Skip to main content

Internet Infrastructure: DHS Faces Challenges in Developing a Joint Public/Private Recovery Plan

GAO-06-672 Published: Jun 16, 2006. Publicly Released: Jul 28, 2006.
Jump To:
Skip to Highlights

Highlights

Since the early 1990s, growth in the use of the Internet has revolutionized the way that our nation communicates and conducts business. While the Internet was originally developed by the Department of Defense, the vast majority of its infrastructure is currently owned and operated by the private sector. Federal policy recognizes the need to prepare for debilitating Internet disruptions and tasks the Department of Homeland Security (DHS) with developing an integrated public/private plan for Internet recovery. GAO was asked to (1) identify examples of major disruptions to the Internet, (2) identify the primary laws and regulations governing recovery of the Internet in the event of a major disruption, (3) evaluate DHS plans for facilitating recovery from Internet disruptions, and (4) assess challenges to such efforts.

Recommendations

Matter for Congressional Consideration

Matter Status Comments
Given the importance of the Internet as a critical infrastructure supporting our nation's communications and commerce, Congress may wish to consider clarifying the legal framework that guides roles and responsibilities for Internet recovery in the event of a major disruption. This effort could include providing specific authorities for Internet recovery as well as examining potential roles for the federal government, such as providing access to disaster areas, prioritizing selected entities for service recovery, and using federal contracting mechanisms to encourage more secure technologies. This effort also could include examining the Stafford Act to determine if there would be benefits in establishing specific authority for the government to provide for-profit companies--such as those that own or operate critical communications infrastructures--with limited assistance during a crisis.
Closed – Implemented
Consistent with this matter for consideration, Congress has taken action that considered clarifying the legal framework that guides roles and responsibilities for Internet recovery. Specifically, in April 2010 the Senate introduced S.773, the Cybersecurity Act of 2009. This bill would require the President to designate an agency to be responsible for coordinating the response and restoration of any Federal Government or United States critical infrastructure information system or network affected by a cybersecurity emergency declaration. In addition, in 2006 the Senate Committee on Homeland Security and Governmental Affairs reported S.3721 out to the full Senate. Section 533 of this bill would have required a Department of Homeland Security entity to develop model standards or guidelines that states could adopt in conjunction with critical infrastructure owners and operators to permit access to restricted areas in the event of an emergency or major disaster. The 109th Congress took no further action on this legislation.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Homeland Security To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should establish dates for revising the National Response Plan and finalizing the National Infrastructure Protection Plan--including efforts to update key components relevant to the Internet.
Closed – Implemented
In response to our recommendation, DHS finalized the National Infrastructure Protection Base Plan in June 2006 and updated the National Response Framework (formerly the National Response Plan) in January 2008. Also in January 2008, DHS finalized Emergency Response Function #2, which is the Communications Annex to the National Response Plan. This Annex provides for the restoration of the public communications infrastructure and ensures the provision of federal communications support to response efforts during incidents of national significance. In addition, in August 2010, DHS officials stated that the National Response Framework's Cyber Incident Annex would be replaced by the National Cyber Incident Response Plan, which would describe how the United States will respond to significant cyber incidents. DHS officials also stated that the National Cyber Incident Response Plan would be finalized following testing during Cyberstorm III, which is scheduled for September 2010.
Department of Homeland Security To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should use the planned revisions to the National Response Plan and the National Infrastructure Protection Plan as a basis, draft public/private plans for Internet recovery, and obtain input from key Internet infrastructure companies.
Closed – Not Implemented
In August 2010, DHS officials stated that DHS no longer concurred with this recommendation. Specifically, they stated that DHS is not responsible for working with the private sector to draft public-private Internet recovery plans. DHS officials noted that public-private forums such as the Cross-Sector Cyber Security Working Group (CSCSWG) and the Information Technology Sector Coordinating Council (ITSCC) can be used to discuss cybersecurity risks, interdependencies, and plans for recovery in the event of a significant cyber incident.
Department of Homeland Security To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should review the National Communications System (NCS) and the National Cyber Security Division (NCSD) organizational structures and roles in light of the convergence of voice and data communications.
Closed – Implemented
In April of 2007, DHS commissioned a task force that reviewed National Communication System (NCS) and National Cyber Security Division (NCSD) organizational structures and roles. The task force recommended that NCS and NCSD be physically and functionally merged. Since then, DHS has taken steps to implement the recommendation by, for example, physically co-locating NCS and NCSD personnel in the same office space. In addition, the department said it plans to address other merger-related issues as part of an ongoing strategic planning effort for the area but did not provide a date when this effort is to be finalized.
Department of Homeland Security To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should identify the relationships and interdependencies among the various Internet recovery-related activities currently under way in NCS and NCSD, including initiatives by the United States Computer Emergency Readiness Team, the National Cyber Response Coordination Group, the Internet Disruption Working Group, the North American Incident Response Group, and the groups responsible for developing and implementing cyber recovery exercises.
Closed – Implemented
In August 2010, DHS officials stated that National Cybersecurity and Communications Integration Center (NCCIC) co-locates organizations that are responsible for developing and implementing cyber recovery activities, including US-CERT and the National Communication System's National Coordinating Center for Telecommunications. The center has been designed to serve as a 24-hour, DHS-led coordinated watch and warning center to address threats and incidents affecting the nation's critical information technology and cyber infrastructure. According to DHS officials, the NCCIC concept-of-operations, which is still being drafted, will define the relationships and interdependencies between NCCIC-participating organizations.
Department of Homeland Security To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should establish time lines and priorities for key efforts identified by the Internet Disruption Working Group.
Closed – Not Implemented
In August 2010 DHS officials stated that the Internet Disruption Working Group disbanded sometime after 2006 and that other DHS entities were no longer implementing the working group's key efforts.
Department of Homeland Security To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should identify ways to incorporate lessons learned from actual incidents and during cyber exercises into recovery plans and procedures.
Closed – Implemented
As a result of its first national-level cyber exercise conducted in February 2006, called Cyber Storm, DHS identified eight lessons that had significant impact across sectors, agencies, and exercise participants. These lessons involved improving (1) the interagency coordination groups; (2) contingency planning, risk assessment, and roles and responsibilities; (3) integration of incidents across infrastructures; (4) access to information; (5) coordination of response activities; (6) strategic communications and public relations; (7) processes, tools, and technology; and (8) the exercise program. Since then DHS has begun implementing these lessons learned, as we recently reported in September 2008 (see GAO-08-825).
Department of Homeland Security To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should work with private-sector stakeholders representing the Internet infrastructure to address challenges to effective Internet recovery by further defining needed government functions in responding to a major Internet disruption.
Closed – Implemented
DHS participates in multiple public-private initiatives such as the Cross-Sector Cyber Security Working Group (CSCSWG) and the Information Technology Sector Coordinating Council (ITSCC) that may be used to discuss cybersecurity risks, interdependencies, and plans for recovery in the event of a significant cyber incident. To date, DHS has not yet documented specific governmental functions that it would provide in responding to a major Internet disruption.
Department of Homeland Security To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should work with private-sector stakeholders representing the Internet infrastructure to address challenges to effective Internet recovery by defining a trigger for government involvement in responding to such a disruption.
Closed – Implemented
DHS provided GAO with a March 2010 draft revision of the National Cyber Incident Response Plan. Consistent with our recommendation, the draft plan defines the conditions that would trigger heightened levels of coordination among government agencies and with the private sector to respond to a cyber incident. DHS officials stated that the draft plan would be finalized following testing during Cyberstorm III, which is scheduled for September 2010.
Department of Homeland Security To improve DHS's ability to facilitate public/private efforts to recover the Internet in case of a major disruption, the Secretary of the Department of Homeland Security should work with private-sector stakeholders representing the Internet infrastructure to address challenges to effective Internet recovery by documenting assumptions and developing approaches to deal with key challenges that are not within the government's control.
Closed – Implemented
Consistent with this recommendation, DHS released the Information Technology Sector Baseline Risk Assessment in August 2009. According to this document, DHS collaborated with members of the private and public sectors to develop and document a risk assessment methodology for the Information Technology sector. The document identifies assumptions, such as the sufficiency of an IT-sector member's emergency power capacity, which could pose a challenge to Internet recovery. The document also identifies multiple risks that could affect Internet recovery efforts and references general mitigation strategies that currently exist, are being enhanced, or which could be considered for the future. By documenting these assumptions and developing strategies to manage key challenges outside of the government's control, DHS is better able to facilitate public/private efforts to recover the Internet in case of a major disruption.

Full Report

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries

Topics

Continuity of operations planCritical infrastructureCritical infrastructure protectionDisaster planningDisaster recoveryDisaster recovery plansEmergency preparednessFederal lawFederal legislationInternetIT contingency plansIT legislationE-governmentprivate partnerships