Page images
PDF
EPUB

Attachment A

Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cyber Security Responsibilities

GOVERNMENT ACCOUNTABILITY OFFICE REPORT GAO-05-434

http://www.gao.gov/new.items/d05434.pdf

Excerpt: Results in Brief

As the focal point for critical infrastructure protection, DHS has many cyber security-related roles and responsibilities that are called for in law and policy. These responsibilities include developing plans, building partnerships, and improving information sharing, as well as implementing activities related to the five priorities in the national cyberspace strategy: (1) developing and enhancing national cyber analysis and warning, (2) reducing cyberspace threats and vulnerabilities, (3) promoting awareness of and training in security issues, (4) securing governments' cyberspace, and (5) strengthening national security and international cyberspace security cooperation. To fulfill its cyber security role, in June 2003, DHS established the National Cyber Security Division to serve as a national focal point for addressing cyber security and coordinating the implementation of cyber security efforts.

While DHS has initiated multiple efforts, it has not fully addressed any of the 13 key cyber security-related responsibilities that we identified in federal law and policy, and it has much work ahead in order to be able to fully address them. For example, DHS (1) has recently issued the Interim National Infrastructure Protection Plan, which includes cyber security elements; (2) operates the United States Computer Emergency Readiness Team to address the need for a national analysis and warning capability; and (3) has established forums to foster information sharing among federal officials with information security responsibilities and among various law enforcement entities. However, DHS has not yet developed national threat and vulnerability assessments or developed and exercised government and government/ industry contingency recovery plans for cyber security, including a plan for recovering key Internet functions. Further, DHS continues to have difficulties in developing partnerships-as called for in federal policy-with other federal agencies, State and local governments, and the private sector.

DHS faces a number of challenges that have impeded its ability to fulfill its cyber CIP responsibilities. Key challenges include achieving organizational stability; gaining organizational authority; overcoming hiring and contracting issues; increasing awareness about cyber security roles and capabilities; establishing effective partnerships with stakeholders (other federal agencies, State and local governments, and the private sector); achieving two-way information sharing with these stakeholders; and demonstrating the value DHS can provide. In its strategic plan for cyber security, DHS has identified steps that can begin to address these challenges. However, until it effectively confronts and resolves these underlying challenges, DHS will have difficulty achieving significant results in strengthening the cyber security of our nation's critical infrastructures, and our nation will lack the strong cyber security focal point envisioned in federal law and policy.

We are making recommendations to the Secretary of Homeland Security to strengthen the Department's ability to implement key cyber security responsibilities by completing critical activities and resolving underlying challenges.

DHS provided written comments on a draft of this report (see app. III). In brief, DHS agreed that strengthening cyber security is central to protecting the Nation's critical infrastructures and that much remains to be done. In addition, DHS concurred with our recommendation to engage stakeholders in prioritizing its key cyber security responsibilities. However, DHS did not concur with our recommendations to identify and prioritize initiatives to address the challenges it faces, or to establish performance metrics and milestones for these initiatives. Specifically, DHS reported that its strategic plan for cyber security already provides a prioritized list, performance measures, and milestones to guide and track its activities. The department sought additional clarification of these recommendations. While we agree with DHS that its plan identifies activities (along with some performance measures and milestones) that will begin to address the challenges, this plan does not include specific initiatives that would ensure that the challenges are addressed in a prioritized and comprehensive manner. For example, the strategic plan for cyber security does not include initiatives to help stabilize and build authority for the organization. Fur

ther, the strategic plan does not identify the relative priority of its initiatives and does not consistently identify performance measures for completing its initiatives. As DHS moves forward in identifying initiatives to address the underlying challenges it faces, it will be important to establish performance measures and milestones for fulfilling these initiatives.

DHS officials (as well as others who were quoted in our report) also provided detailed technical corrections, which we have incorporated in this report as appropriate.

Chairman BOEHLERT. The Committee will come to order.

Before we proceed with today's hearing, the Committee must first dispense, very briefly, with some administrative business.

I recognize Mr. Gordon to offer a request regarding Democratic subcommittee membership.

Mr. GORDON. Thank you, Mr. Chairman.

By direction of the Democratic caucus of the Science Committee, I ask unanimous consent to ratify the election of Representative Dennis Moore of Kansas to the Subcommittee on Research, thereby filling one of the existing Democratic vacancies.

Chairman BOEHLERT. Without objection, so ordered.

That concludes the Committee's organizational business.
And we will now proceed with the hearing.

And incidentally, I can't imagine any hearing any place on this Hill, including what our colleagues in the Senate are doing with the Roberts nomination, that exceeds the importance of the topic being discussed here today. And I am so appreciative of the witnesses who have agreed to share with us and enlighten us on a very important subject matter. And I want you to know how much we welcome your appearance, because you are facilitators. We learn from you. We like to think all Members of Congress, we are all alike. We like to think we have got all of the answers. We don't even know some of the questions. But I do know this, that cyber security is critically important. And what we are about today takes us further down the path of dealing in a responsible way with this very important subject.

So I want to welcome everyone to this morning's hearing on cyber security, a subject that has long been the focus of the Science Committee.

The Nation has been making progress in developing ways to fend off and respond to cyber attacks. For example, federal agencies have been implementing our Cyber Security Research and Development Act, and when I say "our," I say it proudly. That is the result of this committee's work, albeit at funding levels significantly below what we would wish, and quite frankly, what is needed.

Homeland Security Secretary Michael Chertoff, responding to calls from industry and the Congress, has created the position of Assistant Secretary for Cyber Security. But as our witnesses today will make clear, we still have a very long way to go. We still pay inadequate attention to cyber security research operations in both the government and private sector. We shouldn't have to wait for the cyber equivalent of Hurricane Katrina to realize that we are inadequately prepared to prevent, detect, and respond to cyber attacks. And a cyber attack can affect a far larger area at a single stroke than can any hurricane. Not only that, given the increasing reliance of critical infrastructures on the Internet, a cyber attack could result in deaths as well as in massive, massive disruption to our economy and daily life.

There is another lesson we should take from Katrina beyond the need to prepare for real dangers that have not been recently experienced, and that is not to focus exclusively on terrorism. Cyber attacks could occur from any number of sources and motivations, even from error, not just from foreign or domestic terrorists who would do us harm.

So our goal this morning is to help develop a cyber security agenda for the Federal Government, especially to provide assistance for the new Assistant Secretary. I never want to sit on a special committee set up to investigate why we were unprepared for a cyber attack. We know we are vulnerable. It is time to act.

And I look forward to hearing from our witnesses and the guidance that they might give us to do just that.

With that, I am pleased to recognize my partner, my colleague, my friend, Mr. Gordon from Tennessee.

[The prepared statement of Chairman Boehlert follows:]

PREPARED STATEMENT OF CHAIRMAN SHERWOOD L. BOEHLERT

I want to welcome everyone to this morning's hearing on cyber security, a subject that has long been a focus of the Science Committee.

The Nation has been making progress in developing ways to fend off and respond to cyber attacks. For example, federal agencies have been implementing our Cyber Security Research and Development Act, albeit at funding levels significantly below what we would wish. Homeland Security Secretary Michael Chertoff, responding to calls from industry and the Congress, has created the position of Assistant Secretary for Cyber Security.

But as our witnesses today will make clear, we still have a very long way to go. We still pay inadequate attention to cyber security research and operations in both the government and private sector.

We shouldn't have to wait for the cyber equivalent of a Hurricane Katrina-or even and Hurricane Ophelia might serve to realize that we are inadequately prepared to prevent, detect and respond to cyber attacks.

And a cyber attack can affect a far larger area at a single stroke that can any hurricane. Not only that, given the increasing reliance of critical infrastructures on the Internet, a cyber attack could result in deaths as well as in massive disruption to the economy and daily life.

There's another lesson we should take from Katrina beyond the need to prepare for real dangers that have not been recently experienced. And that is not to focus exclusively on terrorism. Cyber attacks could occur from any number of sources and motivations-even from error-not just from foreign or domestic terrorists.

So our goal this morning is to help develop a cyber security agenda for the Federal Government, especially for the new Assistant Secretary. I never want to have to sit on a special committee set up to investigate why we were unprepared for a cyber attack. We know we are vulnerable, it's time to act.

I look forward to hearing our witnesses' guidance on how to do just that.

Mr. GORDON. Thank you, Mr. Chairman.

As usual, I want to concur with your remarks, particularly in context to the urgency and the seriousness of this issue.

Today's hearing has two important purposes: to assess the progress in improving the security of computer systems on which critical industries rely, and to explore why progress has been so slow.

Networked information systems are key components of many of the Nation's critical infrastructures, including electrical power distribution, banking, finance, water supply, and telecommunications. Computer system vulnerabilities persist worldwide, and the initiators of random cyber attacks that plague the Internet remain largely unknown.

But we know that many international terrorist groups now actively use computers and the Internet to communicate, and they are clearly capable of developing or acquiring the technical skills to direct a coordinated attack against networked computers in the United States.

The disruptions and economic damages that could result from a successful cyber attack to one or more of our critical infrastructures

could be substantial. And damage to water supply systems or to the chemical processing plants, for example, could also create lifethreatening consequences.

Following the events of 9/11, ensuring that security of critical infrastructure has become a national priority, but progress in securing the cyber infrastructure has simply been too slow.

A presidential directive from the Clinton Administration, PDD63, instituted policies and established a new organization to improve the Nation's ability to detect and respond to cyber attacks, including mechanisms to improve communications between the public and the private sectors regarding cyber security matters. Subsequently, the new Department of Homeland Security was charged to be the government's focal point for cyber security.

And yet, in a report released this summer, GAO found that the Department of Homeland Security has not yet developed national cyber threat and vulnerability assessments or government/industry contingencies to recovery plans for cyber security. This is simply not good enough.

Recent events make all too clear that inadequate recovery plans, either by design or execution, have dire consequences for the citizens' health and well being. Inaction can be an enemy just as lethal as terrorists.

GAO stressed that to be successful in meeting its responsibilities, the Department will need to achieve organizational stability for cyber security activities, including the elevation of its function within the Department.

In addition, GAO indicates the Department must work to develop effective partnerships with stakeholders, and then achieve two-way information sharing with those stakeholders.

Today, we have an opportunity to hear from some of those stakeholders about what is being done within their industry sectors-to improve cyber security, where they now stand, and what could be done to accelerate progress.

I am interested in hearing about their relationship to and interactions with the Department of Homeland Security and in their views on how the government can be more effective in achieving the overall goal of cyber security for critical infrastructures.

We need to understand what the fundamental impediments are to securing cyberspace and to take appropriate action to overcome them.

And let me just conclude by saying this. As I was reviewing the briefing material for this hearing, it is inevitable that you look at it in context to Katrina. And some might say, "Well, the financial services, you know, if a bank in New Orleans or electrical power or a telecommunication outfit has several pipes that burst and they are flooded, well, you know, at least an inconvenience, but the private sector will come in and, through competition, will take care of those customers."

But what if all of the banks, what if all of the power systems go out of order? Well, it goes beyond just being a regional concern. It becomes a national concern. It means heartache and distraughtness for those individuals there, but for the American public, it means a big bill. We are spending $200 billion or more to clean up the mess from Katrina.

« PreviousContinue »