GAO-10-834T, Cybersecurity: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats


This is the accessible text file for GAO report number GAO-10-834T 
entitled 'Cybersecurity: Continued Attention Is Needed to Protect 
Federal Information Systems from Evolving Threats' which was released 
on June 16, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Testimony: 

Before the Committee on Homeland Security, House of Representatives: 

United States Government Accountability Office: 
GAO: 

For Release on Delivery: 
Expected at 10:00 a.m. EDT:
Wednesday, June 16, 2010: 

Cybersecurity: 

Continued Attention Is Needed to Protect Federal Information Systems 
from Evolving Threats: 

Statement of Gregory C. Wilshusen, Director: 
Information Security Issues: 

GAO-10-834T: 

GAO Highlights: 

Highlights of GAO-10-834T, a testimony before the Committee on 
Homeland Security, House of Representatives. 

Why GAO Did This Study: 

Pervasive and sustained cyber attacks continue to pose a potentially 
devastating threat to the systems and operations of the federal 
government. In recent testimony, the Director of National Intelligence 
highlighted that many nation states, terrorist networks, and organized 
criminal groups have the capability to target elements of the United 
States information infrastructure for intelligence collection, 
intellectual property theft, or disruption. In July 2009, press 
accounts reported attacks on Web sites operated by major government 
agencies. The ever-increasing dependence of federal agencies on 
information systems to carry out essential, everyday operations can 
make them vulnerable to an array of cyber-based risks. Thus it is 
increasingly important that the federal government carry out a 
concerted effort to safeguard its systems and the information they 
contain. 

GAO is providing a statement describing (1) cyber threats to federal 
information systems and cyber-based critical infrastructures, (2) 
control deficiencies that make federal systems vulnerable to those 
threats, and (3) opportunities that exist for improving federal 
cybersecurity. In preparing this statement, GAO relied on its 
previously published work in this area. 

What GAO Found: 

Cyber-based threats to federal systems and critical infrastructure are 
evolving and growing. These threats can come from a variety of 
sources, including criminals and foreign nations, as well as hackers 
and disgruntled employees. These potential attackers have a variety of 
techniques at their disposal, which can vastly enhance the reach and 
impact of their actions. For example, cyber attackers do not need to 
be physically close to their targets, their attacks can easily cross 
state and national borders, and cyber attackers can easily preserve 
their anonymity. Further, the interconnectivity between information 
systems, the Internet, and other infrastructure presents increasing 
opportunities for such attacks. Consistent with this, reports of 
security incidents from federal agencies are on the rise, increasing 
by over 400 percent from fiscal year 2006 to fiscal year 2009. 

Compounding the growing number and kinds of threats, GAO—along with 
agencies’ internal assessments—has identified significant deficiencies 
in the security controls on federal information systems, which have 
resulted in pervasive vulnerabilities. These include weaknesses in the 
security of both financial and non-financial systems and information, 
including vulnerabilities in critical federal systems. These 
deficiencies continue to place federal assets at risk of inadvertent 
or deliberate misuse, financial information at risk of unauthorized 
modification or destruction, and critical operations at risk of 
disruption. 

Multiple opportunities exist to improve federal cybersecurity. To 
address identified deficiencies in agencies’ security controls and 
shortfalls in their information security programs, GAO and agency 
inspectors general have made hundreds of recommendations over the past 
several years, many of which agencies are implementing. In addition, 
the White House, the Office of Management and Budget, and certain 
federal agencies have undertaken several governmentwide initiatives 
intended to enhance information security at federal agencies. While 
progress has been made on these initiatives, they all face challenges 
that require sustained attention, and GAO has made several 
recommendations for improving the implementation and effectiveness of 
these initiatives. Further, the Department of Homeland Security also 
needs to fulfill its key cybersecurity responsibilities, such as 
developing capabilities for ensuring the protection of cyber-based 
critical infrastructures and implementing lessons learned from a major 
cyber simulation exercise. Finally, a GAO-convened panel of experts 
has made several recommendations for improving the nation’s 
cybersecurity strategy. Realizing these opportunities for improvement 
can help ensure that the federal government’s systems, information, 
and critical cyber-based infrastructures are effectively protected. 

View [hyperlink, http://www.gao.gov/products/GAO-10-834T] or key 
components. For more information, contact Gregory C. Wilshusen at 
(202) 512-6244 or wilshuseng@gao.gov. 

[End of section] 

Chairman Thompson and Members of the Committee: 

Thank you for the opportunity to testify at today's hearing on 
cybersecurity regarding our recent work on challenges facing federal 
efforts to protect systems and critical infrastructure from cyber-
based threats. 

Pervasive and sustained cyber attacks against the United States 
continue to pose a potentially devastating impact on federal systems 
and operations. In February 2010, the Director of National 
Intelligence testified that many nation states, terrorist networks, 
and organized criminal groups have the capability to target elements 
of the U.S. information infrastructure for intelligence collection, 
intellectual property theft, or disruption.[Footnote 1] As recently as 
July 2009, press accounts reported that a widespread and coordinated 
attack over the course of several days targeted Web sites operated by 
major government agencies, including the Departments of Homeland 
Security and Defense, the Federal Aviation Administration, and the 
Federal Trade Commission, causing disruptions to the public 
availability of government information. Such attacks highlight the 
importance of developing a concerted response to safeguard federal 
information systems. 

In my testimony today, I will describe (1) cyber threats to federal 
information systems and cyber-based critical infrastructures, (2) 
control deficiencies that make federal systems vulnerable to those 
threats, and (3) opportunities that exist for improving federal 
cybersecurity. In preparing this statement in June 2010, we relied on 
our previous reports on federal information security. These reports 
contain detailed overviews of the scope and methodology we used. The 
work on which this statement is based was performed in accordance with 
generally accepted government auditing standards. Those standards 
require that we plan and perform audits to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings 
and conclusions based on our audit objectives. We believe that the 
evidence obtained provided a reasonable basis for our findings and 
conclusions based on our audit objectives. 

Background: 

As computer technology has advanced, federal agencies have become 
dependent on computerized information systems to carry out their 
operations and to process, maintain, and report essential information. 
Virtually all federal operations are supported by automated systems 
and electronic data, and agencies would find it difficult, if not 
impossible, to carry out their missions without these information 
assets. Information security is thus critically important. Conversely, 
ineffective information security controls can result in significant 
risks. Examples of such risks include the following: 

* Resources, such as federal payments and collections, could be lost 
or stolen. 

* Sensitive information, such as national security information, 
taxpayer data, Social Security records, medical records, and 
proprietary business information, could be inappropriately accessed 
and used for identity theft or espionage. 

* Critical operations, such as those supporting critical 
infrastructure, national defense, and emergency services could be 
disrupted. 

* Agency missions could be undermined by embarrassing incidents that 
result in diminished confidence in the ability of federal 
organizations to conduct operations and fulfill their responsibilities. 

Federal Systems and Infrastructures Face Increasing Cyber Threats: 

Threats to federal information systems and cyber-based critical 
infrastructures are evolving and growing. Government officials are 
concerned about attacks from individuals and groups with malicious 
intent, such as criminals, terrorists, and foreign nations. Federal 
law enforcement and intelligence agencies have identified multiple 
sources of threats to our nation's critical information systems, 
including foreign nations engaged in espionage and information 
warfare, criminals, hackers, virus writers, and disgruntled employees 
and contractors. 

These groups and individuals have a variety of attack techniques at 
their disposal. Furthermore, as we have previously reported,[Footnote 
2] the techniques have characteristics that can vastly enhance the 
reach and impact of their actions, such as the following: 

* Attackers do not need to be physically close to their targets to 
perpetrate a cyber attack. 

* Technology allows actions to easily cross multiple state and 
national borders. 

* Attacks can be carried out automatically, at high speed, and by 
attacking a vast number of victims at the same time. 

* Attackers can easily remain anonymous. 

The connectivity between information systems, the Internet, and other 
infrastructures creates opportunities for attackers to disrupt 
telecommunications, electrical power, and other critical services. As 
government, private sector, and personal activities continue to move 
to networked operations, the threat will continue to grow. 

Reported Security Incidents Are on the Rise: 

Consistent with the evolving and growing nature of the threats to 
federal systems, agencies are reporting an increasing number of 
security incidents. These incidents put sensitive information at risk. 
Personally identifiable information about U.S. citizens has been lost, 
stolen, or improperly disclosed, thereby potentially exposing those 
individuals to loss of privacy, identity theft, and financial crimes. 
Reported attacks and unintentional incidents involving critical 
infrastructure systems demonstrate that a serious attack could be 
devastating. Agencies have experienced a wide range of incidents 
involving data loss or theft, computer intrusions, and privacy 
breaches, underscoring the need for improved security practices. 

When incidents occur, agencies are to notify the Department of 
Homeland Security's (DHS) federal information security incident 
center--the United States Computer Emergency Readiness Team (US-CERT). 
As shown in figure 1, the number of incidents reported by federal 
agencies to US-CERT has increased dramatically over the past 4 years, 
from 5,503 incidents reported in fiscal year 2006 to about 30,000 
incidents in fiscal year 2009 (over a 400 percent increase). 

Figure 1: Incidents Reported to US-CERT in Fiscal Years 2006 through 
2009: 

[Refer to PDF for image: vertical bar graph] 

Year: 2006; 
Incidents: 5,503. 

Year: 2007; 
Incidents: 11,911. 

Year: 2008; 
Incidents: 16,843. 

Year: 2009; 
Incidents: 29,999. 

Source: GAO analysis of US-CERT data. 

[End of figure] 

The four most prevalent types of incidents and events reported to US- 
CERT during fiscal year 2009 were: (1) malicious code (software that 
infects an operating system or application), (2) improper usage (a 
violation of acceptable computing use policies), (3) unauthorized 
access (where an individual gains logical or physical access to a 
system without permission), and (4) investigation (unconfirmed 
incidents that are potentially malicious or anomalous activity deemed 
by the reporting entity to warrant further review). 

Vulnerabilities Pervade Federal Information Systems: 

The growing threats and increasing number of reported incidents 
highlight the need for effective information security policies and 
practices. However, serious and widespread information security 
control deficiencies continue to place federal assets at risk of 
inadvertent or deliberate misuse, financial information at risk of 
unauthorized modification or destruction, sensitive information at 
risk of inappropriate disclosure, and critical operations at risk of 
disruption. GAO has designated information security as a high-risk 
area in the federal government since 1997. 

In their fiscal year 2009 performance and accountability reports, 21 
of 24 major federal agencies noted that inadequate information system 
controls over their financial systems and information were either a 
material weakness or a significant deficiency.[Footnote 3] 

Similarly, our audits have identified control deficiencies in both 
financial and nonfinancial systems, including vulnerabilities in 
critical federal systems. For example, we reported in September 2008 
[Footnote 4] that, although the Los Alamos National Laboratory--one of 
the nation's weapons laboratories--implemented measures to enhance the 
information security of its unclassified network, vulnerabilities 
continued to exist in several critical areas. Similarly, in October 
2009[Footnote 5] we reported that the National Aeronautics and Space 
Administration (NASA)--the civilian agency that oversees U.S. 
aeronautical and space activities--had not always implemented 
appropriate controls to sufficiently protect the confidentiality, 
integrity, and availability of the information and systems supporting 
its mission directorates. 

Opportunities Exist for Enhancing Federal Cybersecurity: 

Over the past several years, we and agency inspectors general have 
made hundreds of recommendations to agencies for actions necessary to 
resolve prior significant control deficiencies and information 
security program shortfalls. For example, we recommended that agencies 
correct specific information security deficiencies related to user 
identification and authentication, authorization, boundary 
protections, cryptography, audit and monitoring, physical security, 
configuration management, segregation of duties, and contingency 
planning. We have also recommended that agencies fully implement 
comprehensive, agencywide information security programs by correcting 
weaknesses in risk assessments, information security policies and 
procedures, security planning, security training, system tests and 
evaluations, and remedial actions. The effective implementation of 
these recommendations will strengthen the security posture at these 
agencies. Agencies have implemented or are in the process of 
implementing many of our recommendations. 

In addition, the White House, OMB, and certain federal agencies have 
undertaken several governmentwide initiatives that are intended to 
enhance information security at federal agencies. However, these 
initiatives face challenges that require sustained attention: 

* Comprehensive National Cybersecurity Initiative (CNCI): In January 
2008, President Bush initiated a series of 12 projects aimed primarily 
at improving the Department of Homeland Security's (DHS) and other 
federal agencies' efforts to protect against intrusion attempts and 
anticipate future threats.[Footnote 6] The initiative is intended to 
reduce vulnerabilities, protect against intrusions, and anticipate 
future threats against federal executive branch information systems. 
As we recently reported,[Footnote 7] the White House and federal 
agencies have established interagency groups to plan and coordinate 
CNCI activities. However, the initiative faces challenges in achieving 
its objectives related to securing federal information, including 
better defining agency roles and responsibilities, establishing 
measures of effectiveness, and establishing an appropriate level of 
transparency. Until these challenges are adequately addressed, there 
is a risk that CNCI will not fully achieve its goals. 

* Federal Desktop Core Configuration (FDCC): For this initiative, OMB 
directed agencies that have workstations with Windows XP and/or 
Windows Vista operating systems to adopt security configurations 
developed by the National Institute of Standards and Technology, the 
Department of Defense, and DHS. The goal of this initiative is to 
improve information security and reduce overall information technology 
operating costs. We recently reported[Footnote 8] that while agencies 
have taken actions to implement FDCC requirements, none of the 
agencies has fully implemented all configuration settings on their 
applicable workstations. In our report we recommended that OMB, among 
other things, issue guidance on assessing the risks of agencies having 
deviations from the approved settings and monitoring compliance with 
FDCC. 

* Einstein: This is a computer network intrusion detection system that 
analyzes network flow information from participating federal agencies 
and is intended to provide a high-level perspective from which to 
observe potential malicious activity in computer network traffic. We 
recently reported[Footnote 9] that as of September 2009, fewer than 
half of the 23 agencies reviewed had executed the required agreements 
with DHS, and Einstein 2 had been deployed to 6 agencies. Agencies 
that participated in Einstein 1 cited improved identification of 
incidents and mitigation of attacks, but determining whether the 
initiative is meeting its objectives will likely remain difficult 
because DHS lacks performance measures that address how agencies 
respond to alerts. 

* Trusted Internet Connections (TIC) Initiative: This is an effort 
designed to optimize individual agency network services through a 
common solution for the federal government. The initiative is to 
facilitate the reduction of external connections, including Internet 
points of presence. We recently reported[Footnote 10] that none of the 
23 agencies we reviewed met all of the requirements of the TIC 
initiative, and most agencies experienced delays in their plans for 
reducing and consolidating connections. However, most agencies 
reported that they have made progress toward reducing and 
consolidating their external connections and implementing security 
capabilities. 

DHS Needs to Fully Satisfy Its Cybersecurity Responsibilities: 

Federal law and policy[Footnote 11] establish DHS as the focal point 
for efforts to protect our nation's computer-reliant critical 
infrastructures[Footnote 12]--a responsibility known as cyber critical 
infrastructure protection, or cyber CIP. We have reported since 2005 
that DHS has yet to fully satisfy its key responsibilities for 
protecting these critical infrastructures. Our reports included 
recommendations that are essential for DHS to address in order to 
fully implement its responsibilities. We summarized these 
recommendations into key areas listed in table 1. 

Table 1: Key Cybersecurity Areas Identified by GAO: 

1. Bolstering cyber analysis and warning capabilities. 

2. Improving cybersecurity of infrastructure control systems. 

3. Strengthening DHS's ability to help recover from Internet 
disruptions. 

4. Reducing organizational inefficiencies. 

5. Completing actions identified during cyber exercises. 

6. Developing sector-specific plans that fully address all of the 
cyber-related criteria. 

7. Securing internal information systems. 

Source: GAO. 

[End of table] 

DHS has since developed and implemented certain capabilities to 
satisfy aspects of its responsibilities, but the department still has 
not fully implemented our recommendations, and thus further action 
needs to be taken to address these areas. For example, in July 2008, 
we reported[Footnote 13] that DHS's US-CERT did not fully address 15 
key attributes of cyber analysis and warning capabilities related to 
(1) monitoring network activity to detect anomalies, (2) analyzing 
information and investigating anomalies to determine whether they are 
threats, (3) warning appropriate officials with timely and actionable 
threat and mitigation information, and (4) responding to the threat. 
For example, US-CERT provided warnings by developing and distributing 
a wide array of notifications; however, these notifications were not 
consistently actionable or timely. As a result, we recommended that 
the department address shortfalls associated with the 15 attributes in 
order to fully establish a national cyber analysis and warning 
capability as envisioned in the national strategy. DHS agreed in large 
part with our recommendations and has reported that it is taking steps 
to implement them. 

Similarly, in September 2008, we reported that since conducting a 
major cyber attack exercise, called Cyber Storm, DHS had demonstrated 
progress in addressing eight lessons it had learned from these 
efforts.[Footnote 14] However, its actions to address the lessons had 
not been fully implemented. Specifically, while it had completed 42 of 
the 66 activities identified, the department had identified 16 
activities as ongoing and 7 as planned for the future.[Footnote 15] 
Consequently, we recommended that DHS schedule and complete all of the 
corrective activities identified in order to strengthen coordination 
between public and private sector participants in response to 
significant cyber incidents. DHS concurred with our recommendation. 
Since that time, DHS has continued to make progress in completing some 
identified activities but has yet to do so for others. 

Improving the National Cybersecurity Strategy: 

Because the threats to federal information systems and critical 
infrastructure have persisted and grown, efforts have recently been 
undertaken by the executive branch to review the nation's 
cybersecurity strategy. In February 2009, President Obama directed the 
National Security Council and Homeland Security Council to conduct a 
comprehensive review to assess the United States' cybersecurity-
related policies and structures. The resulting report, Cyberspace 
Policy Review: Assuring a Trusted and Resilient Information and 
Communications Infrastructure, recommended, among other things, 
appointing an official in the White House to coordinate the nation's 
cybersecurity policies and activities, creating a new national 
cybersecurity strategy, and developing a framework for cyber research 
and development.[Footnote 16] In response to one of these actions, the 
president appointed a cybersecurity coordinator in December 2009. We 
recently initiated a review to assess the progress made by the 
executive branch in implementing the report's recommendations. 

We also testified in March 2009 on needed improvements to the nation's 
cybersecurity strategy.[Footnote 17] In preparation for that 
testimony, we obtained the views of experts (by means of panel 
discussions) on critical aspects of the strategy, including areas for 
improvement. The experts, who included former federal officials, 
academics, and private sector executives, highlighted 12 key 
improvements that are, in their view, essential to improving the 
strategy and our national cybersecurity posture. The key strategy 
improvements identified by cybersecurity experts are listed in table 2. 

Table 2: Key Strategy Improvements Identified by Cybersecurity Experts: 

1. Develop a national strategy that clearly articulates strategic 
objectives, goals, and priorities. 

2. Establish White House responsibility and accountability for leading 
and overseeing national cybersecurity policy. 

3. Establish a governance structure for strategy implementation. 

4. Publicize and raise awareness about the seriousness of the 
cybersecurity problem. 

5. Create an accountable, operational cybersecurity organization. 

6. Focus more actions on prioritizing assets, assessing 
vulnerabilities, and reducing vulnerabilities than on developing 
additional plans. 

7. Bolster public-private partnerships through an improved value 
proposition and use of incentives. 

8. Focus greater attention on addressing the global aspects of 
cyberspace. 

9. Improve law enforcement efforts to address malicious activities in 
cyberspace. 

10. Place greater emphasis on cybersecurity research and development, 
including consideration of how to better coordinate government and 
private sector efforts. 

11. Increase the cadre of cybersecurity professionals. 

12. Make the federal government a model for cybersecurity, including 
using its acquisition function to enhance cybersecurity aspects of 
products and services. 

Source: GAO analysis of opinions solicited during expert panels. 

[End of table] 

These recommended improvements to the national strategy are in large 
part consistent with our previous reports and extensive research and 
experience in this area.[Footnote 18] Until they are addressed, our 
nation's most critical federal and private sector cyber infrastructure 
remain at unnecessary risk of attack from our adversaries. 

In summary, the threats to federal information systems are evolving 
and growing, and federal systems are not sufficiently protected to 
consistently thwart the threats. Unintended incidents and attacks from 
individuals and groups with malicious intent have the potential to 
cause significant damage to the ability of agencies to effectively 
perform their missions, deliver services to constituents, and account 
for their resources. To help in meeting these threats, opportunities 
exist to improve information security throughout the federal 
government. The prompt and effective implementation of the hundreds of 
recommendations by us and by agency inspectors general to mitigate 
information security control deficiencies and fully implement 
agencywide security programs would strengthen the protection of 
federal information systems, as would efforts by DHS to develop better 
capabilities to meets its responsibilities, and the implementation of 
recommended improvements to the national cybersecurity strategy. Until 
agencies fully and effectively implement these recommendations, 
federal information and systems will remain vulnerable. 

Mr. Chairman, this completes my prepared statement. I would be happy 
to answer any questions you or other Members of the Committee have at 
this time. 

Contact and Acknowledgments: 

If you have any questions regarding this statement, please contact 
Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. Other 
key contributors to this statement include John de Ferrari (Assistant 
Director), Michael Gilmore (Assistant Director), Anjalique Lawrence 
(Assistant Director), Marisol Cruz, Nick Marinos, Lee McCracken, and 
David Plocher. 

[End of section] 

Footnotes: 

[1] Director of National Intelligence, Annual Threat Assessment of the 
US Intelligence Community for the Senate Select Committee on 
Intelligence, statement before the Senate Select Committee on 
Intelligence (Feb. 2, 2010). 

[2] GAO, Cybercrime: Public and Private Entities Face Challenges in 
Addressing Cyber Threats, [hyperlink, 
http://www.gao.gov/products/GAO-07-705] (Washington, D.C.: June 22, 
2007). 

[3] A material weakness is a deficiency, or combination of 
deficiencies, in internal control such that there is a reasonable 
possibility that a material misstatement of the entity's financial 
statements will not be prevented, or detected and corrected on a 
timely basis. A significant deficiency is a deficiency, or combination 
of deficiencies, in internal control that is less severe than a 
material weakness, yet important enough to merit attention by those 
charged with governance. A control deficiency exists when the design 
or operation of a control does not allow management or employees, in 
the normal course of performing their assigned functions, to prevent, 
or detect and correct misstatements on a timely basis. 

[4] GAO, Information Security: Actions Needed to Better Protect Los 
Alamos National Laboratory's Unclassified Computer Network, 
[hyperlink, http://www.gao.gov/products/GAO-08-1001] (Washington, 
D.C.: Sept. 9, 2008). 

[5] GAO, Information Security: NASA Needs to Remedy Vulnerabilities in 
Key Networks, [hyperlink, http://www.gao.gov/products/GAO-10-4] 
(Washington, D.C.: Oct. 15, 2009). 

[6] The White House, National Security Presidential Directive 54/ 
Homeland Security Presidential Directive 23 (Washington, D.C.: Jan. 8, 
2008). 

[7] GAO, Cybersecurity: Progress Made but Challenges Remain in 
Defining and Coordinating the Comprehensive National Initiative, 
[hyperlink, http://www.gao.gov/products/GAO-10-338] (Washington, D.C.: 
Mar. 5, 2010). 

[8] GAO, Information Security: Agencies Need to Implement Federal 
Desktop Core Configuration Requirements, [hyperlink, 
http://www.gao.gov/products/GAO-10-202] (Washington, D.C.: Mar. 12, 
2010). 

[9] GAO, Information Security: Concerted Effort Needed to Consolidate 
and Secure Internet Connections at Federal Agencies, [hyperlink, 
http://www.gao.gov/products/GAO-10-237] (Washington, D.C.: Mar. 12, 
2010). 

[10] [hyperlink, http://www.gao.gov/products/GAO-10-237]. 

[11] These include The Homeland Security Act of 2002, Homeland 
Security Presidential Directive-7, and the National Strategy to Secure 
Cyberspace. 

[12] Critical infrastructures are systems and assets, whether physical 
or virtual, so vital to the nation that their incapacity or 
destruction would have a debilitating impact on national security, 
national economic security, national public health or safety, or any 
combination of those matters. Federal policy established 18 critical 
infrastructure sectors: agriculture and food; banking and finance; 
chemical; commercial facilities; communications; critical 
manufacturing; dams; defense industrial base; emergency services; 
energy; government facilities; information technology; national 
monuments and icons; nuclear reactors, materials and waste; postal and 
shipping; public health and health care; transportation systems; and 
water. 

[13] GAO, Cyber Analysis and Warning: DHS Faces Challenges in 
Establishing a Comprehensive National Capability, [hyperlink, 
http://www.gao.gov/products/GAO-08-588] (Washington, D.C.: Jul. 31, 
2008). 

[14] GAO, Critical Infrastructure Protection: DHS Needs To Fully 
Address Lessons Learned from Its First Cyber Storm Exercise, 
[hyperlink, http://www.gao.gov/products/GAO-08-825] (Washington, D.C.: 
Sept. 9, 2008). 

[15] At that time, DHS reported that one other activity had been 
completed, but the department was unable to provide evidence 
demonstrating its completion. 

[16] The White House, Cyberspace Policy Review: Assuring a Trusted and 
Resilient Information and Communications Infrastructure (Washington, 
D.C.: May 29, 2009). 

[17] GAO, National Cybersecurity Strategy: Key Improvements Are Needed 
to Strengthen the Nation's Posture, [hyperlink, 
http://www.gao.gov/products/GAO-09-432T] (Washington, D.C.: Mar. 10, 
2009). 

[18] We are currently conducting additional reviews related to these 
improvements. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: