TAUZIN, DINGELL FAULT AGENCIES FOR POOR CRITICAL INFRASTRUCTURE PROTECTION
Five years after a presidential directive ordering federal agencies to take explicit steps to protect the nation’s critical infrastructure, “the current situation remains unacceptable,” House Commerce Committee Chmn. Tauzin (R-La.) and ranking Democrat Dingell (Mich.) said jointly Wed. “These agencies should have completed their tasks long ago,” they said, referring to the findings of a General Accounting Office (GAO) report they had commissioned that found mixed results by agencies.
The order in question is Presidential Decision Directive 63 (PDD 63), issued by President Bill Clinton in 1998 and updated by President Bush shortly after the Sept. 11 attacks to increase attention on cybersecurity. The GAO report found that agencies such as the Dept. of Commerce, which has had oversight responsibilities for telecom networks and IT infrastructure, still were in the process of identifying exactly what constituted a critical infrastructure, and thus what needed protecting.
“It has now been 5 years since these agencies were instructed to determine where their own critical infrastructure systems were vulnerable,” Tauzin and Dingell said. They called on Congress to support the President’s FY 2004 requested increase for critical infrastructure protection (CIP) spending to more than $800 million from $177 million in FY 2003. That funding would be directed to the Dept. of Homeland Security, where much of the critical infrastructure oversight has been transferred.
The GAO told Tauzin and Dingell that the Internet had greatly increased risk to everything from telecom networks to power plants. Despite the Internet’s convenience, GAO said, “this widespread interconnectivity also poses enormous risks to our computer systems and, more important, to the critical operations and infrastructures they support, such as telecommunications, power distribution, national defense, law enforcement and critical government services.”
GAO said that since it first focused on the issue in 1996 “poor information security is a widespread federal government problem with potentially devastating consequences,” adding “cyber CIP activities are perhaps the most critical component of a federal government or agency’s overall information security program.” GAO cited the National Security Agency in arguing that “foreign governments already have or are developing computer attack capabilities, and potential adversaries are developing a body of knowledge about U.S. systems and methods to attack these systems.” The report also cited statistics from CERT that said computer security breaches increased to 82,094 in 2002 from 52,658 in 2001 and a mere 9,859 in 1999. GAO said CERT estimated that 80% of breaches actually went unreported.
Information Sharing & Analysis Centers (ISACs) also were faulted by GAO for having “mixed progress.” ISACs were created under PDD 63, and among the existing ISACs were one for Telecommunications Infrastructure, affiliated with the National Communications System (being transferred to DHS from Commerce) and one for Information Technology, run as a managed liability corporation. Those private-sector groups are designed to gather information and assist the govt. in critical infrastructure protection, but GAO said a reluctance to share information with the govt. out of fear of exposure through a Freedom of Information Act (FOIA) request had stymied information sharing. (The DHS Act created a safe harbor from FOIA for voluntary disclosures from the private sector to DHS.) GAO found the sharing issue to be a concern with the IT ISAC, while the telecom ISAC was faulted for not having finished establishing baseline statistics or providing a library for both the private sector and govt. agencies.
The House Commerce Committee held an oversight hearing on critical infrastructure protection in April 2001, and Tauzin and Dingell said it was “disappointing” at that time to learn agencies still were struggling to comply with PDD 63. The GAO report, they said, served to “confirm the need for all federal agencies to redouble their efforts in this area.”