 
developing an action plan.

Ensuring Institutional Oversight:

It is important to note that accountability is also a critical factor 
in ensuring the success of the new department. The oversight entities 
of the executive branch-including the Inspectors General, OMB and OHS-
have a vital role to play in ensuring expected performance and 
accountability. Likewise, congressional committees and GAO, as the 
investigative arm of the legislative branch, with their long-term and 
broad institutional roles, also have roles to play in overseeing that 
the new department meets the demands of its homeland security mission.

:

In conclusion, our country is at a critical point in its history where 
information sharing with and between all levels of government and the 
private sector must become an integral part of everyday operations if 
we are to be able to identify terrorist threats and protect against 
attack. As such, information sharing is an essential part of DHS's 
responsibilities and is critical to achieving its mission. To implement 
these responsibilities, DHS will need to develop effective information 
sharing systems and other information sharing mechanisms, as well as 
develop strategies to address other challenges in establishing its 
organization and information architecture and in developing effective 
working relationships, cooperation, and trust with other federal 
agencies, state and local governments, and the private sector.

Mr. Chairman, this concludes my statement. I would be happy to answer 
any questions that you or members of the committee may have at this 
time.

Contacts and Acknowledgement:

If you should have any questions about this testimony, please contact 
Robert F. Dacey at (202) 512-3317 or daceyr@gao.gov or Randolph C. Hite 
at (202) 512-3439 or hiter@gao.gov.

(310191):

FOOTNOTES

[1] The White House, The National Strategy for Homeland Security 
(Washington, D.C.: July 2002); The National Strategy to Secure 
Cyberspace (Washington, D.C.: February 2003); The National Strategy for 
the Physical Protection of Critical Infrastructures and Key Assets 
(Washington, D.C.: February 2003); and The National Strategy for 
Combating Terrorism (Washington, D.C.: February 2003).

[2] Public Law 107-296.

[3] Watch lists are automated databases that contain various types of 
data on individuals, from biographical data--such as a person's name 
and date of birth--to biometric data such as fingerprints.

[4] A weapon of mass destruction is a chemical, biological, 
radiological, or nuclear agent or weapon. 

[5] Testimony of Director of Central Intelligence George J. Tenet 
before Senate Select Committee on Intelligence on The Worldwide Threat 
2003: Evolving Dangers in a Complex World (Feb. 11, 2003).

[6] Virus: a program that "infects" computer files, usually executable 
programs, by inserting a copy of itself into the file. These copies are 
usually executed when the "infected" file is loaded into memory, 
allowing the virus to infect other files. Unlike the computer worm, a 
virus requires human involvement (usually unwitting) to propagate. 
Trojan horse: a computer program that conceals harmful code. A Trojan 
horse usually masquerades as a useful program that a user would wish to 
execute. Worm: an independent computer program that reproduces by 
copying itself from one system to another across a network. Unlike 
computer viruses, worms do not require human involvement to propagate. 
Logic bomb: in programming, a form of sabotage in which a programmer 
inserts code that causes the program to perform a destructive action 
when some triggering event occurs, such as terminating the programmer's 
employment. Sniffer: synonymous with packet sniffer. A program that 
intercepts routed data and examines each packet in search of specified 
information, such as passwords transmitted in clear text. 

[7] The CERT Coordination Center (CERT/CC) is a center of Internet 
security expertise at the Software Engineering Institute, a federally 
funded research and development center operated by Carnegie Mellon 
University.

[8] "Administrative Oversight: Are We Ready for A Cyber Terror Attack?" 
Testimony before the Senate Committee on the Judiciary, Subcommittee on 
Administrative Oversight and the Courts, by Richard A. Clarke, Special 
Advisor to the President for Cyberspace Security and Chairman of the 
President's Critical Infrastructure Protection Board (Feb. 13, 2002).

[9] Testimony of George J. Tenet, Director of Central Intelligence, 
before the Senate Select Committee on Intelligence, Feb. 6, 2002.

[10] Testimony of Richard D. Pethia, Director, CERT Centers, Software 
Engineering Institute, Carnegie Mellon University, before the House 
Committee on Government Reform, Subcommittee on Government Efficiency, 
Financial Management and Intergovernmental Relations, Nov. 19, 2002.

[11] National Infrastructure Protection Center, Swarming Attacks: 
Infrastructure Attacks for Destruction and Disruption (Washington, 
D.C.: July 2002).

[12] The Homeland Security Advisory System uses five levels (Severe, 
High, Elevated, Guarded, and Low) to inform federal, state, and local 
government agencies and authorities, the private sector, and the public 
of the nation's terrorist threat conditions. 

[13] U.S. General Accounting Office, Information Security Progress 
Made, But Challenges Remain to Protect Federal Systems and the Nation's 
Critical Infrastructures, GAO-03-564T (Washington, D.C.: Apr. 8, 2003).

[14] GAO-03-564T.

[15] U.S. General Accounting Office, Critical Infrastructure 
Protection: Federal Efforts Require a More Coordinated and 
Comprehensive Approach for Protecting Information Systems, GAO-02-474 
(Washington, D.C.: July 15, 2002).

[16] U.S. General Accounting Office, Information Technology: Terrorist 
Watch Lists Should Be Consolidated to Promote Better Integration and 
Sharing, GAO-03-322 (Washington, D.C: Apr. 15, 2003). 

[17] U.S. General Accounting Office, Information Security: Serious 
Weaknesses Place Critical Federal Operations and Assets at Risk, GAO/
AIMD-98-92 (Washington, D.C.: Sept. 23, 1998).

[18] U.S. General Accounting Office, Combating Terrorism: Selected 
Challenges and Related Recommendations, GAO-01-822 (Washington, D.C.: 
Sept. 20, 2001).

[19] GAO-02-474.

[20] U.S. General Accounting Office, Critical Infrastructure 
Protection: Challenges for Selected Agencies and Industry Sectors, GAO-
03-233 (Washington, D.C.: Feb. 28, 2003).

[21] The Uniting and Strengthening America by Providing Appropriate 
Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act, 
Public Law No. 107-56, October 26, 2001. 

[22] U.S. General Accounting Office, Critical Infrastructure 
Protection: Significant Challenges in Developing National 
Capabilities, GAO-01-323 (Washington, D.C.: April. 24, 2001). 

[23] The Federal Computer Incident Response Center has been 
incorporated into the new Department of Homeland Security (DHS).

[24] Testimony of Kenneth C. Watson, President, Partnership for 
Critical Infrastructure Security, before the Subcommittee on Oversight 
and Investigation of the Energy and Commerce Committee, U.S. House of 
Representatives, July 9, 2002.

[25] U. S. General Accounting Office, Homeland Security: Voluntary 
Initiatives Are Under Way at Chemical Facilities, but the Extent of 
Security Preparedness is Unknown, GAO-03-439 (Washington D.C.: Mar. 14, 
2003).

[26] GAO-01-323.

[27] Pursuant to the Homeland Security Act of 2002, the functions of 
NIPC (except for computer investigations and operations) were 
transferred over to DHS from the FBI. 

[28] The center was formed from elements of the Department of Homeland 
Security, the FBI's Counterterrorism Division, the Director of Central 
Intelligence's Counterterrorist Center, and the Department of Defense. 

[29] The White House, Fact Sheet: Strengthening Intelligence to Better 
Protect America (Washington, D.C.: Jan. 28, 2003).

[30] Testimony of Robert S. Mueller, III, Director Federal Bureau of 
Investigation, before the Subcommittee for the Departments of Commerce, 
Justice, and State, the Judiciary, and Related Agencies, Committee on 
Appropriations, U.S. House of Representatives, June 21, 2002.

[31] U.S. General Accounting Office, Homeland Security: Proposal for 
Cabinet Agency Has Merit, But Implementation Will Be Pivotal to 
Success, GAO-01-886T (Washington, D.C.: June 25, 2002).

[32] U.S. General Accounting Office, Combating Terrorism: Enhancing 
Partnerships Through a National Preparedness Strategy, GAO-02-549T 
(Washington, D.C.: Mar. 28, 2002).

[33] U.S. General Accounting Office, Critical Infrastructure 
Protection: Efforts of the Financial Services Sector to Address Cyber 
Threats, GAO-03-173 (Washington, D.C.: Jan. 30, 2003).

[34] GAO-03-322.

[35] The nine agencies are the State Department's Bureau of 
Intelligence and Research and Bureau of Consular Affairs; the Justice 
Department's Federal Bureau of Investigation, Immigration and 
Naturalization Service, U.S. Marshals Service, and the U.S. National 
Central Bureau for Interpol; the Department of Defense's Air Force 
Office of Special Investigations; the Transportation Department's 
Transportation Security Administration; and the Treasury Department's 
U.S. Customs Service. Of these, the Immigration and Naturalization 
Service, the Transportation Security Administration, and the U.S. 
Customs Service have been incorporated into the new DHS. 

[36] These departments are the Departments of State, Treasury, 
Transportation, Justice, and Defense.

[37] U.S. General Accounting Office, National Preparedness: Integrating 
New and Existing Technology and Information Sharing into an Effective 
Homeland Security Strategy, GAO-02-811T (Washington, D.C.: June 7, 
2002), GAO-02-24, and GAO-03-233.

[38] U.S. General Accounting Office, Information Sharing: Practices 
That Can Benefit Critical Infrastructure Protection, GAO-02-24 
(Washington, D.C.: Oct. 15, 2001).

[39] GAO-02-811T 

[40] U.S. General Accounting Office, National Preparedness: Technology 
and Information Sharing Challenges, GAO-02-1048R (Washington, D.C.: 
Aug. 30, 2002).

[41] U.S. General Accounting Office, Business Systems Modernization: 
Longstanding Management and Oversight Weaknesses Continue to Put 
Investments at Risk, GAO-03-553T (Washington, D.C.: Mar. 31, 2003).

[42] U.S, General Accounting Office, Information Technology: Enterprise 
Architecture Use across the Federal Government Can Be Improved, GAO-02-
6 (Washington, D.C.: Feb.19, 2002).

[43] Office of Management and Budget, Reducing Redundant IT 
Infrastructure Related to Homeland Security, Memorandum for the Heads 
of Selected Departments and Agencies, July 19, 2002, M-02-12.

[44] GAO-02-811T. 

[45] See Chief Information Officer Council, A Practical Guide to 
Federal Enterprise Architecture, Version 1.0, (Washington, D.C.: Feb. 
2001).

[46] U.S. General Accounting Office, Information Technology: A 
Framework for Assessing and Improving Enterprise Architecture 
Management (Version 1.1), GAO-03-584G (Washington, D.C.: Apr. 2003). 

[47] U.S. General Accounting Office, Immigration Benefit Fraud: Focused 
Approach Is Needed to Address Problems, GAO-02-66 (Washington, D.C.: 
Jan. 31, 2002).

[48] U.S. General Accounting Office, Homeland Security: INS Cannot 
Locate Many Aliens Because It Lacks Reliable Address Information, GAO-
03-188 (Washington, D.C.: Nov. 21, 2002).

[49] U.S. General Accounting Office, Customs Service Modernization: 
Management Improvements Needed on High-Risk Automated Commercial 
Environment Project, GAO-02-545 (Washington, D.C.: May 13, 2002).

[50] Title III--Federal Information Security Management Act of 2002, E-
Government Act of 2002, P.L. 107-347, December 17, 2002. This act 
superseded an earlier version of FISMA that was enacted as Title X of 
the Homeland Security Act of 2002. 

[51] U.S. General Accounting Office, Information Security: 
Opportunities for Improved OMB Oversight of Agency Practices, GAO/
AIMD-96-110 (Washington, D.C.: Sept. 24, 1996).

[52] U.S. General Accounting Office, High-Risk Series: Protecting 
Information Systems Supporting the Federal Government and the Nation's 
Critical Infrastructures, GAO-03-121 (Washington, D.C.: January 2003).

[53] U.S. General Accounting Office, Information Security: Serious 
Weaknesses Place Critical Federal Operations and Assets at Risk, GAO/
AIMD-98-92 (Washington, D.C.: Sept. 23, 1998); Information Security: 
Serious and Widespread Weaknesses Persist at Federal Agencies, GAO/
AIMD-00-295 (Washington, D.C.: Sept. 6, 2000); Computer Security: 
Improvements Needed to Reduce Risk to Critical Federal Operations and 
Assets, GAO-02-231T (Washington, D.C.: Nov. 9, 2001), and Computer 
Security: Progress Made, but Critical Federal Operations and Assets 
Remain at Risk, GAO-02-303T (Washington, D.C.: Nov. 19, 2002).

[54] GAO-03-303T.

[55] GAO-03-564T.

[56] Title X, Subtitle G--Government Information Security Reform, Floyd 
D. Spence National Defense Authorization Act for Fiscal Year 2001, 
P.L.106-398, October 30, 2000.

[57] National Institute of Standards and Technology, Security Self-
Assessment Guide for Information Technology Systems, NIST Special 
Publication 800-26, November 2001; Risk Management Guide for 
Information Technology Systems - Recommendations of the National 
Institute of Standards and Technology, Special Publication 800-30, 
January 2002; Security Metrics Guide for Information Technology 
Systems, NIST Draft Special Publication 800-55 (October 2002).

[58] GAO-03-121.

[59] U.S. General Accounting Office, Information Security Management: 
Learning From Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.: 
May 1998).

[60] U.S. General Accounting Office, Major Management Challenges and 
Program Risks: Department of Homeland Security, GAO-03-102 (Washington, 
D.C.: January 2003).

[61] GAO-02-1048R.

[62] GAO-02-1122T.

[63] U.S. General Accounting Office, Foreign Languages: Human Capital 
Approach Needed to Correct Staffing and Proficiency Shortfalls, GAO-02-
375 (Washington, D.C.: January 2002).

[64] U.S. General Accounting Office, Immigration Enforcement: 
Challenges to Implementing the INS Interior Enforcement Strategy, GAO-
02-861T (Washington, D.C.: June 19, 2002).

[65] U.S. General Accounting Office, Immigration and Naturalization 
Service: Overview of Recurring Management Challenges, GAO-02-168T 
(Washington, D.C.: Oct. 17, 2001).

[66] GAO-03-260.