
Growing pains prevalent in setting up cyber-security warning center

WASHINGTON - A recently released report from congressional auditors shows that an FBI unit created in 1998 to warn of cyber-security threats and infrastructure protection risks has had challenges getting off the ground.

The successes and challenges of the National Infrastructure Protection Center are detailed in a General Accounting Office report, “Critical Infrastructure Protection: Significant challenges in developing national capabilities.” The report was released in May.

GAO said the center’s progress in developing national capabilities for analyzing vulnerabilities and threats, and issuing timely warnings of computer-based attacks has been limited. NIPC also has had limited success in assessing the threat to private-sector industries such as telecommunications. While it has initiated an assessment of the telecom industry, it was still in draft form when GAO finished its review. The telecom assessment was meant to develop relevant products and to encourage the telecom industry to participate more fully in cyber-security and infrastructure protection efforts.

With the exception of the electric-power industry, no other sectors have been assessed by the NIPC. The FBI unit was to use these assessments in combination with foreign intelligence, information from law enforcement investigations and operations, and voluntary private-sector reports to develop comprehensive strategic assessments of risk. Such comprehensive assessments are important because they will form the basis for identifying indicators of potentially malicious or damaging activity and developing related intelligence collection requirements, said GAO.

On the positive side, NIPC has laid a foundation for further government efforts in these areas. One effort initiated by NIPC is Project La Resistance, which is a strategic effort to analyze information gathered from disparate sources, including law enforcement and intelligence agencies, private industry, and other open sources, to identify linkages and commonalities among incidents and perpetrators.

The GAO report itself is a bit confusing in its conclusions. At one point the report says progress in establishing information-sharing partnerships between NIPC, the private sector and government has been mixed. Later, GAO says these partnerships have been hindered because there is no generally accepted methodology for threat analysis and data on infrastructure vulnerabilities have not been provided by industry sectors.

This confusion is reflected in industry’s reaction to the report. The nation’s largest wireline and wireless telecommunications company said it is working with the government on ways to better share information.

“It looks like a balanced report,” said Susan Cavendar Butta, director of public affairs for government relations for Verizon Communications Inc., in general reaction to the report. “The industry - and specifically Verizon - has been working with the government on ways to share information better.”

This was a different view than held by Alfred W. Arsenault, Jr. of Diversinet Corp., a Toronto-based company that manufactures wireless security products.

Arsenault, Diversinet’s chief security architect, who worked for the National Security Agency for 17 years, said there is a mistrust that makes coordination and cooperation between the public and private sectors difficult.

“When I worked in the government, we didn’t trust private industry, now that I am in private industry there are many that do not trust government,” said Arsenault.

Arsenault said he was not surprised by the report since GAO had been saying essentially the same thing for several years. GAO itself references several other reports in the document. What is missing from both this report and previous GAO reports, he said, is the progress that has been made to date.

“GAO has done a good job of pointing out the risks that shouldn’t have been taken. Hopefully the managers then get together and assess the issue. I think it is getting better, but GAO doesn’t write about what is good. The reports that come out now leave out what has been fixed,” said Arsenault.

This industry difference of opinion is also reflected within government. GAO reports that its discussions with officials in the defense, intelligence, and civilian agencies involved in critical infrastructure protection, and with the Office of Management and Budget and the National Security Council showed that their views of the NIPC’s roles and responsibilities differ from one another.

The national coordinator for security, infrastructure protection and counter-terrorism, a member of the National Security Council, said there is a conflict between NIPC’s responsibilities to broadly gather, analyze, and share information on computer-based threats and supporting FBI investigative activities, which usually preclude sharing of information associated with cases under investigation.

OMB officials told GAO they did not view NIPC as the national focal point for gathering information on cyber-security threats.

Officials in the intelligence community said they were uncertain what role the NIPC was supposed to play since they viewed NIPC as a second-tier participant that primarily received finished intelligence, rather than an organization that generated original analytical products.

The exact role of being a warning beacon of cyber-security threats would be challenging for anyone, according to Defense Department officials who told GAO that establishing more comprehensive and effective mechanisms for detecting computer-based attacks is likely to take significant effort. These DoD officials noted it took decades to come up with an adequate warning system for threats of nuclear attacks.

NIPC officials did not seem surprised by these disparate views. According to GAO, NIPC officials said that, in their view, some agency officials say NIPC’s role is not defined properly either as an excuse for not providing support or because the agencies believe that parts of the NIPC’s mission should be performed elsewhere.

Lack of staffing means the center has not always functioned at full-manpower strength. Initially the unit operated five days a week, 16 hours a day, while the goal was a 24-hour, seven-day-a-week operation. NIPC’s goal is to have four people on each of two 12-hour shifts. NIPC officials said that they have not met this goal because they have not had enough staff who possess an understanding of the Internet and the implications of computer attack techniques to recognize potentially serious incidents.
