This is the accessible text file for GAO report number GAO-05-434 entitled 'Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities' which was released on June 27, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: May 2005: Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities: [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-434] GAO Highlights: Highlights of GAO-05-434, a report to congressional requesters: Why GAO Did This Study: Increasing computer inter-connectivity has revolutionized the way that our government, our nation, and much of the world communicate and conduct business. While the benefits have been enormous, this widespread interconnectivity also poses significant risks to our nation’s computer systems and, more importantly, to the critical operations and infrastructures they support. The Homeland Security Act of 2002 and federal policy established DHS as the focal point for coordinating activities to protect the computer systems that support our nation’s critical infrastructures. GAO was asked to determine (1) DHS’s roles and responsibilities for cyber critical infrastructure protection, (2) the status and adequacy of DHS’s efforts to fulfill these responsibilities, and (3) the challenges DHS faces in fulfilling its cybersecurity responsibilities. What GAO Found: As the focal point for critical infrastructure protection (CIP), the Department of Homeland Security (DHS) has many cybersecurity-related roles and responsibilities that we identified in law and policy (see table below for 13 key responsibilities). DHS established the National Cyber Security Division to take the lead in addressing the cybersecurity of critical infrastructures. While DHS has initiated multiple efforts to fulfill its responsibilities, it has not fully addressed any of the 13 responsibilities, and much work remains ahead. For example, the department established the United States Computer Emergency Readiness Team as a public/private partnership to make cybersecurity a coordinated national effort, and it established forums to build greater trust and information sharing among federal officials with information security responsibilities and law enforcement entities. However, DHS has not yet developed national cyber threat and vulnerability assessments or government/industry contingency recovery plans for cybersecurity, including a plan for recovering key Internet functions. DHS faces a number of challenges that have impeded its ability to fulfill its cyber CIP responsibilities. These key challenges include achieving organizational stability, gaining organizational authority, overcoming hiring and contracting issues, increasing awareness about cybersecurity roles and capabilities, establishing effective partnerships with stakeholders, achieving two-way information sharing with these stakeholders, and demonstrating the value DHS can provide. In its strategic plan for cybersecurity, DHS identifies steps that can begin to address the challenges. However, until it confronts and resolves these underlying challenges and implements its plans, DHS will have difficulty achieving significant results in strengthening the cybersecurity of our critical infrastructures. DHS’s Key Cybersecurity Responsibilities: * Develop a national plan for critical infrastructure protection, including cybersecurity. * Develop partnerships and coordinate with other federal agencies, state and local governments, and the private sector. * Improve and enhance public/private information sharing involving cyber attacks, threats, and vulnerabilities. * Develop and enhance national cyber analysis and warning capabilities. * Provide and coordinate incident response and recovery planning efforts. * Identify and assess cyber threats and vulnerabilities. * Support efforts to reduce cyber threats and vulnerabilities. * Promote and support research and development efforts to strengthen cyberspace security. * Promote awareness and outreach. * Foster training and certification. * Enhance federal, state, and local government cybersecurity. * Strengthen international cyberspace security. * Integrate cybersecurity with national security. Source: GAO analysis of law and policy. [End of table] What GAO Recommends: GAO is making recommendations to the Secretary of Homeland Security to strengthen the department’s ability to implement key cybersecurity responsibilities by completing critical activities and resolving underlying challenges. In written comments on a draft of this report, DHS agreed with our recommendation to engage stakeholders to prioritize its responsibilities, but disagreed with and sought clarification on recommendations to resolve its challenges. www.gao.gov/cgi-bin/getrpt?GAO-05-434. To view the full product, including the scope and methodology, click on the link above. For more information, contact David Powner at (202) 512- 9286 or pownerd@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: DHS's Roles and Responsibilities for Cybersecurity in Support of Critical Infrastructure Protection Are Many and Varied: DHS Has Initiated Efforts That Begin to Address Its Responsibilities, but More Work Remains: DHS Continues to Face Challenges in Establishing Itself as a National Focal Point for Cyberspace Security: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendixes: Appendix I: Objectives, Scope, and Methodology: Appendix II: DHS Organizations with Cyber-Related Roles: Appendix III: Comments from the Department of Homeland Security: Appendix IV: GAO Contact and Staff Acknowledgments: Tables: Table 1: Sources of Emerging Cybersecurity Threats: Table 2: Likely Sources of Cyber Attacks, According to Respondents to the CSI/FBI 2003 Computer Crime and Security Survey: Table 3: Types of Cyber Attacks: Table 4: Federal Government Actions in Developing CIP Policy: Table 5: Infrastructure Sectors Identified by the National Strategy for Homeland Security and HSPD-7: Table 6: Thirteen DHS Cybersecurity Responsibilities: Table 7: DHS Partnership and Information-Sharing Initiatives: Table 8: DHS Initiatives to Enhance Analytical Capabilities: Table 9: Incident Response and Recovery Initiatives: Table 10: DHS Cybersecurity Awareness and Outreach Initiatives: Table 11: Key Initiatives in Cybersecurity Education: Table 12: DHS's Intergovernmental Cybersecurity Initiatives: Table 13: International Cybersecurity Initiatives: Figures: Figure 1: Security Vulnerabilities, 1995-2004: Figure 2: NCSD Organization Chart: Abbreviations: CERT/CC: CERT® Coordination Center: CIP: critical infrastructure protection: DHS: Department of Homeland Security: HSPD: Homeland Security Presidential Directive: ISAC: information sharing and analysis center: IT: information technology: NCSD: National Cyber Security Division: NIPP: National Infrastructure Protection Plan: US-CERT: United States-Computer Emergency Response Team: Letter May 26, 2005: Congressional Requesters: Since the early 1990s, increasing computer interconnectivity--most notably growth in the use of the Internet--has revolutionized the way that our government, our nation, and much of the world communicate and conduct business. While the benefits have been enormous, this widespread interconnectivity also poses significant risks to the government's and our nation's computer systems and, more importantly, to the critical operations and infrastructures they support. The speed and accessibility that create the enormous benefits of the computer age, if not properly controlled, allow unauthorized individuals and organizations to inexpensively eavesdrop on or interfere with these operations from remote locations for mischievous or malicious purposes, including fraud or sabotage. Recent terrorist attacks and threats have further underscored the need to manage and bolster the cybersecurity of our nation's critical infrastructures. Federal law and policy call for critical infrastructure protection (CIP) activities that are intended to enhance the cyber and physical security of both the public and private infrastructures that are essential to national security, national economic security, and national public health and safety.[Footnote 1] Federal policy recognizes the importance of building public/private partnerships and identifies several critical infrastructure sectors as well as federal agencies to work with the sectors to coordinate efforts to strengthen the security of the nation's public and private, computer-dependent critical infrastructure. In addition, it establishes the Department of Homeland Security (DHS) as the focal point for the security of cyberspace--including analysis, warning, information sharing, vulnerability reduction, mitigation, and recovery efforts for public and private critical infrastructure information systems. To accomplish this mission, DHS is to work with the federal agencies, state and local governments, and the private sector. In response to your request, we determined (1) DHS's roles and responsibilities for cyber critical infrastructure protection and national information security, as established in law and policy, and the specific organizational structures DHS has created to fulfill them; (2) the status of DHS's efforts to protect the computer systems that support the nation's critical infrastructures and to strengthen information security--both inside and outside the federal government-- and the extent to which such efforts adequately address its responsibilities; and (3) the challenges DHS faces in fulfilling its cybersecurity roles and responsibilities. To accomplish these objectives, we reviewed relevant law, policy, directives, and documents and interviewed officials from DHS, other federal agencies, and the private sector who are involved in efforts to enhance the cybersecurity of critical infrastructures. Appendix I provides further details on our objectives, scope, and methodology. We performed our work from July 2004 to April 2005 in accordance with generally accepted government auditing standards. Results in Brief: As the focal point for critical infrastructure protection, DHS has many cybersecurity-related roles and responsibilities that are called for in law and policy. These responsibilities include developing plans, building partnerships, and improving information sharing, as well as implementing activities related to the five priorities in the national cyberspace strategy: (1) developing and enhancing national cyber analysis and warning, (2) reducing cyberspace threats and vulnerabilities, (3) promoting awareness of and training in security issues, (4) securing governments' cyberspace, and (5) strengthening national security and international cyberspace security cooperation. To fulfill its cybersecurity role, in June 2003, DHS established the National Cyber Security Division to serve as a national focal point for addressing cybersecurity and coordinating the implementation of cybersecurity efforts. While DHS has initiated multiple efforts, it has not fully addressed any of the 13 key cybersecurity-related responsibilities that we identified in federal law and policy, and it has much work ahead in order to be able to fully address them. For example, DHS (1) has recently issued the Interim National Infrastructure Protection Plan, which includes cybersecurity elements; (2) operates the United States Computer Emergency Readiness Team to address the need for a national analysis and warning capability; and (3) has established forums to foster information sharing among federal officials with information security responsibilities and among various law enforcement entities. However, DHS has not yet developed national threat and vulnerability assessments or developed and exercised government and government/industry contingency recovery plans for cybersecurity, including a plan for recovering key Internet functions. Further, DHS continues to have difficulties in developing partnerships--as called for in federal policy--with other federal agencies, state and local governments, and the private sector. DHS faces a number of challenges that have impeded its ability to fulfill its cyber CIP responsibilities. Key challenges include achieving organizational stability; gaining organizational authority; overcoming hiring and contracting issues; increasing awareness about cybersecurity roles and capabilities; establishing effective partnerships with stakeholders (other federal agencies, state and local governments, and the private sector); achieving two-way information sharing with these stakeholders; and demonstrating the value DHS can provide. In its strategic plan for cybersecurity, DHS has identified steps that can begin to address these challenges. However, until it effectively confronts and resolves these underlying challenges, DHS will have difficulty achieving significant results in strengthening the cybersecurity of our nation's critical infrastructures, and our nation will lack the strong cybersecurity focal point envisioned in federal law and policy. We are making recommendations to the Secretary of Homeland Security to strengthen the department's ability to implement key cybersecurity responsibilities by completing critical activities and resolving underlying challenges. DHS provided written comments on a draft of this report (see app. III). In brief, DHS agreed that strengthening cybersecurity is central to protecting the nation's critical infrastructures and that much remains to be done. In addition, DHS concurred with our recommendation to engage stakeholders in prioritizing its key cybersecurity responsibilities. However, DHS did not concur with our recommendations to identify and prioritize initiatives to address the challenges it faces, or to establish performance metrics and milestones for these initiatives. Specifically, DHS reported that its strategic plan for cybersecurity already provides a prioritized list, performance measures, and milestones to guide and track its activities. The department sought additional clarification of these recommendations. While we agree with DHS that its plan identifies activities (along with some performance measures and milestones) that will begin to address the challenges, this plan does not include specific initiatives that would ensure that the challenges are addressed in a prioritized and comprehensive manner. For example, the strategic plan for cybersecurity does not include initiatives to help stabilize and build authority for the organization. Further, the strategic plan does not identify the relative priority of its initiatives and does not consistently identify performance measures for completing its initiatives. As DHS moves forward in identifying initiatives to address the underlying challenges it faces, it will be important to establish performance measures and milestones for fulfilling these initiatives. DHS officials (as well as others who were quoted in our report) also provided detailed technical corrections, which we have incorporated in this report as appropriate. Background: Critical Infrastructure Protection (CIP) involves activities that enhance the cyber and physical security of the public and private infrastructures that are critical to national security, national economic security, and national public health and safety. Because a large percentage of the nation's critical infrastructures is owned and operated by the private sector, public/private partnerships are crucial for successful critical infrastructure protection. Recent terrorist attacks and threats have further underscored the need to encourage and manage CIP activities. Vulnerabilities are being identified on a more frequent basis and, if these vulnerabilities are exploited, several of our nation's critical infrastructures could be disrupted or disabled. Sources of Potential Cyber Attacks on Critical Infrastructures Are Proliferating: Several types of organizations and individuals are capable of conducting attacks on our nation's critical infrastructures. Historically, attacks on our infrastructures could be conducted only by a relatively small number of entities. However, with critical infrastructures' increasing reliance on computers and networks, more organizations and individuals can cause harm using cyber attacks. Further, U.S. authorities are becoming increasingly concerned about the prospect of combined physical and cyber attacks, which could have devastating consequences. Table 1 lists sources of threats that have been identified by the U.S. intelligence community and others. Table 1: Sources of Emerging Cybersecurity Threats: Threat: Bot-network operators; Description: Bot-network operators are hackers; however, instead of breaking into systems for the challenge or bragging rights, they take over multiple systems in order to coordinate attacks and to distribute phishing[A] schemes, spam, and malwareb attacks. The services of these networks are sometimes made available on underground markets (e.g., purchasing a denial-of-service attack, servers to relay spam or phishing attacks, etc.) Threat: Criminal groups; Description: Criminal groups seek to attack systems for monetary gain. Specifically, organized crime groups are using spam, phishing, and spyware/malware to commit identity theft and online fraud. International corporate spies and organized crime organizations also pose a threat to the United States through their ability to conduct industrial espionage and large-scale monetary theft and to hire or develop hacker talent. Threat: Foreign intelligence services; Description: Foreign intelligence services use cyber tools as part of their information- gathering and espionage activities. In addition, several nations are aggressively working to develop information warfare doctrine, programs, and capabilities. Such capabilities enable a single entity to have a significant and serious impact by disrupting the supply, communications, and economic infrastructures that support military power--impacts that could affect the daily lives of U.S. citizens across the country. Threat: Hackers; Description: Hackers break into networks for the thrill of the challenge or for bragging rights in the hacker community. While remote cracking once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites. Thus, while attack tools have become more sophisticated, they have also become easier to use. According to the Central Intelligence Agency, the large majority of hackers do not have the requisite expertise to threaten difficult targets such as critical U.S. networks. Nevertheless, the worldwide population of hackers poses a relatively high threat of an isolated or brief disruption causing serious damage. Threat: Insiders; Description: The disgruntled organization insider is a principal source of computer crime. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat also includes outsourcing vendors as well as employees who accidentally introduce malware into systems. Threat: Phishers; Description: Individuals, or small groups, that execute phishing schemes in an attempt to steal identities or information for monetary gain. Phishers may also use spam and spyware/malware to accomplish their objectives. Threat: Spammers; Description: Individuals or organizations that distribute unsolicited e- mail with hidden or false information in order to sell products, conduct phishing schemes, distribute spyware/malware, or attack organizations (i.e., denial of service). Threat: Spyware/malware authors; Description: Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware and malware. Several destructive computer viruses and worms have harmed files and hard drives, including the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl) Virus, Nimda, Code Red, Slammer, and Blaster. Threat: Terrorists; Description: Terrorists seek to destroy, incapacitate, or exploit critical infrastructures in order to threaten national security, cause mass casualties, weaken the U.S. economy, and damage public morale and confidence. Terrorists may use phishing schemes or spyware/malware in order to generate funds or gather sensitive information. Source: GAO analysis based on data from the Federal Bureau of Investigation, Central Intelligence Agency, and the Software Engineering Institute's CERT® Coordination Center. [A] Phishing involves the creation and use of e-mails and Web sites that are designed to look like those of well-known legitimate businesses or government agencies, in order to deceive Internet users into disclosing their personal data for criminal purposes, such as identity theft and fraud. [B] Malware is software designed with malicious intent, such as a virus. [End of table] Government officials are increasingly concerned about attacks from individuals and groups with malicious intent--such as crime, terrorism, foreign intelligence gathering, and acts of war. For example, in February 2005, the Federal Bureau of Investigation Director testified before the Senate Select Committee on Intelligence about current threats--including cyber threats--to the United States.[Footnote 2] He stated that the cyber threat to the United States is serious, and the number of actors with both the ability and the desire to use computers for illegal and harmful purposes continues to rise. The Director added that individuals or groups from foreign states, including foreign governments, continue to pose threats to our national and economic security because they have the resources to support advanced network exploitation and attack. In addition, he stated that "terrorists show a growing understanding of the critical role of information technology in the day-to-day operations of our economy and national security and have expanded their recruitment to include people studying math, computer science and engineering." The Director further stated that although individual hackers do not pose a great threat, hackers intent on stealing information or motivated by money are a concern--adding that "if this pool of talent is utilized by terrorists, foreign governments or criminal organizations, the potential for a successful cyber attack on our critical infrastructures is greatly increased." Analyses by various organizations have also demonstrated the increasing threats that are faced by critical infrastructure sectors in the United States. For example, in May 2004, the E-Crime Watch™ survey of security and law enforcement executives found that 43 percent of the respondents reported "an increase in electronic crimes and intrusions over the previous year and 70 percent reported at least one electronic crime or intrusion being committed against their organization." Regarding the source of the electronic crime or intrusion, 70 percent of respondents reported that they knew the source. The respondents most frequently identified hackers (40 percent), followed by current and former employees and contractors (31 percent), as the greatest threats to cybersecurity.[Footnote 3] Similarly, respondents to the 2003 Computer Security Institute and Federal Bureau of Investigation Computer Crime and Security Survey identified independent hackers as the most likely source of cyber attacks, as shown in table 2.[Footnote 4] Table 2: Likely Sources of Cyber Attacks, According to Respondents to the CSI/FBI 2003 Computer Crime and Security Survey: Potential source: Independent hackers; Percentage of respondents: 82%. Potential source: Disgruntled employees; Percentage of respondents: 77%. Potential source: U.S. competitors; Percentage of respondents: 40%. Potential source: Foreign governments; Percentage of respondents: 28%. Potential source: Foreign corporations; Percentage of respondents: 25%. Source: 2003 CSI/FBI Computer Crime and Security Survey. [End of table] As larger amounts of money are transferred through computer systems, as more sensitive economic and commercial information is exchanged electronically, and as the nation's defense and intelligence communities increasingly rely on commercially available information technology, the likelihood increases that information attacks will threaten vital national interests. Types of Attacks Are Expanding and Tools Are Readily Available: According to the Federal Bureau of Investigation, terrorists, transnational criminals, and intelligence services are quickly becoming aware of and using tools such as computer viruses, Trojan horses, worms, logic bombs, and eavesdropping programs ("sniffers") that can deny access, degrade the integrity of, intercept, or destroy data (see table 3). Table 3: Types of Cyber Attacks: Type of attack: Denial of service; Description: A method of attack from a single source that denies system access to legitimate users by overwhelming the target computer with messages and blocking legitimate traffic. It can prevent a system from being able to exchange data with other systems or use the Internet. Type of attack: Distributed denial of service; Description: A variant of the denial-of-service attack that uses a coordinated attack from a distributed system of computers rather than from a single source. It often makes use of worms to spread to multiple computers that can then attack the target. Type of attack: Exploit tools; Description: Publicly available and sophisticated tools that intruders of various skill levels can use to determine vulnerabilities and gain entry into targeted systems. Type of attack: Logic bombs; Description: A form of sabotage in which a programmer inserts code that causes the program to perform a destructive action when some triggering event occurs, such as terminating the programmer's employment. Type of attack: Phishing; Description: The creation and use of e-mails and Web sites--designed to look like those of well-known legitimate businesses, financial institutions, and government agencies--in order to deceive Internet users into disclosing their personal data, such as bank and financial account information and passwords. The phishers then take that information and use it for criminal purposes, such as identity theft and fraud. Type of attack: Sniffer; Description: Synonymous with packet sniffer. A program that intercepts routed data and examines each packet in search of specified information, such as passwords transmitted in clear text. Type of attack: Trojan horse; Description: A computer program that conceals harmful code. A Trojan horse usually masquerades as a useful program that a user would wish to execute. Type of attack: Virus; Description: A program that infects computer files, usually executable programs, by inserting a copy of itself into the file. These copies are usually executed when the infected file is loaded into memory, allowing the virus to infect other files. Unlike the computer worm, a virus requires human involvement (usually unwitting) to propagate. Type of attack: War dialing; Description: Simple programs that dial consecutive telephone numbers looking for modems. Type of attack: War driving; Description: A method of gaining entry into wireless computer networks using a laptop, antennas, and a wireless network adaptor that involves patrolling locations to gain unauthorized access. Type of attack: Worm; Description: An independent computer program that reproduces by copying itself from one system to another across a network. Unlike computer viruses, worms do not require human involvement to propagate. Source: GAO analysis of reports by the Department of Justice and GAO. [End of table] Viruses and worms are commonly used to launch denial-of-service attacks, which generally flood targeted networks and systems by transmitting so much data that regular traffic is either slowed or stopped. Such attacks have been used ever since the groundbreaking Morris worm, which brought 10 percent of the systems connected to the Internet to a halt in November 1988. In 2001, the Code Red worm used a denial-of-service attack to affect millions of computer users by shutting down Web sites, slowing Internet service and disrupting business and government operations.[Footnote 5] As the number of individuals with computer skills has increased, intrusion tools have become more readily available and relatively easy to use. Frequently, skilled hackers develop exploitation tools and post them on Internet hacking sites. These tools are then readily available for others to download, allowing even inexperienced programmers to create a computer virus or to literally point and click to launch an attack. According to the National Institute of Standards and Technology, 30 to 40 new attack tools are posted on the Internet every month.[Footnote 6] Experts also agree that there has been a steady advance in the sophistication and effectiveness of attack technologies. Intruders quickly develop attacks to exploit vulnerabilities that have been discovered in products, use these attacks to compromise computers, and share them with other attackers. In addition, they can combine these attacks with other forms of technology to develop programs that automatically scan the network for vulnerable systems, attack them, compromise them, and use them to spread the attack even further. Cyber Vulnerabilities Have Increased: In addition to the growing threat from terrorists, transnational criminals, foreign intelligence services, and hackers, there has been a growing number of software vulnerabilities. Flaws in software code that could cause a program to malfunction generally result from programming errors that occur during software development. The increasing complexity and size of software programs contribute to an increase in software flaws. For example, Microsoft Windows 2000 reportedly contains about 35 million lines of code, compared with about 15 million lines for Windows 95. As reported by the National Institute of Science and Technology, based on studies of code inspections, there can be as many as 20 flaws per thousand lines of software code. While most flaws do not create security vulnerabilities,[Footnote 7] the potential for these errors reflects the difficulty and complexity of delivering trustworthy code.[Footnote 8] By exploiting software vulnerabilities, hackers and others who spread malicious code can cause significant damage, ranging from defacing Web sites to taking control of entire systems and thereby being able to read, modify, or delete sensitive information; disrupt operations; launch attacks against other organizations' systems; or destroy systems. Between 1995 and 2004, the Software Engineering Institute's CERT® Coordination Center (CERT/CC)[Footnote 9] reported that 16,726 security vulnerabilities had resulted from software flaws. Figure 1 illustrates the increase in security vulnerabilities over these years. Figure 1: Security Vulnerabilities, 1995-2004: [See PDF for image] [End of figure] Taking Advantage of Vulnerabilities, Attackers Are Able to Cause Serious Consequences: The growing number of known vulnerabilities increases the potential number of attacks. As vulnerabilities are discovered, attackers attempt to exploit them. Attacks can be launched against specific targets or widely distributed through viruses and worms. The risks posed by this increasing and evolving threat are demonstrated in media and other reports of actual and potential attacks and disruptions, such as those cited below. * In March 2005, security consultants within the electric industry reported that hackers were targeting the U.S. electric power grid and had gained access to U.S. utilities' electronic control systems. Computer security specialists reported that, in a few cases, these intrusions had "caused an impact." While officials stated that hackers had not caused serious damage to the systems that feed the nation's power grid, the constant threat of intrusion has heightened concerns that electric companies may not have adequately fortified their defenses against a potential catastrophic strike. * In January 2005, a major university reported that a hacker had broken into a database containing 32,000 student and employee Social Security numbers, potentially compromising their finances and identities. In similar incidents during 2003 and 2004, it was reported that hackers had attacked the systems of other universities, exposing the personal information of over 1.8 million people. * On August 11, 2003, the Blaster worm was launched, and it infected more than 120,000 computers in its first 36 hours. The worm was programmed to launch a denial-of-service attack against Microsoft's Windows Update Web site, and it affected a wide range of systems and caused slowdowns and disruptions in users' Internet services. For example, the Maryland Motor Vehicle Administration was forced to shut down its computer systems. * In June 2003, the U.S. government issued a warning concerning a virus that specifically targeted financial institutions. Experts said the BugBear.b virus was programmed to determine whether a victim had used an e-mail address for any of the roughly 1,300 financial institutions listed in the virus's code. If a match was found, the software attempted to collect and document user input by logging keystrokes and then provide this information to a hacker, who could use it in attempts to break into the banks' networks. * In May 2004, we reported that according to a preliminary study coordinated by the Cooperative Association for Internet Data Analysis, on January 25, 2003, the SQL Slammer worm (also known as "Sapphire" and "SQL Hell") infected more than 90 percent of vulnerable computers worldwide within 10 minutes of its release on the Internet.[Footnote 10] As the study reports, exploiting a known vulnerability for which a patch had been available since July 2002, Slammer doubled in size every 8.5 seconds and achieved its full scanning rate (55 million scans per second) after about 3 minutes, causing considerable harm through network outages. Further, the study emphasized that the effects would likely have been more severe had Slammer carried a malicious payload, exploited a more widespread vulnerability, or targeted a more popular service. Despite its lack of malicious payload, Slammer caused significant damage, exacting a toll on several large companies and municipalities that found their internal networks deluged with data from the virus. Major financial institutions reported problems; for example, one reported that a majority of its automatic teller machines were unable to process customer transactions for several hours. The attack disrupted operations for several hours at a 911 call center that served two suburban police departments and at least 14 fire departments. A commercial airline had flights delayed or canceled because of online ticketing and electronic check-in problems. * In November 2002, a British computer administrator was indicted on charges that he accessed and damaged 98 computers in 14 states between March 2001 and March 2002, causing some $900,000 in damage. These networks belonged to the Department of Defense, the National Aeronautics and Space Administration, and private companies. The indictment alleges that the attacker was able to gain administrative privileges on military computers, copy password files, and delete critical system files. The attacks rendered the networks of the Earle Naval Weapons Station in New Jersey and the Military District of Washington inoperable. The CERT/CC has noted that attacks that once took weeks or months to propagate over the Internet now take just hours--or even minutes-- because automated tools are now available. For instance, while Code Red achieved an infection rate of over 20,000 systems within 10 minutes in July 2001, about a year and a half later, in January 2003, the Slammer worm successfully attacked at least 75,000 systems, infecting more than 90 percent of vulnerable systems within 10 minutes. According to CERT/CC, due to the widespread use of automated tools that have made attacks against Internet-connected systems so commonplace, it no longer publishes the number of incidents that are reported. For historical perspective, the number of computer security incidents reported to CERT/CC rose from just under 10,000 in 1999 to over 52,000 in 2001, to about 82,000 in 2002, and to 137,529 in 2003--when CERT/CC stopped reporting the number of incidents. Moreover, the Director of the CERT Centers stated that he estimates that as much as 80 percent of security incidents go unreported, in most cases because (1) the organization was unable to recognize that its systems had been penetrated or there were no indications of penetration or attack or (2) the organization was reluctant to report. Concerns Regarding the Impact of Cyber Threats on Infrastructure Control Systems Are Growing: Since September 11, 2001, the critical link between cyberspace and physical space has been increasingly recognized. In July 2002, the National Infrastructure Protection Center reported that the potential for compound cyber and physical attacks, referred to as "swarming attacks," is an emerging threat to our nation's critical infrastructures. Swarming attacks can slow down or complicate the response to a physical attack. For instance, a cyber attack that disabled the water supply or the electrical system, in conjunction with a physical attack, could deny emergency services the necessary resources to manage the consequences of the physical attack--such as controlling fires, coordinating actions, and generating light. There is a general consensus--and increasing concern--among government officials and experts on control systems, about potential cyber threats to the control systems that govern our critical infrastructures. In his November 2002 congressional testimony, the Director of the CERT Centers at Carnegie Mellon University noted that supervisory control and data acquisition systems and other forms of networked computer systems had been used for years to control power grids, gas and oil distribution pipelines, water treatment and distribution systems, hydroelectric and flood control dams, oil and chemical refineries, and other physical infrastructure systems.[Footnote 11] These control systems are increasingly being connected to communications links and networks to enhance performance and to reduce operational costs by supporting remote maintenance, remote control, and remote update functions. They are potential targets for individuals intent on causing massive disruption and physical damage. The use of commercial-off-the-shelf technologies for these systems--without adequate security enhancements-- can significantly limit available approaches to protection and may increase the number of potential attackers. As components of control systems increasingly make critical decisions that were once made by humans, the potential effect of a cyber attack becomes more devastating. For example, a failed control system was a contributing factor in the widespread east coast electrical blackout of August 2003. While investigations later found that this incident was not the result of a deliberate attack, DHS officials stated that the significant involvement of a control system highlighted the fact that a physical system or location could be accessed through a cyber connection. Another example occurred in August 2003; the Nuclear Regulatory Commission confirmed that earlier that year the Slammer worm had infected a private computer network at a nuclear power plant, disabling a safety monitoring system for nearly 5 hours. The plant's process computer failed, and it took about 6 hours for it to become available again. The worm reportedly also affected communications on the control networks of at least five other utilities by propagating so quickly that control system traffic was blocked. Looking ahead, 66 percent of the technology experts and scholars who responded to a 2004 survey on the future of the Internet believe that at least one devastating cyber attack will occur on the networked information infrastructure or the country's power grid within the next 10 years.[Footnote 12] In March 2004, we reported on the significant challenges of securing controls systems, including technical limitations, perceived lack of economic justification, and conflicting organizational priorities.[Footnote 13] We recommended that the Secretary of DHS develop and implement a strategy for coordinating with the private sector and other government agencies to improve the security of control systems. This strategy was issued in December 2004. Critical Infrastructure Protection Policy Has Continued to Evolve Since the Mid-1990s: Over the years, the federal government and critical infrastructure representatives have sponsored working groups, written reports, issued policies, and created organizations to address CIP. To provide a historical perspective, table 4 summarizes the key developments in federal CIP policy since 1997. Table 4: Federal Government Actions in Developing CIP Policy: Policy action: Critical Foundations: Protecting America's Infrastructures[A]; Date: Oct. 1997; Description: Described the potentially devastating effects of poor information security on the nation and recommended measures to achieve a higher level of CIP that included industry cooperation and information sharing, a national organizational structure, a revised program of research and development, a broad program of awareness and education, and a reconsideration of related laws. Policy action: Presidential Decision Directive 63; Date: May 1998; Description: Established CIP as a national goal and presented a strategy for cooperative efforts by government and the private sector to protect the physical and cyber-based systems essential to the minimum operations of the economy and the government; Established government agencies to coordinate and support CIP efforts; Identified lead federal agencies to work with coordinators in eight infrastructure sectors and five special functions; Encouraged the development of information-sharing and analysis centers; Required every federal department and agency to be responsible for protecting its own critical infrastructures, including both cyber-based and physical assets; Superseded by HSPD-7 (see details on HSPD-7 below). Policy action: National Plan for Information Systems Protection[B]; Date: Jan. 2000; Description: Provided a vision and framework for the federal government to prevent, detect, and respond to attacks on the nation's critical cyber-based infrastructure and to reduce existing vulnerabilities by complementing and focusing existing federal computer security and information technology requirements. Policy action: Executive Order 13228; Date: Oct. 2001; Description: Established the Office of Homeland Security, within the Executive Office of the President, to develop and coordinate the implementation of a comprehensive national strategy to secure the United States from terrorist threats or attacks; Established the Homeland Security Council to advise and assist the President with all aspects of homeland security and to ensure coordination among executive departments and agencies. Policy action: Executive Order 13231; Date: Oct. 2001; Description: Established the President's Critical Infrastructure Protection Board to coordinate cyber-related federal efforts and programs associated with protecting our nation's critical infrastructures and to recommend policies and coordinating programs for protecting CIP-related information systems. Policy action: National Strategy for Homeland Security[C]; Date: July 2002; Description: Identified the protection of critical infrastructures and key assets as a critical mission area for homeland security; Expanded the number of critical infrastructures from the 8 identified in Presidential Decision Directive 63 to 13 and identified lead federal agencies for each. Policy action: Homeland Security Act of 2002[D]; Date: Nov. 2002; Description: Created the Department of Homeland Security and assigned it the following CIP responsibilities: (1) developing a comprehensive national plan for securing the key resources and critical infrastructures of the United States; (2) recommending measures to protect the key resources and critical infrastructures of the United States in coordination with other groups; and (3) disseminating, as appropriate, information to assist in the deterrence, prevention, and preemption of or response to terrorist attacks. Policy action: The National Strategy to Secure Cyberspace[E]; Date: Feb. 2003; Description: Provided the initial framework for both organizing and prioritizing efforts to protect our nation's cyberspace; Provided direction to federal departments and agencies that have roles in cyberspace security and identified steps that state and local governments, private companies and organizations, and individual Americans can take to improve our collective cybersecurity. Policy action: The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets[F]; Date: Feb. 2003; Description: Provided a statement of national policy to remain committed to protecting critical infrastructures and key assets from physical attacks; Built on Presidential Decision Directive 63 with its sector-based approach and called for expanding the capabilities of information sharing and analysis centers; Outlined three key objectives: (1) identifying and assuring the protection of the most critical assets, systems, and functions; (2) assuring the protection of infrastructures that face an imminent threat; and (3) pursuing collaborative measures and initiatives to assure the protection of other potential targets. Policy action: Executive Order 13286; Date: Feb. 2003; Description: Superseded Executive Order 13231 but maintained the same national policy statement regarding the protection against disruption of information systems for critical infrastructures; Dissolved the President's Critical Infrastructure Protection Board and eliminated the board's chair, the Special Advisor to the President for Cyberspace Security; Designated the National Infrastructure Advisory Council to continue to provide the President with advice on the security of information systems for critical infrastructures supporting other sectors of the economy through the Secretary of Homeland Security. Policy action: Homeland Security Presidential Directive 7; Date: Dec. 2003; Description: Superseded Presidential Decision Directive 63 and established a national policy for federal departments and agencies to identify and prioritize U.S. critical infrastructure and key resources and to protect them from terrorist attack; Defined roles and responsibilities for the Department of Homeland Security and sector- specific agencies to work with sectors to coordinate CIP activities; Established a CIP Policy Coordinating Committee to advise the Homeland Security Council on interagency CIP issues. Source: GAO analysis of documents listed above. [A] President's Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America's Infrastructures (Washington, D.C.: October 1997). [B] The White House, Defending America's Cyberspace: National Plan for Information Systems Protection: Version 1.0: An Invitation to Dialogue (Washington, D.C.: January 2000). [C] The White House, Office of Homeland Security, National Strategy for Homeland Security. [D] Homeland Security Act of 2002, Public Law 107-296 (November 25, 2002). [E] The White House, The National Strategy to Secure Cyberspace (Washington, D.C.: February 2003). [F] The White House, The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. [End of table] DHS's Roles and Responsibilities for Cybersecurity in Support of Critical Infrastructure Protection Are Many and Varied: While policies and strategies for protecting our nation's critical infrastructures have evolved over recent years, three key documents (a law, a national policy, and a national strategy) currently guide federal and nonfederal cybersecurity-related CIP efforts. The law establishes DHS's responsibilities for critical infrastructure protection, a role that includes strengthening the security of our nation's information infrastructure. The policy and strategy are consistent with the law, and reinforce and expand on it. Together, the three guiding documents contain numerous and varied requirements levied on DHS, of which 13 key responsibilities address cybersecurity. To fulfill its cybersecurity roles and responsibilities, DHS has established the National Cyber Security Division (NCSD). Federal Law and Policies Guide Critical Infrastructure Protection and Cybersecurity: Federal law and policies establish CIP as a national goal and describe a strategy for cooperative efforts by government and the private sector to protect the physical and cyber-based systems that are essential to the minimum operations of the economy and the government. These include (1) the Homeland Security Act of 2002, (2) Homeland Security Presidential Directive-7 (HSPD-7), and (3) the National Strategy to Secure Cyberspace. A discussion of each follows. The Homeland Security Act of 2002 Created the Department of Homeland Security: The Homeland Security Act of 2002, signed by the President on November 25, 2002, established DHS and gave it lead responsibility for preventing terrorist attacks in the United States, reducing the vulnerability of the United States to terrorist attacks, and minimizing the damage and assisting in recovery from attacks that do occur. To help DHS accomplish its mission, the act establishes, among other entities, five under secretaries with responsibility over directorates for management, science and technology, information analysis and infrastructure protection, border and transportation security, and emergency preparedness and response. The act also assigns the department a number of CIP responsibilities, including (1) developing a comprehensive national plan for securing the key resources and critical infrastructure of the United States; (2) recommending measures to protect the key resources and critical infrastructure of the United States in coordination with other federal agencies and in cooperation with state and local government agencies and authorities, the private sector, and other entities; and (3) disseminating, as appropriate, information analyzed by the department- -both within the department and to other federal, state, and local government agencies and private-sector entities--to assist in the deterrence, prevention, preemption of, or response to terrorist attacks. Homeland Security Presidential Directive 7 Defines Federal CIP Responsibilities: In December 2003, the President issued HSPD-7, which superseded Presidential Decision Directive-63 and established a national policy for federal departments and agencies to identify and prioritize critical infrastructures and key resources and to protect them from terrorist attack. HSPD-7 defines responsibilities for DHS, sector- specific federal agencies that are responsible for addressing specific critical infrastructure sectors, and other departments and agencies. These responsibilities are briefly discussed below. DHS--HSPD-7 requires, among other things, that the Secretary of Homeland Security: * coordinate the national effort to enhance CIP; * identify, prioritize, and coordinate the protection of critical infrastructure, emphasizing protection against catastrophic health effects or mass casualties; * establish uniform policies, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities within and across sectors; * serve as the focal point for securing cyberspace, including analysis, warning, information sharing, vulnerability reduction, mitigation, and recovery efforts for critical infrastructure information systems; and: * produce a comprehensive and integrated national plan for critical infrastructure and key resources protection that outlines national goals, objectives, milestones, and key initiatives. Sector-specific agencies--HSPD-7 designated certain federal agencies as lead federal points of contact for the critical infrastructure sectors identified in the National Strategy for Homeland Security (see table 5). These agencies are responsible for infrastructure protection activities in their assigned sectors and are to coordinate and collaborate with relevant federal agencies, state, and local governments, and the private sector to carry out related responsibilities. Table 5: Infrastructure Sectors Identified by the National Strategy for Homeland Security and HSPD-7: Sector: Agriculture; Description: Provides for the fundamental need for food. The infrastructure includes supply chains for feed and crop production; Lead agency: Department of Agriculture. Sector: Banking and finance; Description: Provides the financial infrastructure of the nation. This sector consists of commercial banks, insurance companies, mutual funds, government-sponsored enterprises, pension funds, and other financial institutions that carry out transactions, including clearing and settlement; Lead agency: Department of the Treasury. Sector: Chemicals and hazardous materials; Description: Transforms natural raw materials into commonly used products benefiting society's health, safety, and productivity. The chemical industry produces more than 70,000 products that are essential to automobiles, pharmaceuticals, food supply, electronics, water treatment, health, construction, and other necessities; Lead agency: Department of Homeland Security. Sector: Commercial facilities; Description: Includes prominent commercial centers, office buildings, sports stadiums, theme parks, and other sites where large numbers of people congregate to pursue business activities, conduct personal commercial transactions, or enjoy recreational pastimes; Lead agency: Department of Homeland Security. Sector: Dams; Description: Comprises approximately 80,000 dam facilities, including larger and nationally symbolic dams that are major components of other critical infrastructures that provide electricity and water; Lead agency: Department of Homeland Security. Sector: Defense industrial base; Description: Supplies the military with the means to protect the nation by producing weapons, aircraft, and ships and providing essential services, including information technology and supply and maintenance; Lead agency: Department of Defense. Sector: Drinking water and water treatment systems; Description: Sanitizes the water supply with the use of about 170,000 public water systems. These systems depend on reservoirs, dams, wells, treatment facilities, pumping stations, and transmission lines; Lead agency: Environmental Protection Agency. Sector: Emergency services; Description: Saves lives and property from accidents and disaster. This sector includes fire, rescue, emergency medical services, and law enforcement organizations; Lead agency: Department of Homeland Security. Sector: Energy; Description: Provides the electric power used by all sectors, including critical infrastructures, and the refining, storage, and distribution of oil and gas. The sector is divided into electricity and oil and natural gas; Lead agency: Department of Energy. Sector: Food; Description: Carries out the post-harvesting of the food supply, including processing and retail sales; Lead agency: Department of Agriculture and Department of Health and Human Services. Sector: Government; Description: Ensures national security and freedom and administers key public functions; Lead agency: Department of Homeland Security. Sector: Government facilities; Description: Includes the buildings owned and leased by the federal government for use by federal entities; Lead agency: Department of Homeland Security. Sector: Information technology and telecommunications; Description: Provides communications and processes to meet the needs of businesses and government; Lead agency: Department of Homeland Security. Sector: National monuments and icons; Description: Includes key assets that are symbolically equated with traditional American values and institutions or U.S. political and economic power; Lead agency: Department of the Interior. Sector: Nuclear reactors, materials, and waste; Description: Includes 104 commercial nuclear reactors; research and test nuclear reactors; nuclear materials; and the transportation, storage, and disposal of nuclear materials and waste; Lead agency: Department of Homeland Security working with the Nuclear Regulatory Agency and Department of Energy. Sector: Postal and shipping; Description: Delivers private and commercial letters, packages, and bulk assets. The U.S. Postal Service and other carriers provide the services of this sector; Lead agency: Department of Homeland Security. Sector: Public health and healthcare; Description: Mitigates the risk of disasters and attacks and also provides recovery assistance if an attack occurs. The sector consists of health departments, clinics, and hospitals; Lead agency: Department of Health and Human Services. Sector: Transportation systems; Description: Enables movement of people and assets that are vital to our economy, mobility, and security with the use of aviation, ships, rail, pipelines, highways, trucks, buses, and mass transit; Lead agency: Department of Homeland Security in collaboration with the Department of Transportation. Source: GAO analysis based on the President's National Strategy documents and HSPD-7. [End of table] Other federal agencies--HSPD-7 instructs all federal departments and agencies to identify, prioritize, and coordinate the protection of their own critical infrastructures in order to prevent, deter, and mitigate the effects of attacks. In addition, this national policy recognizes that certain other federal entities have special functions related to critical infrastructure and key resources protection, such as the Department of Justice's law enforcement function, the State Department's foreign affairs function, and the Executive Office of the President's Office of Science and Technology's research and development policy-setting function. The National Strategy to Secure Cyberspace Provides an Initial Framework for Cybersecurity: The National Strategy to Secure Cyberspace (cyberspace strategy), a national policy issued in February 2003, provides a framework for both organizing and prioritizing efforts to protect our nation's cyberspace. It also provides direction to federal departments and agencies that have roles in cyberspace security and identifies steps that state and local governments, private companies and organizations, and individual Americans can take to improve our collective cybersecurity. In addition, the cyberspace strategy identifies DHS as the central coordinator for cyberspace security efforts. As such, DHS is responsible for coordinating and working with other federal and nonfederal entities that are involved in cybersecurity. The cyberspace strategy is organized according to five national priorities, and it identifies major actions and initiatives for each. The five priorities are (1) providing national cyber analysis, warning, and incident response; (2) reducing cyberspace threats and vulnerabilities; (3) promoting awareness and training; (4) securing governments' cyberspace; and (5) strengthening national security and international cyberspace security cooperation. DHS Has 13 Key Cybersecurity Responsibilities: Among the many CIP roles and responsibilities established for DHS identified in federal law and policy are 13 key cybersecurity-related responsibilities. These include general CIP responsibilities that have a cyber element (such as developing national plans, building partnerships, and improving information sharing) as well as responsibilities that relate to the five priorities established by the cyberspace strategy. Table 6 provides a description of each responsibility. Table 6: Thirteen DHS Cybersecurity Responsibilities: DHS cybersecurity responsibilities: General CIP responsibilities with a cyber element: Develop a national plan for critical infrastructure protection that includes cybersecurity; Description: Developing a comprehensive national plan for securing the key resources and critical infrastructure of the United States, including information technology and telecommunications systems (including satellites) and the physical and technological assets that support such systems. This plan is to outline national strategies, activities, and milestones for protecting critical infrastructures. DHS cybersecurity responsibilities: General CIP responsibilities with a cyber element: Develop partnerships and coordinate with other federal agencies, state and local governments, and the private sector; Description: Fostering and developing public/private partnerships with and among other federal agencies, state and local governments, the private sector, and others. DHS is to serve as the "focal point for the security of cyberspace.". DHS cybersecurity responsibilities: General CIP responsibilities with a cyber element: Improve and enhance public/private information sharing involving cyber attacks, threats, and vulnerabilities; Description: Improving and enhancing information sharing with and among other federal agencies, state and local governments, the private sector, and others through improved partnerships and collaboration, including encouraging information sharing and analysis mechanisms. DHS is to improve sharing of information on cyber attacks, threats, and vulnerabilities. DHS cybersecurity responsibilities: Responsibilities related to the cyberspace strategy's five priorities: Develop and enhance national cyber analysis and warning capabilities; Description: Providing cyber analysis and warnings, enhancing analytical capabilities, and developing a national indications and warnings architecture to identify precursors to attacks. DHS cybersecurity responsibilities: Responsibilities related to the cyberspace strategy's five priorities: Provide and coordinate incident response and recovery planning efforts; Description: Providing crisis management in response to threats to or attacks on critical information systems. This entails coordinating efforts for incident response, recovery planning, exercising cybersecurity continuity plans for federal systems, planning for recovery of Internet functions, and assisting infrastructure stakeholders with cyber- related emergency recovery plans. DHS cybersecurity responsibilities: Responsibilities related to the cyberspace strategy's five priorities: Identify and assess cyber threats and vulnerabilities; Description: Leading efforts by the public and private sector to conduct a national cyber threat assessment, to conduct or facilitate vulnerability assessments of sectors, and to identify cross-sector interdependencies. DHS cybersecurity responsibilities: General CIP responsibilities with a cyber element: Support efforts to reduce cyber threats and vulnerabilities; Description: Leading and supporting efforts by the public and private sector to reduce threats and vulnerabilities. Threat reduction involves working with the law enforcement community to investigate and prosecute cyberspace threats. Vulnerability reduction involves identifying and remediating vulnerabilities in existing software and systems. DHS cybersecurity responsibilities: General CIP responsibilities with a cyber element: Promote and support research and development efforts to strengthen cyberspace security; Description: Collaborating and coordinating with members of academia, industry, and government to optimize cybersecurity related research and development efforts to reduce vulnerabilities through the adoption of more secure technologies. DHS cybersecurity responsibilities: General CIP responsibilities with a cyber element: Promote awareness and outreach; Description: Establishing a comprehensive national awareness program to promote efforts to strengthen cybersecurity throughout government and the private sector, including the home user. DHS cybersecurity responsibilities: General CIP responsibilities with a cyber element: Foster training and certification; Description: Improving cybersecurity-related education, training, and certification opportunities. DHS cybersecurity responsibilities: General CIP responsibilities with a cyber element: Enhance federal, state, and local government cybersecurity; Description: Partnering with federal, state, and local governments in efforts to strengthen the cybersecurity of the nation's critical information infrastructure to assist in the deterrence, prevention, preemption of, and response to terrorist attacks against the United States. DHS cybersecurity responsibilities: General CIP responsibilities with a cyber element: Strengthen international cyberspace security; Description: Working in conjunction with other federal agencies, international organizations, and industry in efforts to promote strengthened cybersecurity on a global basis. DHS cybersecurity responsibilities: General CIP responsibilities with a cyber element: Integrate cybersecurity with national security; Description: Coordinating and integrating applicable national preparedness goals with its National Infrastructure Protection Plan. Source: GAO analysis of the Homeland Security Act of 2002, the Homeland Security Presidential Directive-7, and the National Strategy to Secure Cyberspace. [End of table] DHS Has Established an Organizational Structure to Fulfill Its Cybersecurity Requirements: In June 2003, DHS established the National Cyber Security Division (NCSD), under its Information Analysis and Infrastructure Protection Directorate, to serve as a national focal point for addressing cybersecurity issues and to coordinate implementation of the cybersecurity strategy. NCSD also serves as the government lead on a public/private partnership supporting the U.S. Computer Emergency Response Team (US-CERT) and as the lead for federal government incident response. NCSD is headed by the Office of the Director and includes a cybersecurity partnership program as well as four branches: US-CERT Operations, Law Enforcement and Intelligence, Outreach and Awareness, and Strategic Initiatives. Table 7 displays the NCSD organization chart and the major functions of each organization; it is followed by a brief description of each organization's roles and responsibilities. Figure 2: NCSD Organization Chart: [See PDF for image] [End of figure] NCSD/US-CERT Director: The NCSD/US-CERT Director is responsible for issues related to the operation of the NCSD, such as human resources, policy, and budget, as well as international coordination efforts. The director is responsible for managing US-CERT--which is a partnership between NCSD and the public and private sectors to make cybersecurity a coordinated, national effort; increase public awareness of cyber threats and vulnerabilities; and improve computer security preparedness and response to cyber threats. DHS Cyber Security Partnership Program: This program is to foster effective public/private partnership among and between industry, government, and academia. It is intended to facilitate and leverage stakeholder collaboration to drive measurable progress in addressing cybersecurity issues and mitigating cyber vulnerabilities. Under the auspices of the partnership program, DHS works jointly with software developers, academic institutions, researchers, and communities of interest--including the information sharing and analysis centers (ISAC)--as well as with DHS's federal, state, local, and international government counterparts. US-CERT Operations Branch: NCSD's US-CERT Operations branch focuses on situational awareness, analytical cells, and federal coordination. It is to provide capabilities to US-CERT and coordinate all cyber incident warnings and responses across both the government and the private sector through US- CERT. A key component of US-CERT is the National Cyber Security Response System (Response System), which provides a nationwide, real- time collaborative information-sharing network to enable communication and collaboration among DHS and federal, state, local, and international government and law enforcement entities. Components of the Response System include the following: * The US-CERT Operations Center serves as a 24-hour-a-day/7-day-a-week, real-time focal point for cybersecurity, conducting daily conference calls with U.S.-based watch and warning centers to share classified and unclassified security information. * The US-CERT Portal provides a Web-based collaborative system that allows US-CERT to share sensitive cyber-related information with members of government and industry. * The US-CERT Control Systems Security Center serves as an operational and strategic component of US-CERT's capability to address the complex security issues associated with the use of control systems. * The US-CERT public Web site provides government, the private sector, and the public with information they need to improve their ability to protect their information systems and infrastructures. * The National Cyber Alert System is to deliver targeted, timely, and actionable information to Americans to allow them to secure their computer systems. * The National Cyber Response Coordination Group brings together officials from federal agencies to coordinate public/private cyber preparedness and incident response.[Footnote 14] * The Government Forum of Incident Response and Security Teams is a community of government response teams that are responsible for securing government information technology systems. This forum works to understand and handle computer security incidents and to encourage proactive and preventative security practices. Law Enforcement and Intelligence Branch: The Law Enforcement and Intelligence branch of NCSD has two primary responsibilities: managing the National Cyber Response Coordinating Group and facilitating the coordination of law enforcement and intelligence cyber-related efforts for NCSD. This branch provides a mechanism for information sharing among the components concerned with cyber issues of law enforcement, intelligence, and the private sector. This information sharing includes all levels of information (classified, law enforcement sensitive, and unclassified). The branch coordinates clearing classified information of its sensitive content and shares it with private sector partners. Outreach and Awareness Branch: NCSD's Outreach and Awareness branch is responsible for outreach, awareness, and messaging. The branch promotes cybersecurity awareness among the general public and within key communities, maintains relationships with governmental cybersecurity professionals to coordinate and share information about cybersecurity initiatives, and develops partnerships to promote public/private coordination and collaboration on cybersecurity issues. The branch is organized into three functional areas: Stakeholder Outreach, Communications and Messaging, and Coordination. The Stakeholder Outreach team serves to build and maintain relationships among and between industry, government, and academia in order to raise cybersecurity awareness and secure cyberspace. The Communications and Messaging team focuses on coordination of internal and external communications. The Coordination team works to ensure collaboration on events and activities across NCSD and with other DHS entities, including the public affairs, legislative affairs, and private-sector offices and others, as appropriate. In addition, the team works to foster the department's role as a focal point and coordinator for securing cyberspace and implementing the National Strategy to Secure Cyberspace. Strategic Initiatives Branch: NCSD's Strategic Initiatives branch is organized into six teams with different responsibilities, as follows: * The CIP Cybersecurity team is jointly responsible (with DHS's National Communications System) for developing a CIP plan for the Information Technology (IT) Sector, including the Internet, that will identify critical assets and vulnerabilities, map interdependencies, and promote cyber awareness throughout other federal sector plans. * The Control Systems team is responsible for facilitating control system incident management and security awareness, establishing an assessment capability for vulnerability reduction and incident response, creating a self-sustaining security culture within the control systems community, focusing attention on the protection of legacy control systems, and making strategic recommendations for the future of control systems and security products. * The Software Assurance initiative presents a framework for promoting and coordinating efforts to improve the security, reliability, and safety of software. * The Training and Education team is responsible for promoting the development of an adequate number of effective cybersecurity professionals, enhancing cybersecurity capability within the federal workforce by identifying the skills and abilities necessary for specific job tasks, and working with other organizations to develop content standards for training products and for certifications. * The Exercise Plans and Programs team is charged with improving the nation's ability to respond to cyber incidents by creating, sponsoring, and learning from international, national, regional, and interagency exercises. The team is responsible for planning and coordinating cybersecurity exercises with internal and external DHS stakeholders. * The Standards and Best Practices/Research and Development Coordination team works to encourage technology innovation efforts. The team is responsible for identifying cybersecurity research and development requirements and cybersecurity standards issues and for assembling and distributing information on best practices. NCSD Collaborates with Other DHS Entities to Accomplish Its Mission: DHS has additional directorates, branches, and offices with CIP responsibilities. In its role as the cybersecurity focal point, NCSD collaborates with these other DHS entities, including the Infrastructure Coordination Division, which runs the Protected Critical Infrastructure Information program to encourage sharing of sensitive information (including cybersecurity-related information), and the National Communications System, a federal interagency group, which is responsible for, among other things, improving the effectiveness of the management and use of national telecommunications resources to support the federal government during emergencies. In appendix II, we discuss other DHS entities with responsibilities for CIP-related activities that impact cybersecurity. DHS Has Initiated Efforts That Begin to Address Its Responsibilities, but More Work Remains: DHS has initiated efforts that begin to address each of its 13 key responsibilities for cybersecurity; however, the extent of progress varies among these responsibilities, and more work remains to be done on each. For example, DHS (1) has recently issued an interim plan for infrastructure protection that includes cybersecurity plans, (2) is supporting a national cyber analysis and warning capability through its role in US-CERT, and (3) has established forums to build greater trust and to encourage information sharing among federal officials with information security responsibilities and among various law enforcement entities. However, DHS has not yet developed national cyber threat and vulnerability assessments or developed and exercised government and government/industry contingency recovery plans for cybersecurity, including a plan for recovering key Internet functions. The department also continues to have difficulties in developing partnerships, as called for in federal policy, with other federal agencies, state and local governments, and the private sector. Without such partnerships, it is difficult to develop the trusted, two-way information sharing that is essential to improving homeland security. We discuss below the steps that DHS has taken related to each of the department's 13 key responsibilities and the steps that remain. DHS Recently Issued National Plan For Improving Critical Infrastructure Protection That Includes Cybersecurity, but This Plan Is Not Yet Comprehensive and Complete: In February 2005, DHS issued a national plan for critical infrastructure protection that includes cybersecurity-related initiatives. This plan, the Interim National Infrastructure Protection Plan (Interim NIPP), addresses many of the requirements identified in federal law and policy, but it does not yet comprise a comprehensive and complete plan. Specifically, the Interim NIPP provides a strategy for protecting critical infrastructures by integrating physical security and cybersecurity in its goals, objectives, and planned actions. Key actions include developing and implementing sector-specific and cross- sector protection plans; conducting cross-sector interdependency analysis; conducting and updating vulnerability assessments at the asset, sector, and cross-sector levels; and establishing performance metrics. In addition, the Interim NIPP establishes a national organizational structure to provide effective partnerships, communications, and coordination between DHS and infrastructure stakeholders. However, the plan does not yet comprise the comprehensive national plan envisioned in federal law and policy, for several reasons, including the following. * The Interim NIPP lacks sector-specific cybersecurity plans. This plan does not yet include detailed plans for addressing cybersecurity in the infrastructure sectors. Agency officials acknowledge that many of the detailed plans for addressing cybersecurity will be included in the sector-specific annexes that are to be provided in the next version of the plan. To ensure that cybersecurity will be appropriately and consistently addressed in the next version of the plan, NCSD has provided guidance to sector-specific agencies regarding the inclusion of cybersecurity issues in their respective sector-specific plans. In addition, NCSD continues to review and provide feedback on the sector- specific plans, which will become annexes to the next NIPP. * The Interim NIPP is not yet a final plan. The development of this plan is an ongoing, evolving process that requires the participation of key stakeholders, including other federal agencies, state and local governments, the private sector, foreign countries, and international organizations. DHS expects to obtain and incorporate stakeholder comments and to issue a more complete NIPP in November 2005. * The Interim NIPP lacks required milestones. Specifically, this plan does not include any national-level milestones for completing efforts to enhance the security of the nation's critical infrastructures. According to a DHS official, these milestones will be incorporated in the sector-specific plans. DHS acknowledges the need to address these issues with the Interim NIPP and plans to do so in subsequent versions. According to DHS officials, as the NIPP evolves and as the sector-specific plans are developed, the level of specificity will increase to include key initiatives and milestones. DHS Has Taken Positive Steps Toward Building Partnerships and Improving Information Sharing, but Additional Work Is Needed: DHS has undertaken numerous initiatives to foster partnerships and enhance information sharing with other federal agencies, state and local governments, and the private sector about cyber attacks, threats, and vulnerabilities; but more work is needed to address underlying barriers to sharing information. DHS and NCSD have multiple initiatives under way to enhance partnerships and information sharing. Descriptions of selected initiatives are provided in table 7. Table 7: DHS Partnership and Information-Sharing Initiatives: Initiative: National Cyber Response and Coordination Group; Description: * Facilitates coordination of intragovernmental and public/private preparedness and operations in order to respond to and recover from incidents that have significant cyber consequences; * Brings together officials from national security, law enforcement, defense, intelligence, and other government agencies that maintain significant cybersecurity responsibilities and capabilities. Initiative: National Cyber Security Response System; Description: * Provides a nationwide, real-time, collaborative information-sharing network that enables state and local government officials, federal agencies, the private sector, international counterparts, and law enforcement entities to communicate and collaborate with DHS and each other about cyber issues; * Includes a number of different mechanisms for sharing information between and among federal and nonfederal entities, including the US- CERT operations center, the US-CERT portal, the US-CERT Control Systems Security Center, the US-CERT public Web site, and the National Cyber Alert System. Initiative: Expanded use of Cyber Warning Information Network; Description: * Expands DHS's use of the Cyber Warning Information Network, a private communications network (voice and data) with no logical dependency on the Internet or the public switched network in order to provide a backup mechanism for information sharing. Initiative: Government Forum of Incident Response and Security Teams; Description: * Brings together technical and tactical practitioners from government agency security response teams. Forum members work together to understand and handle computer security incidents reported by federal agencies and to encourage proactive and preventative security practices; * Shares specific technical details regarding incidents within a trusted U.S. government environment on an agency-to- peer level. Initiative: Chief Information Security Officers Forum; Description: * Brings together federal officials responsible for the information security of their respective agencies and provides a trusted venue for them to collaborate; leverage each other's experiences, capabilities and programs, and lessons learned; and address and discuss particularly problematic or challenging areas. Initiative: DHS Cyber Security Partnership Program; Description: * Develops and enhances strategic partnerships with 32 industry associations and hundreds of small, medium, and large enterprises, establishing an outreach channel of over 1 million constituents; * Facilitates improved information sharing, including the interchange of lessons learned and best practices. Initiative: ISAC partnerships; Description: * Enhances partnerships with the ISACs--including the ISACs for electricity, telecommunications, and states, and with information technology vendors. DHS officials reported that all of the critical infrastructure sectors' ISACs are part of the US-CERT portal and that they participate in information sharing exercises--including regularly scheduled daily or biweekly meetings. Initiative: US-CERT Control Systems Security Center Outreach; Description: * Fosters public/private collaboration to improve the security of critical infrastructure control systems. NCSD reports that it has established relationships with more than 25 potential partners for future participation in the center. Initiative: Internal DHS collaboration; Description: * Entails NCSD collaborating with the Protected Critical Infrastructure Information program office to establish procedures for the private sector to electronically submit critical infrastructure information. These offices have developed a process for companies and other entities to use to facilitate sharing protected information on a continual basis. Source: GAO analysis based on DHS information. [End of table] Although NCSD has taken steps to develop partnerships and information- sharing mechanisms, the organization has not effectively leveraged its partnerships to increase the sharing of information. For example, although the Multi-State ISAC and US-CERT have established an effective working relationship, according to officials from both organizations, their ability to share classified information has been hindered by ISAC members' lack of security clearances. Further, DHS officials reported that only limited information has been shared by the private sector under the Protected Critical Infrastructure Information program[Footnote 15] because of private sector concerns about what information DHS would share with other federal agencies. Additionally, key stakeholders in NCSD partnerships have expressed concerns about information sharing. For example, while officials from several CIP-related federal agencies found the Chief Information Security Officers forum to be valuable, officials from one agency stated that it had been largely ineffective in improving communications among federal agencies. Regarding NCSD's efforts with the private sector, one ISAC reported publicly that its information sharing with DHS was disintegrating. Further, a representative from that ISAC stated that DHS had abruptly stopped sending notices to ISAC managers and no longer called the ISAC about new terrorism activity. Further, an ISAC official stated that when the ISAC recently contacted DHS's Homeland Security Operations Center about rumors of a dirty bomb during a national event, ISAC officials were told to obtain the information from the media. Issues related to the development of partnerships and of appropriate information-sharing relationships are not new. In July 2004, we recommended actions to improve the effectiveness of DHS's information- sharing efforts.[Footnote 16] We recommended that officials within the Information Analysis and Infrastructure Protection Directorate (1) proceed with and establish milestones for developing an information- sharing plan and (2) develop appropriate DHS policies and procedures for interacting with ISACs, sector coordinators (groups or individuals designated to represent their respective infrastructure sectors' CIP activities), and sector-specific agencies and for coordination and information sharing within the Information Analysis and Infrastructure Protection Directorate and other DHS components. Moreover, we recently designated establishing appropriate and effective information-sharing mechanisms to improve homeland security as a new high-risk area.[Footnote 17] We reported that the ability to share security- related information can unify the efforts of federal, state, and local government agencies and the private sector in preventing or minimizing terrorist attacks. In its strategic plan for cybersecurity, DHS acknowledges the need to build better partnerships and information-sharing relationships. Among the actions that DHS identified are enhancing the US-CERT Operations Center's capabilities and increasing participation in information- sharing mechanisms such as the National Cyber Alert System. For the nonfederal sector, DHS's strategic plan for cybersecurity includes actions to develop effective public/private partnerships through associations, ISACs, Internet service providers, and improved international partnerships. For federal agency information security, the strategic plan identifies efforts to improve government mechanisms, such as the National Cyber Response Coordination Group and the Government Forum of Incident Response and Security Teams. In addition, the Interim NIPP acknowledges as a goal, the importance of building partnerships among stakeholders to implement critical infrastructure protection programs and identifies related objectives, including establishing mechanisms for coordination and information exchange among partners. DHS Provides National Cyber Analysis and Warning Capabilities but Has Not Yet Developed an Architecture to Support Strategic Capabilities, and Analytical Tools Require Further Maturity: DHS has collaborated on, developed, and is working to enhance tools and communication mechanisms for providing analysis and warning of occurring and potential cyber incidents, but it has not yet developed the indications and warning architecture required by HSPD-7, and important analytical tools are not yet mature. Through NCSD's involvement in US-CERT, DHS provides cyber analysis and warning capabilities by providing continuous operational support in monitoring the status of systems and networks. When a new vulnerability or exploit is identified, US-CERT evaluates its severity; determines what actions should be taken and what message should be disseminated; and provides information through NCSD's multiple communications channels, including its daily telephone call with other U.S.-based watch and warning centers, the US-CERT portal, the US-CERT public Web site, and the National Cyber Alert System. It produces the following types of warnings: * Technical cybersecurity alerts--provide real-time information about current security issues, vulnerabilities, and exploits. * Cybersecurity bulletins--provide technical audiences with weekly summaries of security issues and new vulnerabilities. * Cybersecurity alerts--provide nontechnical audiences with real-time information about current issues, vulnerabilities, and exploits and include steps and actions that nontechnical users can take. * Cybersecurity tips--describe common security issues and offer advice for nontechnical users. * Vulnerability notes--provide warnings about vulnerabilities that do not meet the severity threshold required to issue an alert. Additionally, when a situation warrants direct contact with a federal agency, an infrastructure sector, or a nonfederal entity, NCSD contacts the entity and provides relevant information prior to making public announcements about the situation. This includes collaborating with relevant software vendors on a particular vulnerability or exploit. DHS is also involved in several initiatives to enhance cyber analytical capabilities. Key initiatives are identified in table 8. Table 8: DHS Initiatives to Enhance Analytical Capabilities: Initiative: Intelligence sharing; Description: US-CERT serves as a conduit for sharing information from the intelligence and law enforcement communities to the civilian federal and nonfederal communities. According to an NCSD official, its law enforcement and intelligence branch works to share declassified information about threats, malicious activities, or vulnerabilities with US-CERT members. In addition, US-CERT can share information with the law enforcement and intelligence communities that might not reach these groups by other means. Initiative: Situational awareness tools; Description: NCSD's US-CERT Einstein Program, which is currently in pilot testing at the Department of Transportation, is to obtain network flow data from federal agencies and analyze the traffic patterns and behavior. This information is to be combined with other relevant data to (1) detect potential deviations and identify how Internet activities are likely to affect federal agencies and (2) provide insight into the health of the Internet and suspicious activities. Initiative: Malicious Code Analysis Program; Description: This program includes (1) a laboratory for analyzing malicious code and developing countermeasures and (2) a common vulnerabilities and exposures dictionary system to correlate information across vendor products. Initiative: Cyber-incident repository; Description: NCSD officials are collaborating with multiple partners (including the Department of Defense, the intelligence community, law enforcement, academia, private industry, and the public) to develop a repository for cyber-related intelligence data. Source: GAO analysis based on DHS information. [End of table] Despite its progress in providing analysis and warning capabilities, DHS has not yet developed or deployed a national indications and warning architecture for infrastructure protection that would identify the precursors to a cyber attack, and NCSD's analytical capabilities are still evolving and are not yet robust. For example, the US-CERT Einstein program, identified in table 8, is in the early stages of deployment and is currently being pilot tested at one agency. In addition, NCSD officials acknowledge that the program's current analytical capabilities are not expected to provide national-level indicators and precursors to a cyber attack, as called for in HSPD-7's requirement that DHS provide an indications and warning architecture. DHS is still facing the same challenges in developing strategic analysis and warning capabilities that we reported on 4 years ago during a review of NCSD's predecessor, the National Infrastructure Protection Center. In 2001, we reported on the analysis and warnings efforts within the center and identified several challenges that were impeding development of an effective strategic analysis and warning capability.[Footnote 18] We reported that a generally accepted methodology for analyzing strategic cyber-based threats did not exist. Specifically, there was no standard terminology, no standard set of factors to consider, and no established thresholds for determining the sophistication of attack techniques. We also reported that the Center did not have the industry-specific data on factors such as critical systems components, known vulnerabilities, and interdependencies. We therefore recommended that the responsible executive-branch officials and agencies establish a capability for strategic analysis of computer-based threats, including developing a methodology, acquiring expertise, and obtaining infrastructure data. However, officials have taken little action to establish this capability, and therefore our recommendations remain open today. In its strategic plan for cybersecurity, DHS acknowledges that it has more to do to enhance its analytical capability and to leverage existing capabilities. Specifically, it establishes objectives and activities to: * enhance the US-CERT Operations Center capability, * expand the US-CERT Einstein Program pilot to a total of six agencies, * promote consistency across federal civilian incident-response teams, * develop a vulnerability assessment methodology and compile vulnerability information, and: * improve its coordinated cyber intelligence capability. DHS Has Improved Its Ability to Coordinate Incident Response, but More Recovery Planning and Exercises Are Needed: DHS has improved its ability to coordinate a response to cyber attacks with federal, state, and local governments and private-sector entities through the communications capabilities that it has developed for US- CERT, the continued expansion of backup communication capabilities, and the establishment of collaboration mechanisms. However, DHS's plans and exercises for recovering from attacks are not yet complete and comprehensive. As a partnership between DHS and the public and private sectors to make cybersecurity a coordinated national effort, US-CERT is an essential mechanism for coordinating information and activity on a real-time basis. US-CERT's Operations Center, secure portal, public Web site, and National Cyber Alert System not only provide means for disseminating alerts and warnings--as discussed above--but they also support incident response and recovery efforts. Additionally, DHS is expanding its incident response and recovery capabilities through the use of the Critical Infrastructure Warning Information Network, a survivable communications network that does not rely on public telecommunications networks or the Internet. DHS has installed these network terminals in key government network operations centers, in several private industry network operations centers, and in the United Kingdom's National Infrastructure Security Coordination Centre. In addition, it is considering placing additional network nodes at critical government agencies, companies, and trusted foreign partners. Additional initiatives to expand incident response and recovery capabilities, including mechanisms for collaboration, are identified in table 9. Table 9: Incident Response and Recovery Initiatives: Initiative: National Cyber Response Coordination Group; Description: The National Cyber Response Coordination Group was formalized in the Cyber Annex of the National Response Plan and is cochaired by NCSD, the Department of Justice's Computer Crime and Intellectual Property Section, and the Department of Defense. In the event of a significant incident (including cyber incidents and physical incidents that affect cyber networks), this group would play a major role in coordinating responses and recovery planning. Specifically, it is expected to develop and provide a strategic assessment of the impact on the information infrastructure and a coordinated response, through its close association with others in private industry, academia, and international and local governments; The National Cyber Response Coordination Group brings together officials from all agencies that have a statutory responsibility for cybersecurity and the sector- specific agencies identified in HSPD-7. The group meets monthly and is developing cyber preparedness and response plans that will help it support the overarching mission of the DHS Interagency Incident Management Group. To date, the group has conducted two exercises to test its concept of operations and communications mechanisms and has held a workshop to analyze the thresholds for convening the group. Initiative: National Exercise Program Office; Description: DHS established the National Exercise Program Office to improve response planning and coordination between public and private incident response and recovery capabilities by having them undertake exercises; To date, NCSD has sponsored several exercises that test cyber readiness in various geographic locations and critical infrastructure sectors across the nation. In September and October 2004, regional exercises were held in Seattle and New Orleans. Both exercises highlighted dependencies between cyber and physical infrastructures and interdependencies among critical infrastructures. These exercises also identified and tested the coordination and cooperation among federal, state, and local governments and the private sector that would be necessary in the case of attacks (both physical and cyber) on the critical infrastructures in those regions of the United States. According to NCSD officials, these regional exercises have pointed out the importance of regional response capabilities and have spurred activity in both regions to develop working groups to improve response capabilities within those regions; NCSD, along with DHS's Office of Domestic Preparedness, sponsored two cyber-focused tabletop exercises[A] in Connecticut and New Jersey. According to NCSD officials, these tabletop exercises offered an opportunity for key state agencies, including information technology, emergency preparedness, and law enforcement, to address cybersecurity issues and increase coordination within their state governments as well as with the federal government. In addition, NCSD prepared the cyber- related portion for the Top Officials 3 exercise, referred to as TOPOFF 3, that occurred in March and April 2005. This exercise tested not only response to attacks, but also continuity of government and operations; emergency response at the state, regional, and local levels; and containment and mitigation of chemical, nuclear, and other attacks; Further, according to NCSD officials, the NCSD Exercise Team is working closely with the National Cyber Response Coordination Group to sponsor a series of four tabletop exercises in fiscal year 2005 that are intended to mature and refine the interagency body's Concept of Operations and to accelerate the development of detailed procedures under the Cyber Annex to the National Response Plan; The lessons learned from these and other exercises will form the building blocks for an NCSD-sponsored National Cyber Exercise, CYBER STORM, planned for November 2005, which is expected to include private-sector, as well as state government, participation. Initiative: US-CERT Control Systems Security Center; Description: NCSD established the US-CERT Control Systems Security Center to reduce vulnerabilities and to respond to threats to control systems. The center compiled a list of the control system technologies in use, including the underlying platforms, so that the US-CERT could rapidly identify the impact of cyber vulnerabilities on control systems. Initiative: Internet Disruption Working Group; Description: In order to coordinate cybersecurity contingency plans, including a plan for recovering key Internet functions, DHS formed the Internet Disruption Working Group. Among other things, this group is to determine the operational dependency of critical infrastructure sectors on the Internet, assess the consequences of the loss of Internet functionality, and work with stakeholders to identify and prioritize short-term protective measures and reconstitution measures to be used in the event of a major disruption. Source: GAO analysis of DHS information. [A] A tabletop exercise is a focused practice activity that places the participants in a simulated situation requiring them to function in the capacity that would be expected of them in a real event. Its purpose is to promote preparedness by testing policies and plans and by training personnel. [End of table] While DHS has made clear progress in planning for incident response, key steps remain to be taken in order to fulfill requirements for exercising continuity plans for federal systems and for coordinating the development of government/industry contingency recovery plans for cybersecurity--as recommended in the cyberspace strategy. Specifically, DHS does not yet have plans (or associated performance measures or milestones) for testing federal continuity plans, for recovering key Internet functions, or for providing technical assistance to both private-sector and other government entities as they develop their own emergency recovery plans. Without continuity planning exercises, federal agencies will not be able to coordinate efforts to ensure that the critical functions provided by federal systems would continue during a significant event and that recovery from such an event would occur in an effective and timely manner. In addition, without plans to address the recovery of key Internet functions, it is unclear how recovery would be performed and how federal capabilities could be used to assist with recovery. In commenting on a draft of this report, NCSD officials stated that although the division is not currently sponsoring any exercises to test other department and agencies' continuity plans or plans for recovering key Internet functions, they are participating in and offering cybersecurity expertise to already existing department and agency exercises that test continuity of operations and plans for recovery. DHS Has Begun Efforts to Identify and Assess Threats and Vulnerabilities, but Much Remains to Be Done to Complete These Assessments: DHS has participated in national efforts to identify and assess cyber threats and has begun taking steps to facilitate sector-specific vulnerability assessments, but it has not yet completed the comprehensive cyber threat and vulnerability assessments--or the identification of cross-sector interdependencies--that are called for in the cyberspace strategy. In late 2003 and early 2004, DHS assisted in coordinating the cyber- related issues for the National Intelligence Estimate of Cyber Threats to the U.S. Information Infrastructure. The resulting classified document issued in February 2004 details actors (nation-states, terrorist groups, organized criminal groups, hackers, etc.), capabilities, and, where known, associated intent. National intelligence estimates provide America's highest integrated national threat assessment and are used throughout the defense, intelligence, and homeland security communities. Regarding ongoing threat identification, DHS's Infrastructure Protection Office, Information Analysis Office, and NCSD coordinate efforts on a daily basis. For example, NCSD works closely with the Information Analysis Office to coordinate the exchange of threat information, discussions of the potential threat to critical infrastructures based on reported information, and the creation of cyber-based intelligence requirements to gather additional information. In addition, as discussed earlier, information is shared between the private sector and the intelligence community through US- CERT. According to NCSD officials, because there are restrictions on the ability of some parts of the intelligence communities to collect information within the United States, information properly shared through US-CERT could help the intelligence community to develop better situational awareness. DHS has also taken a number of foundational steps toward developing the comprehensive vulnerability assessment mandated by HSPD-7. Three key initiatives are discussed below: * Development of a Baseline Methodology for Vulnerability Assessment-- As the designated entity for fulfilling DHS's responsibility as the sector-specific agency for the IT infrastructure sector, NCSD is currently identifying the IT sector's critical assets and developing a baseline methodology for performing vulnerability assessments within the sector. To do so, NCSD is studying existing vulnerability assessment methodologies with the idea of developing a flexible baseline methodology that can be used by members of the IT sector who do not yet have established methodologies. An NCSD official stated that a secondary use for this methodology would be as baseline guidance for cyber assessments across the other critical infrastructures, to be carried out by the sector-specific agencies and their sectors. * Development of a Cyber Assessment Template--NCSD is assisting DHS's Information Analysis and Infrastructure Protection Directorate's Protective Security Division by developing a cyber assessment template for their "site assistance visits" to be used to assess the security of critical infrastructure facilities. The cyber-related segment of these visits includes an assessment of process control systems, including supervisory control and data acquisition, and business information technology. According to NCSD officials, they have developed the process control template and are currently developing the business information technology template. * Development of Sector Guidance--As the subject matter expert for the cyber aspects of the National Infrastructure Protection Plan and associated sector-specific plans, NCSD has developed and distributed guidance to assist sector-specific agencies in addressing the cyber components of their sectors. While NCSD's plans are focused on important issues, it has not yet completed the national cyber threat assessment and the sector vulnerability assessments--or the identification of cross-sector interdependencies--that are called for in the cyberspace strategy. Further, its assessment efforts are still in early stages. For example, according to an NCSD official, efforts to develop a vulnerability assessment methodology for the IT Sector are in early development. As part of its next steps, NCSD plans to involve the private sector in completing the methodology and then give a larger group of stakeholders in the IT Sector an opportunity to review and comment on it. NCSD also plans to assist the IT sector in conducting its cybersecurity-related vulnerability assessment. Once these assessments are complete, NCSD plans to coordinate a thorough analysis of the impact that interdependencies have on sectors and entities within the sectors. The Interim NIPP and DHS's strategic plan for cybersecurity acknowledge that much remains to be done in the areas of threat and vulnerability assessment. The Interim NIPP recognizes that DHS is responsible for analyzing specific threats, providing threat warnings, and conducting general threat assessments. It also reports that the Information Analysis and Infrastructure Protection Directorate's Office of Infrastructure Protection will conduct vulnerability assessments for a number of purposes, including investigating interdependencies, filling selected gaps, and testing new methodologies. Additionally, one of NCSD's strategic goals is to work with the public and private sectors to reduce vulnerabilities and to minimize the severity of cyber attacks. As part of this goal, NCSD plans to define and execute methodologies to identify critical assets and to identify and assess vulnerabilities. It established a milestone of developing a vulnerability assessment methodology for the IT Sector by the third quarter of fiscal year 2005. However, neither DHS nor NCSD has defined plans, performance measures, or milestones for completing the required national cyber-related threat and sector vulnerability assessments, or for identifying cross-sector interdependencies. In commenting on a draft of this report, NCSD officials noted that because of the IT sector's recent formation and its complexity, NCSD has not set strict milestones or performance measures for completing plans. NCSD officials noted, however, that milestones have been set for (1) defining the sector, (2) creating a public/private collaboration mechanism, and (3) developing methodologies for identifying assets and vulnerability assessments. NCSD officials stated that these steps must be fulfilled in order to ensure accurate assessments and to identify cross-sector interdependences. Performing infrastructure sector-level vulnerability assessments and developing related remedial plans have been long-standing issues that were identified as requirements in Presidential Decision Directive 63 in 1998. From a planning perspective, it is important to perform comprehensive vulnerability assessments of all of our nation's critical infrastructures because such assessments can enable authorities to evaluate the potential effects of an attack on a given sector and then invest accordingly to protect that sector. Without a vulnerability assessment and remedial plan, it will be difficult to know with any certainty that those vulnerabilities that could cause the greatest harm--or are most likely to be exploited--have been addressed. In September 2001, we reported that substantive, comprehensive analysis of infrastructure sector vulnerabilities and the development of remedial plans had not yet been performed because sector coordinators were still establishing the necessary relationships, identifying critical assets and entities, and researching and identifying appropriate methodologies.[Footnote 19] In May 2004, we reported that some sectors had taken steps to perform sector-wide vulnerability assessments or to require individual entities to perform vulnerability assessments for their facilities and operations.[Footnote 20] However, others-- including the IT sector--still have not taken such actions. Until a comprehensive threat assessment and sector-specific vulnerability assessments are completed and cross-sector dependencies are identified, DHS cannot ensure that all threats and vulnerabilities have been identified and addressed. In commenting on a draft of this report, NCSD officials stated that because of the IT sector's recent formation and its complexity, NCSD and the sector face challenges in defining the sector, developing effective partnerships, and identifying critical assets. The officials also stated that significant progress has been made in developing methodologies to identify assets and assess vulnerabilities in the IT sector; however, continued collaborative efforts are necessary to ensure that all threats and vulnerabilities are identified and addressed. DHS Has Several Threat and Vulnerability Reduction Efforts Under Way, but More Action Is Needed: DHS has initiated efforts to reduce threats by enhancing its collaboration with the law enforcement community and to reduce vulnerabilities by shoring up guidance on software and system security, but much remains to be done. To support efforts to reduce cyber threats, NCSD has restructured its organization to improve its coordination with the law enforcement community and has initiated numerous outreach initiatives. Specifically, NCSD restructured its organization to establish a law enforcement and intelligence branch. It currently has representatives from the cyber components of five different agencies: the National Security Agency, U.S. Immigration and Customs Enforcement, U.S. Secret Service, Federal Bureau of Investigation, and Central Intelligence Agency. This branch provides an information-sharing mechanism among the intelligence, law enforcement, and network security communities. For example, there have been at least two instances where the intelligence community had discovered cyber-related issues that it wanted to report to the public, but it was unable to do so because it would potentially reveal sources and methods, according to an NCSD official. In those cases, NCSD and the intelligence community collaborated to develop and release a public alert that conveyed the threat without revealing sensitive information. In addition, the law enforcement and intelligence branch has provided information from the law enforcement community to the intelligence community. For example, according to an NCSD official, in August 2004, the organization received information about a potential software vulnerability from a law enforcement partner that it shared with the intelligence community. Additionally, NSCD's law enforcement and intelligence branch has taken steps to improve its domestic and international outreach efforts to support threat reduction; and, according to an NCSD official, the interaction and coordination among the branch and other agencies on cyber-related issues have been effective. Key outreach initiatives include the following: * Within the federal government, NCSD's law enforcement and intelligence branch has developed a relationship with other law enforcement entities, including entities within the Departments of Energy and Defense and the federal inspector general community. * DHS supports the Cybercop Portal, which is a secure, internet-based information-sharing mechanism that allows members of local, state, and federal government law enforcement organizations to discuss issues related to electronic/cyber crime and threat reduction. At the time of our review, according to an NCSD official, there were over 6,000 members from the 50 states, most government agencies, and over 40 countries. * According to an NCSD official, NCSD has entered into a partnership with the Department of Justice's Bureau of Justice Statistics to conduct a joint survey to study the amount and scope of cyber crime in the United States. The survey will be distributed to 36,000 businesses, including small businesses covering all critical infrastructure sectors. * NCSD is reviewing the possibility of enhancing the U.S. computer crime statute (18 U.S.C. 1030). Specifically, according to NCSD officials, it is trying to determine the effect of criminalizing the development and possession (with criminal intent) of malicious computer code, such a change would provide law enforcement with a proactive mechanism to address certain cyber crimes. NCSD has entered into preliminary discussions with the Department of Justice's Computer Crimes and Intellectual Property Section and with other federal, state, and local law enforcement agencies. In addition, NCSD has solicited opinions from the private sector and from academia. To reduce vulnerabilities, NCSD is encouraging the development of better quality and more secure software. It has established a plan targeting four areas: (1) people (including software developers and users), (2) processes (including best practices and practical software development guidelines), (3) software evaluation tools, and (4) acquisition--creating software security improvements through acquisition specifications and guidelines. To accomplish its plans, NCSD has undertaken the following initiatives: * NCSD has hosted and cohosted various forums and workshops that focused on topics such as developing a common body of knowledge for software assurance and improving the quality, reliability, and dependability of software. For example: * NCSD has hosted three workshops, with subject matter experts from academia and the private sector, to begin the process of developing a common body of knowledge on software assurance that could be used by educators across the country to develop curricula for academic programs in software engineering, information assurance, and various other disciplines. * DHS and the Department of Defense have cosponsored two Software Assurance Forums to bring together representatives from industry, government, and academia to address the challenges in software security and quality. * NCSD is inventorying existing software assurance-related efforts in public and private industry to develop and publish practical guidance, reference materials, and best practices for training software developers. * NCSD is conducting a software assurance security tools evaluation to support and promote the development of technological advances in software assurance. In coordination with the National Institute of Science and Technology, NCSD has created a set of studies and experiments to measure the effectiveness of various tools and classes of tools. * NCSD is working with the Department of Defense and other government agencies to examine successful models and to develop and publish best practices for acquisition language and evaluation. NCSD also is working to develop and publish common or sample statement of work/procurement language, which includes provisions on liability, for federal acquisition managers. * According to an NCSD official, the organization has also formed a working group to address the issue of preventing a major disruption on the Internet. The working group is composed of federal agencies with an interest in preventing a major interruption on the Internet. These agencies are the Department of the Treasury, the Department of Defense, the National Communication System, and NCSD (including US-CERT and CERT/CC). The working group has also tried to include key private- sector individuals. The group's initiatives include efforts to (1) create various scenarios for disruptions in order to determine whom to work with to solve the problem, how to respond and what to do, and what protective measures should be put in place; and (2) determine what infrastructure sectors are functionally dependent on the Internet. While NCSD has many efforts under way to coordinate threat reduction activities, it is limited in what it can do on vulnerability reduction until the cyber-related vulnerability assessments (discussed in the previous section) are completed. Since DHS is now planning a methodology for conducting vulnerability assessments, it will likely be some time before stakeholders can conduct the assessments--and even longer before they are able to develop a comprehensive plan for reducing vulnerabilities. In its strategic plan for cybersecurity, DHS acknowledges that there is more to do to coordinate both threat and vulnerability reduction efforts. Specifically, NCSD has established a strategic goal to coordinate with the intelligence and law enforcement communities to identify and reduce threats to cyberspace. As part of this goal, NCSD identified a number of actions to improve the available information on cyber incidents, publish the results of the planned cyber incident survey, improve the Cybercop Portal, and reach out to other law enforcement entities. Regarding vulnerability reduction, NCSD has established a goal to reduce vulnerabilities and a list of action items, including actions to improve the security within the IT infrastructure sector; to address cybersecurity issues for control systems; to improve software assurance efforts; and to promote cybersecurity standards and best practices. DHS Is Collaborating on Cybersecurity Research and Development, but a Comprehensive Plan and Associated Milestones are Not Yet in Place: DHS is collaborating with the Executive Office of the President's Office of Science and Technology Policy and with many other federal departments and agencies, including the Departments of Agriculture, Commerce, Defense, and Energy, to develop a national research and development plan for CIP, including cybersecurity. However, a complete plan is not yet in place, and the milestones for key activities under this plan have not yet been developed. NCSD coordinates with DHS's Science and Technology Directorate to develop (1) the Cyber Security Research and Development Portfolio and (2) the CIP Portfolio that targets process control system security and includes some research and development projects. Research programs include efforts to develop operational analysis tools to enhance the security of domain name systems, establish secure routing protocols, and improve Internet security. In addition, NCSD participates in the Critical Information Infrastructure Protection Interagency Working Group, which is cochaired by the Executive Office of the President's Office of Science and Technology Policy and DHS's Science and Technology Directorate, to identify critical cyber research and development requirements for inclusion in the federal research and development effort. As part of this requirement identification process, NCSD determines where the private sector has already done research and development, in order to minimize overlap and wasted effort. An NCSD official reports that requirements come from software developers and from the agency's work with industry, academia, and other government agencies. Although DHS is working to identify cyber research requirements and to support and coordinate cybersecurity-related research and development projects, the working group cochaired by DHS and the Executive Office of the President's Office of Science and Technology Policy that was required to lead the effort to issue a national research and development plan for CIP (including cybersecurity) has not yet developed a comprehensive plan. Also, while the Interim NIPP acknowledges the importance of research and development to a variety of cybersecurity initiatives--including improving Internet security protocols and developing a next generation security architecture featuring autonomic, self-aware, and self-healing systems--it does not identify goals or milestones associated with developing a prioritized plan for these initiatives. In commenting on a draft of this report, DHS Science and Technology Directorate officials stated that the first public version of the national research and development plan supporting CIP had recently been released.[Footnote 21] They acknowledged, however, that this is a baseline plan and does not include an investment plan and road map that are to be added next year. In addition, these officials commented that milestones have not yet been established because planning activities are in progress. DHS Has Made Progress in Implementing an Awareness and Outreach Strategy, but More Remains to Be Done: DHS has made progress in increasing cybersecurity awareness by implementing numerous awareness and outreach initiatives, but the effectiveness of its activities is unclear because many CIP stakeholders are still uncertain of DHS's cybersecurity roles. Table 10 identifies key DHS awareness and outreach initiatives. Table 10: DHS Cybersecurity Awareness and Outreach Initiatives: Initiative: National Cyber Alert System; Description: DHS established the National Cyber Alert System (NCAS) to deliver targeted, timely, and actionable information to the public on how to secure computer systems. Information provided by the alert system is designed to be understandable by all computer users, both technical and nontechnical. More than 270,000 users have subscribed to the system and are receiving regular alerts and updates that enhance their ability to prepare for, mitigate, and respond to adverse cyber events. To date, NCAS has issued several alerts as well as "best practices" and "how-to" guidance messages. In addition, its "cyber tips" help to educate home users on basic security practices and increase overall awareness. Initiative: US-CERT public Web site; Description: DHS manages the US- CERT public Web site, which provides information on cyber incidents and cybersecurity. According to NCSD officials, it receives about 3.5 million hits per month. Initiative: National Cyber Security Awareness Month; Description: DHS partnered with the public and private sector to establish October as the National Cyber Security Awareness Month and participated in activities to raise awareness of cybersecurity nationwide. Initiative: Webcasts; Description: In partnership with the Multi-State ISAC, NCSD has hosted a series of national Webcasts that examine critical and timely cybersecurity issues. The Chair of the Multi-State ISAC stated that the recent Webcasts have been viewed by over 3,000 individuals from nine countries. Initiative: National Cyber Security Alliance/StaySafeOnline Program; Description: DHS, along with other federal and private sector organizations, sponsors the National Cyber Security Alliance, a public/private partnership to promote cybersecurity and safe behavior online. It provides tools and resources through the StaySafeOnline program, a Web site for home users, small businesses, and educational institutions. Initiative: Cybersecurity awareness brochures; Description: NCSD is developing informational materials to promote cybersecurity awareness, including brochures, fact sheets, and an electronic newsletter. Source: GAO analysis of DHS information. [End of table] Although DHS has an active awareness and outreach program under way, more remains to be done to expand awareness of the department's roles, responsibilities, and capabilities. Multiple CIP stakeholders have reported that they were unaware of DHS's cybersecurity responsibilities. For example, officials from one federal agency indicated they have not independently interacted with NCSD about their sector's cybersecurity efforts. In addition, at a recent regional security exercise, state and local government officials were not clear on DHS's role in cybersecurity. NCSD acknowledges that it has more to do to expand awareness of its cybersecurity roles and capabilities and to increase its outreach efforts. In its strategic plan for cybersecurity, DHS has outlined goals, objectives, activities, and milestones for improving in these areas. DHS Has Made Progress in Its Efforts to Encourage Cybersecurity Education but Lags in Developing Certification Standards: DHS has initiated multiple efforts to improve the education of future cybersecurity analysts, but much work remains to be done to develop certification standards. Key DHS cyber education initiatives are listed in table 11. Table 11: Key Initiatives in Cybersecurity Education: Initiative: National Centers of Academic Excellence in Information Assurance; Description: DHS and the National Security Agency cosponsor the National Centers of Academic Excellence in Information Assurance Program to reduce vulnerabilities in our national information infrastructure by promoting higher education in information assurance and producing a growing number of professionals with information assurance expertise in various disciplines. Under this program, 4-year colleges and graduate-level universities are eligible to apply to be designated as a National Center of Academic Excellence in Information Assurance Education. Colleges and universities that achieve this designation receive formal recognition from the U.S. government and are eligible to apply for scholarships and grants through the Department of Defense Information Assurance Scholarship Program and the Federal Cyber Service Scholarship for Service Program. Initiative: Scholarship for Service program; Description: DHS and the National Science Foundation cosponsor the Scholarship for Service program, which is also known as the Cyber Corps program. This program provides scholarship grant money to selected universities to fund the final 2 years of student bachelors, masters, or doctoral study in information assurance. Initiative: Job Fair; Description: In January 2005, DHS, the National Science Foundation, the federal Chief Information Officers Council, and the Office of Personnel Management cosponsored the first annual winter job fair for Scholarship for Service students in Washington, D.C. Approximately 300 students attended the job fair, representing all 26 of the colleges and universities within the Scholarship for Service program. Twenty-nine federal agencies and national laboratories, including DHS's Information Analysis and Infrastructure Protection Directorate and the Office of the Chief Information Officer, the Central Intelligence Agency, the Department of Agriculture, the National Aeronautics and Space Administration, and the Idaho National Engineering and Environmental Laboratory, attended the job fair and interviewed students. Source: GAO analysis of DHS information. [End of table] While DHS has made progress in expanding education and training in cybersecurity, it has more to do to develop baseline standards for cybersecurity certification. According to NCSD's progress report, each cyber-related industry certification currently is based on a different notion of what tasks information assurance employees perform. This leads to confusion on the part of employers when they attempt to assess what skill set they are getting when they hire a certified professional. DHS acknowledges this issue and has begun to take steps to address it. Specifically, DHS has partnered with the Department of Defense on an initiative to create a national-level job task analysis and information assurance professional skill standards. The job task analysis and skill standards are expected to identify the knowledge, skills, and abilities associated with information assurance jobs across all sectors, and to provide a clear baseline for comparing and evaluating existing industry certifications and developing future certifications. The final goal is to produce a job task analysis and skill standard that reflects all sectors, is national in scope, and can be used to compare existing professional certifications and provide for future certifications. In addition, in its strategic plan for cybersecurity, DHS identifies a number of actions and milestones for making progress in cybersecurity education, including promoting the creation of widely recognized, industry-led, vendor-neutral cybersecurity professional certifications based on a nationally recognized skill baseline. DHS Interacts with Other Entities to Enhance Intergovernmental Cybersecurity, but Concerns Exist about the Scope and Effectiveness of These Efforts: DHS supports multiple interagency groups' efforts to improve government cybersecurity through communication and collaboration, but state and local government stakeholders have expressed concerns about the scope of these efforts. DHS participates in numerous initiatives to enhance intergovernmental coordination. Key initiatives are listed in table 12. Table 12: DHS's Intergovernmental Cybersecurity Initiatives: Initiative: Chief Information Security Officers Forum; Description: NCSD created the Chief Information Security Officers Forum to "bring together federal officials responsible for the information security of their respective agencies" and provide a "trusted venue for them to collaborate, leverage one another's experiences, capabilities and programs, lessons learned, and address and discuss particularly problematic or challenging areas." This forum has established working groups to study and draft best practices for specific areas of concern, such as patch management. Initiative: National Cyber Response Coordination Group (NCRCG); Description: The National Cyber Response Coordination Group was formalized in the Cyber Annex of the National Response Plan and is cochaired by NCSD, the Department of Justice's Computer Crime and Intellectual Property Section, and the Department of Defense. It brings together agency management for response purposes during a significant national incident. The group coordinates intragovernmental and public/private preparedness and response to and recovery from national level cyber incidents and physical attacks that have significant cyber consequences. During such an incident, the NCRCG's senior level membership is responsible for ensuring that the full-range of federal capabilities are deployed in a coordinated and effective fashion. NCRCG includes members from national security, law enforcement, defense, intelligence, and other government agencies. Initiative: Government Forum of Incident Response and Security Teams (GFIRST); Description: GFIRST is a group of technical and tactical practitioners of government agency security response teams responsible for securing government information technology systems. Initiative: Federal Information Notice; Description: NCSD established Federal Information Notices to disseminate information to relevant federal authorities, such as federal chief information officers, federal chief information security officers, information system security managers and officers, system administrators, and other federal employees and contractors. The notices are to help keep federal agencies and departments aware of emerging threats and vulnerabilities, as well as to provide them with the information needed to mitigate, respond to, and recover from cyber attacks. DHS reports that the notices provide warnings of Internet security problems and offer explanations of potential problems that have not yet become serious enough to warrant public alert. Initiative: Office of Management and Budget's Security Line of Business Group; Description: NCSD is the cochair of the Office of Management and Budget's recently formed security line of business effort. It is an effort to raise the level of cybersecurity posture of federal agencies and save funds by coming up with common security solutions across the government. Initiative: Coordination with states; Description: DHS interacts with state governments through the Multi- State ISAC. Formed in 2003, this ISAC provides a central resource for gathering information on cyber threats to critical infrastructure from the states and providing two- way sharing of information between and among the states and ultimately with local government. The Multi-State ISAC also analyzes information and intelligence to support readiness and response efforts by federal, state, and local first responders and law enforcement. DHS, including NCSD, DHS's Office of State and Local Government Coordination, and US- CERT, are included in this ISAC's monthly conference calls. The ISAC also partners with NCSD on a national Webcast for increased awareness and education. Multi-State ISAC officials reported that DHS provides information that is useful and actionable for the state government sector; In addition, NCSD cosponsored a State of the State Conference with the National White Collar Crime Center that brought together state cyber enforcement officials to discuss (1) cyber activities in their respective states, (2) successful and unsuccessful mechanisms used to address cyber activities, and (3) ways that NCSD can assist states in their cybersecurity activities. Initiative: Incident support; Description: DHS supports individual government entities, providing resources and expertise during major incidents. For example, according to NCSD officials, the organization recently provided direct support to a state that had suffered a serious cybersecurity incident. NCSD's support included sending a team of experts to provide on-site resources, coordinating with federal law enforcement and intelligence communities, and providing advice for security practice improvements. In addition, NCSD officials stated that they had provided similar support to federal agencies. Source: GAO analysis of DHS information. [End of table] While DHS has made concerted efforts to form and support intergovernmental partnerships, several governmental entities have expressed concerns about the scope of these efforts and their effectiveness. For example, officials representing a state government organization noted that DHS has not provided adequate attention to the states regarding cybersecurity and has not included local government IT officials in cybersecurity-related discussions. State officials also noted that DHS's focus on cybersecurity has been secondary to its physical security efforts; for example, there have been only limited grants to assist states with cybersecurity. As a result, these representatives have reported that there is a "fundamental lack of appreciation" for cybersecurity by state and local governments. The Interim NIPP and DHS's strategic plan for cybersecurity acknowledge the importance of continually enhancing the security of federal, state, and local government systems through partnerships and information sharing. For example, the Interim NIPP includes a goal to build partnerships with federal, state, local, tribal, international, and private-sector stakeholders to implement CIP programs. In addition, DHS's strategic plan for cybersecurity establishes goals, objectives, and actions that involve securing governments' cyberspace through collaboration with key stakeholders in other federal, state, and local governments and in the private sector. DHS Has Initiated Efforts in the International Community, but More Remains to Be Done: DHS is working in conjunction with other governments to promote a global culture of security but acknowledges that more remains to be done to accomplish its goals. In recent years, NCSD has participated with its international counterparts in several initiatives to improve interaction and coordination. Table 13 lists key international cybersecurity initiatives, including multilateral and bilateral efforts. Table 13: International Cybersecurity Initiatives: Multilateral initiatives: Cybersecurity Collaboration with Close Allies; Description: NCSD established and chaired three international information sharing conference calls with government cybersecurity policymakers and emergency response operations representatives from United States, United Kingdom, Australia, Canada, and New Zealand. The purpose of these calls was to share information and to establish cooperation to help participants prepare for and manage cyber incidents globally, improve overall situational awareness, and foster collaborative efforts on common strategic initiatives. According to NCSD officials, these calls led to the five countries agreeing to undertake a collaborative effort on cybersecurity/critical information infrastructure protection. Asia Pacific Economic Committee; Description: NCSD actively participates in the Committee's Telecommunications Working Group, which has engaged in (1) an outreach program to educate member countries about computer emergency response teams and (2) a capacity-building program to provide training to member countries as they develop their own computer emergency response teams. G-8 High Tech Crime Working Group; Description: NCSD participates in the G-8 High Tech Crime Working Group. For example, it sent representatives as part of the U.S. delegation to the G-8 sponsored International Exercise in New Orleans in May 2005. Organization of American States; Description: NCSD participates in the Organization of American States' work program on cybersecurity, including a cybersecurity practitioners' workshop that was held in March 2005. The program is working toward building computer emergency response capabilities and an information sharing and watch and warning framework in the hemisphere. International Watch and Warning Framework/Multilateral Conference; Description: NCSD developed and organized a multilateral conference in Berlin, Germany, which was cohosted by DHS and the German Ministry of Interior in October 2004. The conference brought together cybersecurity policy, operations, and law enforcement representatives from 15 countries[A] to discuss vision, challenges, and watch and warning models and to consider establishing an international watch and warning framework. The conference included interactive discussions and a cyber tabletop exercise, and resulted in a set of intermediate agreements for information sharing and future work toward a more mature framework. As a follow up, a working group of the participating countries met in Paris in March 2005 to pursue the action plan from the conference and to take steps to build an International Watch and Warning Network. Bilateral initiatives: Canada and Mexico; Description: NCSD has partnered with counterpart agencies in Canada and Mexico to launch new Cyber Security Working Groups to address critical information infrastructure issues of mutual concern, under the CIP Framework for Cooperation efforts with both Canada and Mexico, which are known as the Smart Border Action Plan and Border Partnership Action Plan, respectively. US-India Cyber Security Forum; Description: NCSD participates in the U.S.-India Cyber Security Forum, established in 2002. In addition, the forum created a new Watch, Warning, and Emergency Response Working Group to reflect collaboration between US-CERT and the newly established CERT-India. According to NCSD officials, the working group's action plan includes information-sharing objectives to improve situational awareness and incident response abilities between the United States and India, and to share experience and expertise on computer emergency response. U.S.-United Kingdom Joint Contact Group; Description: NCSD participates in the U.S.-United Kingdom Joint Contact Group, established between DHS and the United Kingdom's Home Office. According to NCSD officials, its action plan for cybersecurity includes information sharing and collaboration on watch and warning, threat analysis, incident response, exercise, and outreach efforts. Source: GAO analysis of DHS information. [A] Participating countries included Australia, Canada, Finland, France, Germany, Hungary, Italy, Japan, Netherlands, New Zealand, Norway, Sweden, Switzerland, United Kingdom, and the United States. [End of table] While NCSD has initiated numerous outreach and coordination efforts with the international community, important actions remain ahead. DHS's strategic plan for cybersecurity includes two objectives related to national security and international cyberspace security cooperation, to (1) create and pursue an international strategy to secure cyberspace and (2) promote collaboration, coordination, and information sharing with international communities. In addition, NCSD's January 2005 progress report described plans to work with its counterparts in Australia, Canada, New Zealand and the United Kingdom "to formulate a framework for on-going policy and operational cooperation and collaboration" that will "incorporate shared efforts on key strategic issues to address cybersecurity over the long term, including software assurance, research and development, attribution, control systems, and others." This framework is expected to enhance the allies' current information-sharing and incident-response efforts and to foster collaboration in other international activities. In commenting on a draft of this report, DHS Science and Technology Directorate officials stated that the directorate had entered into international agreements with Canada and the United Kingdom for collaborative science and technology activities and had engaged in bilateral meetings with those countries on the topic of cybersecurity research and development. NCSD Is Working to Integrate Cybersecurity with National Security, but Important Testing Remains to Be Done: DHS formed the National Cyber Response Coordination Group to coordinate the federal response to cyber incidents of national significance. It is a forum of national security, law enforcement, defense, intelligence, and other government agencies that coordinates intragovernmental and public/private preparedness and response to and recovery from national- level cyber incidents and physical attacks that have significant cyber consequences. During a significant national incident, the coordinating group's senior level membership is responsible for ensuring that the full range of federal capabilities are deployed in a coordinated and effective fashion. However, at the time of our review, there had not been a cyber incident of national significance to activate these procedures, and, according to NCSD officials, early tests of this coordination identified some lessons and showed the need to make improvements. For example, officials learned that they need to improve communication protocols and mechanisms. DHS Continues to Face Challenges in Establishing Itself as a National Focal Point for Cyberspace Security: DHS faces a number of challenges that have impeded its ability to fulfill its cyber CIP responsibilities. Key challenges include achieving organizational stability; gaining organizational authority; overcoming hiring and contracting issues; increasing awareness about cybersecurity roles and capabilities; establishing effective partnerships with stakeholders (other federal, state, and local governments and the private sector); achieving two-way information sharing with these stakeholders; and providing and demonstrating the value DHS can provide. Organizational stability: Over the last year, multiple senior DHS cybersecurity officials--including the NCSD Director, the Deputy Director responsible for Outreach and Awareness, and the Director of the US-CERT Control Systems Security Center, the Under Secretary for the Information Analysis and Infrastructure Protection Directorate and the Assistant Secretary responsible for the Information Protection Office--have left the department. Infrastructure sector officials stated that the lack of stable leadership has diminished NCSD's ability to maintain trusted relationships with its infrastructure partners and has hindered its ability to adequately plan and execute activities. According to one private-sector representative, the importance of organizational stability in fostering strong partnerships cannot be over emphasized. Organizational authority: NCSD does not have the organizational authority it needs to effectively serve as a national focal point for cybersecurity. Accordingly, NCSD officials lack the authority to represent and commit DHS to efforts with the private sector. Infrastructure and cybersecurity officials, including the chairman of the sector coordinators and representatives of the cybersecurity industry, have expressed concern that the NCSD's relatively low position within the DHS organization hinders its ability to accomplish cybersecurity-related goals. NCSD's lack of authority has led to some missteps, including DHS canceling an important cyber event without explanation and taking almost a year to issue formal responses to private sector recommendations resulting from selected National Cyber Security Summit task forces--even though responses were drafted within months. A congressional subcommittee also expressed concern that DHS's cybersecurity office lacks the authority to effectively fulfill its role. In 2004, the subcommittee proposed legislation to elevate the head of the cybersecurity office to an assistant secretary position. Among other benefits, the subcommittee reported that such a change could: * provide more focus and authority for DHS's cybersecurity mission, * allow higher level input into national policy decisions, and: * provide a single visible point of contact within the federal government to improve interactions with the private sector. Hiring and contracting: Ineffective DHS management processes have impeded the department's ability to hire employees and maintain contracts. We recently reported that since its inception, DHS's leadership has provided a foundation for maintaining critical operations while undergoing transformation.[Footnote 22] However, in managing its transformation, we noted that DHS still needed to overcome a number of significant challenges, including addressing systemic problems in human capital and acquisition systems. Federal and nonfederal officials expressed concerns with DHS's hiring and contracting processes. For example, an NCSD official reported that the division has had difficulty in hiring personnel to fill vacant positions. These officials stated that once they found qualified candidates, some candidates decided not to apply and another withdrew his acceptance because they felt that the DHS hiring process took too long. In addition, an NCSD official stated that there had been times when DHS did not renew NCSD contracts in a timely manner, requiring that key contractors work without pay until approvals could be completed and payments could be made. In other cases, NCSD was denied services from a vendor, because DHS had repeatedly failed to pay for its services. External stakeholders, including an ISAC representative, also noted that NCSD is hampered by how long it takes DHS to award a contract. Awareness of DHS roles and capabilities: Many infrastructure stakeholders are not yet aware of DHS's cybersecurity roles and capabilities. Department of Energy critical infrastructure officials stated that the roles and responsibilities of DHS and the sector- specific agencies need to be better clarified in order to improve coordination. In addition, during a regional cyber exercise, private- sector and state and local government officials reported that the mission of NCSD and the capabilities that DHS could provide during a serious cyber-threat were not clear to them. NCSD's manager of cyber analysis and warning operations acknowledged that the organization has not done an adequate job in reaching out to the private sector regarding DHS's role and capabilities. Effective partnerships: NCSD is responsible for leveraging the assets of key stakeholders, including other federal, state, and local governments and the private sector, in order to facilitate effective protection of cyber assets. The ability to develop partnerships greatly enhances the agency's ability to identify, assess, and reduce cyber threats and vulnerabilities, establish strategic analytical capabilities, provide incident response, enhance government cybersecurity, and improve international efforts. According to one infrastructure sector representative, effective partnerships require building relationships with mutually developed goals, shared benefits and responsibilities, and tangible, measurable results. However, this individual reported that DHS has not typically adopted these principles in pursuing partnerships with the private sector, which dramatically diminishes cybersecurity gains that government and industry could otherwise achieve. For example, DHS has often informed the infrastructure sectors about government initiatives or sought input after most key decisions have been made. Also, DHS has not demonstrated that it recognizes the value of leveraging existing private sector mechanisms, such as information-sharing entities and processes already in place and working. In addition, the instability of NCSD's leadership positions to date has led to problems in developing partnerships. Representatives from two ISACs reported that turnover at NCSD has hindered partnership efforts. Additionally, IT sector representatives stated that NCSD needs continuity of leadership, regular communications, and trusted policies and procedures in order to build the partnerships that will allow the private sector to share information. Information sharing: We recently identified information sharing in support of homeland security as a high-risk area, and we noted that establishing an effective two-way exchange of information to help detect, prevent, and mitigate potential terrorist attacks requires an extraordinary level of cooperation and perseverance among federal, state, and local governments and the private sector.[Footnote 23] However, such effective communications are not yet in place in support of our nation's cybersecurity. Representatives from critical infrastructure sectors stated that entities within their respective sectors still do not openly share cybersecurity information with DHS. As we have reported in the past, much of the concern is that the potential release of sensitive information could increase the threat to an entity. In addition, sector representatives stated that when information is shared, it is not clear whether the information will be shared with other entities, such as other federal entities, state and local entities, law enforcement, or various regulators, or how it will be used or protected from disclosure. Representatives from the banking and finance sector stated that the protection provided by the Critical Infrastructure Information Act and the subsequently established Protected Critical Infrastructure Information Program is not clear and has not overcome the trust barrier. Alternatively, sector representatives have expressed concerns that DHS is not effectively communicating information with them. According to one infrastructure representative, DHS has not matched private sector efforts to share valuable information with a corresponding level of trusted information sharing. An official from the water sector noted that when representatives called DHS to inquire about a potential terrorist threat, they were told that DHS could not share any information and that they should "watch the news." Providing value: According to sector representatives, even when organizations within their sectors have shared information with NCSD, the entities do not consistently receive useful information in return. They noted that without a clear benefit, they are unlikely to pursue further information sharing with DHS. Federal officials also noted problems in identifying the value that DHS provides. According to Department of Energy officials, DHS does not always provide analysis or reports based on the information that agencies provide. Federal and nonfederal officials also stated that most of US-CERT's alerts have not been useful because the alerts lack essential details or have been based on already available information. Further, Treasury officials stated that US-CERT needed to provide relevant and timely feedback regarding the incidents reported to it. Clearly, these challenges are not mutually exclusive. That is, addressing challenges in organizational stability and authority will help NCSD build the credibility it needs in order to establish effective partnerships and achieve two-way information sharing. Similarly, effective partnerships and ongoing information sharing with its stakeholders will allow DHS to better demonstrate the value it can add. DHS has identified steps in its strategic plan for cybersecurity that can begin to address these challenges. Specifically, DHS has established goals and plans for improving human capital management, which should help stabilize the organization. Further, DHS has developed plans for communicating with stakeholders, which are intended to increase awareness of its roles and capabilities and to encourage information sharing. Also, DHS has established plans for developing effective partnerships and improving analytical and watch and warning capabilities, which could help build partnerships and begin to demonstrate added value. However, until it begins to address these underlying challenges, DHS cannot achieve significant results in coordinating cybersecurity activities and our nation will lack the effective focal point it needs to better ensure the security of cyberspace for public and private critical infrastructure systems. Conclusions: As our nation has become increasingly dependent on timely, reliable information, it has also become increasingly vulnerable to attacks on the information infrastructure that supports the nation's critical infrastructures (including the energy, banking and finance, transportation, telecommunications, and drinking water infrastructures). Federal law and policy acknowledge this by establishing DHS as the focal point for coordinating cybersecurity plans and initiatives with other federal agencies, state and local governments, and private industry. DHS has made progress in planning and coordinating efforts to enhance cybersecurity, but much more work remains to be done to fulfill its basic responsibilities--including conducting important threat and vulnerability assessments and recovery plans. As DHS strives to fulfill its mission, it faces key challenges in building its credibility as a stable, authoritative, and capable organization and in leveraging private/public assets and information in order to clearly demonstrate the value it can provide. Until it overcomes the many challenges it faces and completes critical activities, DHS cannot effectively function as the cybersecurity focal point intended by law and national policy. As such, there is increased risk that large portions of our national infrastructure are either unaware of key areas of cybersecurity risks or unprepared to effectively address cyber emergencies. Recommendations for Executive Action: In order to improve DHS's ability to fulfill its mission as an effective focal point for cybersecurity, we recommend that the Secretary of Homeland Security implement the following three steps: * engage appropriate stakeholders to prioritize key cybersecurity responsibilities so that the most important activities are addressed first, including responsibilities that are not detailed in the cybersecurity strategic plan: (1) perform a national cyber threat assessment; (2) facilitate sector cyber vulnerability assessments--to include identification of cross-sector interdependencies; and (3) establish contingency plans for cybersecurity, including recovery plans for key Internet functions; * require NCSD to develop a prioritized list of key activities for addressing the underlying challenges that are impeding execution of its responsibilities; and: * identify performance measures and milestones for fulfilling its prioritized responsibilities and for performing activities to address its challenges, and track organizational progress against these measures and milestones. We are not making new recommendations regarding cyber-related analysis and warning and cybersecurity information sharing at this time because our previous recommendations in these areas have not yet been fully implemented. Agency Comments and Our Evaluation: We received written comments on a draft of this report from DHS (see app. III). In DHS's response, the Director of the Departmental GAO/OIG Liaison Office stated that DHS agrees that strengthening cybersecurity is central to protecting the nation's critical infrastructures and that much remains to be done. In addition, DHS concurred with our recommendation to engage stakeholders in prioritizing its key cybersecurity responsibilities. The director stated that continued and expanded stakeholder involvement is critical and identified some of NCSD's significant activities--many of which are discussed in the body of this report. However, the director noted that DHS does not agree that the challenges it has experienced have prevented it from achieving significant results in improving the nation's cybersecurity posture. In addition, DHS did not concur with our recommendations to (1) develop a prioritized list of key activities for addressing the underlying challenges and (2) identify performance measures and milestones for fulfilling its prioritized responsibilities and for performing activities to address its challenges and track organizational progress. Specifically, the director reported that DHS already uses a prioritized list, performance measures, and milestones to guide and track its activities and sought additional clarification of these recommendations. The director also noted that our report makes a reference to previous recommendations involving cyber-related information sharing and strategic analysis and warning capabilities that have not been fully implemented, but he disagreed that there were any valid outstanding recommendations. Because most of the nation's information infrastructure is owned by the private-sector, developing trusted partnerships and information-sharing relationships between the federal government and the private sector are critical. We agree that DHS has initiated many efforts as a focal point for the nation's efforts to secure cyberspace and have acknowledged these in our report, but the challenges it faces- -including achieving organizational stability, achieving two-way information sharing with stakeholders, and demonstrating value--have hindered its progress to date. This view was reiterated by the federal and nonfederal stakeholders we interviewed. Regarding our recommendations, while we agree with DHS that its strategic plan for cybersecurity identifies a number of activities (along with some performance metrics and milestones) that will begin to address the challenges, this plan does not include specific initiatives that would ensure that the challenges are addressed in a prioritized and comprehensive manner. For example, the strategic plan for cybersecurity does not include initiatives to help stabilize and build authority for the organization. Further, the strategic plan does not identify the relative priority of its initiatives and does not consistently identify performance measure for completing its initiatives. As DHS moves forward in identifying initiatives to address the underlying challenges it faces, it will be important to establish performance metrics and milestones for fulfilling these initiatives. In fact, in its strategic plan for cybersecurity, DHS acknowledges that it needs to establish performance measures and milestones and to collect performance data for its key initiatives. Regarding our previous recommendations related to information sharing, DHS identified plans for fulfilling our recommendations but did not provide any evidence that these efforts were completed. For example, in November 2004, DHS reported that by June 2005, it planned to develop an information-sharing plan including the elements we recommended; however, DHS has not yet completed this plan and has not provided any evidence that this plan will include the key elements we had recommended. In addition, in regard to our recommendation that DHS develop appropriate policies and procedures for information sharing and coordination within DHS and with other federal and nonfederal entities, DHS reported that it has many information sharing initiatives and high- level documents. However, DHS did not specify any DHS-level policies or procedures for information sharing. NCSD procedures, including the US- CERT Concept of Operations and Standard Operating Procedure, were still in draft at the time of our review. Thus, these recommendations remain open. As for our previous recommendations to develop a strategic analysis and warning capability, we reported that DHS is still facing the same challenges in developing strategic analysis and warning capabilities that we reported on 4 years ago during a review of NCSD's predecessor. In 2001, we reported that a generally accepted methodology for analyzing strategic cyber-based threats did not exist. We also reported that the center did not have the industry-specific data on factors such as critical systems components, known vulnerabilities, and interdependencies. Therefore, we recommended that responsible executive- branch officials and agencies establish a capability for strategic analysis of computer-based threats, including developing a methodology and obtaining infrastructure data. In response to specific questions on these topics in April 2005, NCSD officials acknowledged that work remains to be done in developing cyber-related strategic analysis and warning capabilities. They stated that there is still no generally accepted methodology for analyzing strategic cyber-based threats and that NCSD is in the process of developing industry-specific data. In addition, these officials discussed a number of ongoing initiatives to address various aspects of the methodology. Because these efforts are incomplete, our recommendations remain open. DHS officials as well as others who were quoted in our report also provided technical corrections, which we have incorporated in this report as appropriate. We are sending copies of this report to interested congressional committees, the Secretary of Homeland Security, and other interested parties. In addition, this report will be available at no charge on GAO's Web site at [Hyperlink, http://www.gao.gov]. If you have any questions on matters discussed in this report, please contact me at (202) 512-9286, or by e-mail at [Hyperlink, pownerd@gao.gov]. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix IV. Signed by: David A. Powner: Director, Information Technology Management Issues: List of Congressional Requesters: The Honorable Joseph I. Lieberman: Ranking Member: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Christopher Cox: Chairman: The Honorable Bennie G. Thompson: Ranking Member: Committee on Homeland Security: House of Representatives: The Honorable Daniel E. Lungren: Chairman: The Honorable Loretta Sanchez: Ranking Member: Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity: Committee on Homeland Security: House of Representatives: The Honorable Tom Davis: Chairman: Committee on Government Reform: House of Representatives: The Honorable Mac Thornberry: House of Representatives: The Honorable Zoe Lofgren: House of Representatives: [End of section] Appendixes: Appendix I: Objectives, Scope, and Methodology: Our objectives were to determine (1) the Department of Homeland Security's (DHS) roles and responsibilities for cyber critical infrastructure protection (CIP) and national information security, as established in law and policy, and determine the specific organizational structures DHS has created to fulfill them; (2) the status of DHS's efforts to protect the computer systems supporting the nation's critical infrastructures and to strengthen information security both inside and outside the federal government and the extent to which such efforts and DHS's organizational structures adequately address its responsibilities; and (3) the challenges DHS faces in fulfilling its cybersecurity roles and responsibilities. To determine DHS's cyber roles and responsibilities supporting CIP, we analyzed relevant law and policy, including the Homeland Security Act of 2002, Homeland Security Presidential Directive (HSPD) 7, and the National Strategy to Secure Cyberspace. Because many of the roles and responsibilities in the law and policies are overlapping, we focused on identifying responsibilities related to cybersecurity that could be used to gauge DHS's progress and grouped them into 13 key responsibilities. We shared the 13 key responsibilities with DHS officials responsible for cybersecurity, and the officials concurred that these are important responsibilities. We also compared the key responsibilities with the activities that DHS identified in its cybersecurity plans and progress reports, to ensure that no key responsibilities were missed. To identify DHS's organizational structure for fulfilling its responsibilities, we analyzed DHS and National Cyber Security Division (NCSD) organizational charts and interviewed DHS officials. To determine the status and adequacy of DHS's efforts, we analyzed key documents, including the Interim National Infrastructure Protection Plan, NCSD's cyber strategies and plans, and NCSD's policies and procedures, and we interviewed key DHS and NCSD officials. We compared DHS's efforts and plans with the 13 responsibilities to identify what has been accomplished and what more needs to be done. In addition, we gathered documents and performed structured interviews with officials from other federal agencies with established CIP roles. We included officials responsible for each agency's efforts to enhance CIP and the officials responsible for their respective agency's information security efforts. We spoke with officials from the Departments of Agriculture; Energy; Health and Human Services (including the Food and Drug Administration); Justice (including the Federal Bureau of Investigation); the Treasury; and the Environmental Protection Agency. We also interviewed representatives from the following infrastructure sectors: banking and finance, electricity, water, and information technology. In addition, we interviewed representatives from the Information Sharing and Analysis Center (ISAC) council. We also interviewed officials from entities representing state governments, including the Multi-State ISAC and the National Association of State Chief Information Officers. To identify the challenges facing DHS and NCSD as they attempt to fulfill their cybersecurity responsibilities, we analyzed our prior work on CIP as well as reports by the cybersecurity industry that offered recommendations for improving cybersecurity and CIP. We also interviewed DHS and NCSD officials, representatives from other federal agencies with CIP roles, infrastructure sector officials, and officials of an organization representing state governments. We also observed a regional infrastructure security tabletop exercise focusing on cybersecurity and identified challenges in achieving effective collaboration among public/private partners from discussions by the participants of this exercise. We performed our work from July 2004 to April 2005 in accordance with generally accepted government auditing standards. [End of section] Appendix II: DHS Organizations with Cyber-Related Roles: DHS established NCSD as the primary organization with responsibility for cybersecurity. However, multiple other organizations have roles and responsibilities that impact cybersecurity and require close coordination with NCSD. These include the following offices and suboffices: * Information Analysis Office--which is to provide actionable intelligence essential for preventing acts of terrorism and, with timely and thorough analysis and dissemination of information about terrorists and their activities, improve the federal government's ability to disrupt and prevent terrorist acts and to provide useful warning to state and local governments, the private sector, and our citizens. * Homeland Security Operations Center--which provides real-time situational awareness and monitoring of the homeland, coordinates incidents and response activities and, in conjunction with the DHS Office of Information Analysis, issues advisories and bulletins concerning threats to homeland security, as well as specific protective measures. * Infrastructure Protection Office--which is to coordinate national efforts to secure America's critical infrastructure, including vulnerability assessments, strategic planning efforts, and exercises. * Infrastructure Protection Office's Infrastructure Coordination Division--which plays a key role in coordinating with sector coordinating mechanisms (e.g., sector coordinating councils and government coordinating councils) concerning information sharing. In addition, it operates the National Infrastructure Coordination Center. * Infrastructure Coordination Division's Protected Critical Infrastructure Information Program Office--which was established to encourage private industry and others with knowledge about the nation's critical infrastructure to share sensitive and proprietary business information about this critical infrastructure with the government in accordance with the Critical Infrastructure Information Act of 2002 (CII Act). Protected CII is designed so that members of the private sector can voluntarily submit sensitive information regarding the nation's critical infrastructure to DHS with the assurance that the information will be protected from public disclosure as long as it satisfies the requirements of the CII Act. * Infrastructure Protection Office's Protective Security Division-- which is to coordinate strategies for protecting the nation's critical physical infrastructure. * Infrastructure Protection Office's National Communications System-- which was established by executive order in 1982 as a federal interagency group responsible for national security and emergency preparedness telecommunications and was transferred to DHS by the Homeland Security Act of 2002. Its responsibilities include planning for, developing, and implementing enhancements to the national telecommunications infrastructure, which includes the Internet, to achieve effectiveness in managing and using national telecommunication resources to support the federal government during any emergency. In addition, through the National Coordinating Center for Telecommunications,[Footnote 24] the National Communications System sponsors the Telecommunications Information Sharing and Analysis Center. The National Communications System is also jointly responsible with NCSD for developing the IT infrastructure sector plan. * DHS's Science and Technology Directorate--which serves as the primary research and development arm of DHS. It uses our nation's scientific and technological resources to provide federal, state, and local officials with the technology and capabilities to protect the homeland. It focuses on catastrophic terrorism--threats to the security of our homeland that could result in large-scale loss of life and major economic impact. * Office of State and Local Coordination--which was established to serve as a single point of contact for facilitation and coordination of departmental programs that impact state, local, territorial, and tribal governments. * Private Sector Office--which works directly with individual businesses, trade associations, and other professional and nongovernmental organizations to share department information, programs, and partnership opportunities. [End of section] Appendix III: Comments from the Department of Homeland Security: [U.S. Department of Homeland Security: Washington, DC 20528: May 3, 2005: Mr. David A. Powner: Director, Information Technology Management Issues: Government Accountability Office: Washington, DC 20548: Dear Mr. Powner: Re: Draft Report GAO-05-434, Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities. Thank you for the opportunity to review the draft report. We agree that strengthening cybersecurity is central to protecting the nation's critical infrastructures and concur that much remains to be done. We do not, however, agree with the report's implication that the challenges experienced to date have prevented us from achieving significant results in improving the nation's cybersecurity posture. The recent (January 2005) National Cyber Security Division Progress Report detailed the significant progress that has been made across the broad spectrum of our cybersecurity responsibilities. Nevertheless, we welcome GAO's review and comments on our initial efforts. We note the report also makes a reference to "previous recommendations in these areas." We do not agree that there are any valid, outstanding recommendations in this area. The following represents the Departmental response to the recommendations contained in the draft report. Recommendation: Engage with appropriate stakeholders to prioritize key cybersecurity responsibilities so that the most important activities are addressed fast, including responsibilities that are not detailed in the cybersecurity strategic plan: (1) perform a national cyber threat assessment, (2) facilitate sector cyber vulnerability assessments-to include identification of cross-sector interdependencies, and (3) establish contingency plans for cybersecurity, including recovery plans for key Internet functions. Response: Concur. While stakeholder input has already been a contributing factor in the establishment of National Cyber Security Division's (NCSD) priorities, continued and expanded stakeholder involvement is critical in reviewing and revising these priorities in the future. Some of the significant NCSD activities in this area are noted below: NCSD has made significant progress toward completing comprehensive threat assessments and sector specific vulnerability assessments, but we agree that more must be done. Establishing and formalizing the 1T Sector, as the Sector Specific Agency/Responsibility (SSA/R) under the National Infrastructure Protection Plan (NIPP), has been challenging, given its breadth, complexity, and relative maturity. It is important to recognize the nature of these challenges, as it helps to understand the considerable progress made to date. The challenges include defining the boundaries of the Sector, developing effective partnerships, and identifying critical IT assets. This work is charting new territory in government and private sector collaboration. Because most of the IT Sector is privately owned, the government must ensure that the collaboration includes all the principal actors and that the collaboration is maintained and strengthened over time. It is important that the work of the IT Sector be deliberate and comprehensive. Failing to identify and address all threats and vulnerabilities can have serious consequences. However, significant progress has been made, specifically in the development of appropriate IT Sector asset identification and vulnerability assessment methodologies, in establishing the IT Sector Government Coordinating Council (IT-GCC), and assisting the IT Sector in its efforts to establish the IT Sector Coordinating Council (IT-SCC). For cross-sector interdependencies, NCSD has worked with the Sector Specific Agencies (SSA) to ensure the thoroughness of the cyber aspects of their Sector Specific Plans (SSP), and is improving the IT Sector asset identification and vulnerability assessment methodologies to address SSA cross-sector cyber efforts. NCSD is working with each SSA to ensure the quality and effectiveness of its cyber planning, and to ensure cross-sector consistency. In addition, NCSD has been fully engaged with OMB, as subject matter expert, to ensure the quality, consistency, and effectiveness of the federal agency Critical Infrastructure Protection plans. Lastly, NCSD has established a Control Systems Security program to identify control systems in critical infrastructure across all sectors, to understand their vulnerabilities and interdependencies, and develop and recommend effective near-term protective measures for legacy systems. With respect to recovery, the Office of Infrastructure Protection (IP) has formed a strategic partnership in the form of the Internet Disruption Working Group (IDWG) that will leverage past efforts of the federal government and the private sector while combining resources and avoiding duplication and conflict. Currently, IDWG is building on past efforts of IP, reaching out to key Internet companies in the private sector, and drawing on US Computer Emergency Readiness Team (US-CERT) resources to determine: (1) the degree of critical infrastructure sectors' business and operational dependency on the Internet; (2) which private sector companies the government needs to work with to prevent a major disruption; and (3) what surge capabilities would be needed to assist the National Cyber Response Coordination Group (NCRCG) in managing a crisis and reconstituting service in the event of a significant disruption. These efforts contribute to and will measure progress through the Interagency Security Planning Effort for FY 2005, within the Risk Management/Protective Measures Working Group of the National Infrastructure Protection Plan Senior Leadership Council. Recommendation: Develop a prioritized list of key activities for addressing the underlying challenges that are impeding NCSD's execution of its responsibilities. Response: Non-concur. NCSD's strategic plan already provides a prioritized list of key activities that are reviewed, updated, and revised on a quarterly basis. Through regular communication with the Assistant Secretary for Infrastructure Protection, obstacles are already being identified and prioritized. This recommendation, as written, does not explain why these efforts are insufficient or what specific additional actions GAO would like to see accomplished. Pending further definition of GAO's intent, we non-concur with this recommendation. Recommendation: Identify performance measures and milestones for fulfilling its prioritized responsibilities and for performing activities to address its challenges, and track organizational progress against these measures and milestones. Response: Non-concur. Performance measures and milestones are already identified in NCSD's strategic plan. Unlike organizations that have been in place for a significant period of time, the milestones facing NCSD are primarily the development of new programs and establishment of a system for monitoring the success of these programs. In its initial strategic plan, NCSD has defined milestones that are measurable, although often not in quantitative terms. That is, the initial milestones direct the implementation of programs within a specified period of time, or the implementation of stages in program development in a specified time. The initial measure of success is whether or not the programs got off the ground in a timely manner and are moving ahead on schedule. As the programs become more established, performance measures will increasingly shift towards quantitative measures to evaluate the relative success of the program. In addition to already having identified its performance measures and milestones in its strategic plan, NCSD has already implemented procedures to systematically track organizational progress. Early in each quarter NCSD program managers are reminded of impending deadlines at the end of the quarter. Action is taken at the start of each quarter to ensure that a milestone is met or that obstacles to success are addressed and overcome. This recommendation, as written, does not explain why these efforts are insufficient or what specific additional actions GAO would like to see accomplished. Pending further definition of GAO's intent, we non-concur with this recommendation. We thank you again for the opportunity to review the report and provide comments. Sincerely, Signed by: Steven J. Pecinovsky: Director: Departmental GAO/OIG Liaison Office: [End of section] Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: David A. Powner, (202) 512-9286 or [Hyperlink, pownerd@gao.gov]. Staff Acknowledgments: In addition to those named above, Joanne Fiorino, Michael Gilmore, Barbarol James, Colleen M. Phillips, and Nik Rapelje made key contributions to this report. (310543): FOOTNOTES [1] This includes the Homeland Security Act of 2002, Homeland Security Presidential Directive 7, and the National Strategy to Secure Cyberspace. [2] Testimony of Robert S. Mueller, III, Director, Federal Bureau of Investigation, before the Senate Select Committee on Intelligence (Feb. 16, 2005). [3] CSO magazine, "2004 E-Crime Watch--Survey Shows Significant Increase in Electronic Crime" (Framingham, MA: May 25, 2004). [4] Computer Security Institute, 2003 CSI/FBI Computer Crime and Security Survey (2003). [5] GAO, Information Security: Code Red, Code Red II, and SirCam Attacks Highlight Need for Proactive Measures, GAO-01-1073T (Washington, D.C.: Aug. 29, 2001). [6] GAO, Information Security: Weaknesses Place Commerce Data and Operations at Serious Risk, GAO-01-751 (Washington, D.C.: Aug. 13, 2001). [7] A vulnerability is a flaw or weakness in hardware or software that can be exploited, resulting in a violation of an implicit or explicit security policy. [8] National Institute for Standards and Technology, Procedures for Handling Security Patches: Recommendations of the National Institute of Standards and Technology, National Institute of Science and Technology Special Publication 800-40 (Gaithersburg, MD: August 2002). [9] The CERT/CC is a center of Internet security expertise at the Software Engineering Institute, a federally funded research and development center operated by the Carnegie Mellon University. CERT and CERT® Coordination Center are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. [10] GAO, Technology Assessment: Cybersecurity for Critical Infrastructure Protection, GAO-04-321 (Washington, D.C.: May 28, 2004). [11] Testimony of Richard D. Pethia, Director, CERT Centers, Software Engineering Institute, Carnegie Mellon University, before the House Committee on Government Reform, Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations (November 19, 2002). [12] Pew Internet and American Life Project, "The Future of the Internet: In a survey, technology experts and scholars evaluate where the network is headed in the next 10 years." (Washington, D.C.: January 9, 2005) [13] GAO, Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems, GAO-04-354 (Washington, D.C.: March 15, 2004). [14] This group, operating under the authority granted by the Cyber Annex to the National Response Plan, is a forum of national security, law enforcement, defense, intelligence, and other government agencies that coordinates intragovernment and public/private preparedness and response to and recovery from national level cyber incidents and physical attacks that have significant cyber consequences. [15] The Protected Critical Infrastructure Information program was established to encourage private industry to share sensitive and proprietary business information about its critical infrastructures with the government with the assurance that the information would be protected from public disclosure, in accordance with the Critical Infrastructure Information Act of 2002. [16] GAO, Critical Infrastructure Protection: Improving Information Sharing with Infrastructure Sectors, GAO-04-780 (Washington, D.C.: July 9, 2004). [17] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: January 2005). [18] GAO, Critical Infrastructure Protection: Significant Challenges in Developing National Capabilities, GAO-01-323 (Washington, D.C.: Apr. 25, 2001). [19] GAO, Combating Terrorism: Selected Challenges and Related Recommendations, GAO-01-822 (Washington, D.C.: Sept. 20, 2001). [20] GAO-04-321. [21] The Executive Office of the President, Office of Science and Technology Policy and The Department of Homeland Security Science and Technology Directorate, The National Plan for Research and Development In Support of Critical Infrastructure Protection, 2004 (Washington, D.C.: Apr. 8, 2005). [22] GAO-05-207. [23] GAO-05-207. [24] The National Coordinating Center for Telecommunications is open to companies that provide telecommunications or network services, equipment, or software to the communications and information sector; select, competitive local exchange carriers; Internet service providers; vendors; software providers; telecommunications professional organizations and associations; or companies with participation or presence in the communications and information sector. Membership is also allowed for National Coordinating Center member federal departments and agencies, and for national security/emergency preparedness users. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: