Threat Warning For Americas Critical Infrastructures

The President's Commission on Critical Infrastructure Protection, Critical Foundations, was a report of a multi-agency effort to "study the critical infrastructures that constitute the life support systems of (the United States), determine their vulnerabilities, and propose a strategy for protecting them in the future".2 Spurred by this report, the President signed Presidential Decision Directive 63 which built upon the PCCIP's recommendations. In signing PDD-63, the President's intent was for the United States to "take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems".3 One of the goals of PDD-63 was to create a national center to warn of significant infrastructure attacks, to include the detection and analysis of such attacks, with maximum participation from the private sector. This task fell to the FBI's National Infrastructure Protection Center (NIPC) to provide threat assessment, warning, vulnerability assessment, and law enforcement investigation and response.4 Now, nearly two years hence, these encompassing tasks are largely going undone while the NIPC focuses nearly all its resources on law enforcement investigation and response, with only minor Information Sharing and Analysis Center (ISAC) coordination. It is the purpose of this paper to show that national cyber threat warning measuresare important for protecting critical infrastructures. Further, this paper asserts that tactical and strategic cyber threat warning is inadequate and needs to be reassessed vis- -vis the role of the Department of Defense, the Intelligence Community, and the Justice Department.

"In summary, all of us need to recognize that the cyber revolution brings us into a new age as surely as the industrial revolution did two centuries ago. Now, as then, our continued security requires a reordering of national priorities and new understanding about our respective roles in support of the national goals. The relationships that have stood us in such good stead through the end of the second millennium must give way to new ones better suited to the third."--Page xi.

On June 18, the President transmitted draft legislation to Congress for the creation of a Department of Homeland Security to prevent terrorist attacks within the United States, reduce America's vulnerability to terrorism, and minimize the damage and recovery from attacks that do occur. As proposed, functions of the Homeland Security Department's Information Analysis and Infrastructure Protection Division would include (1) receiving and analyzing law enforcement information, intelligence, and other information to detect and identify potential threats; (2) assessing the vulnerabilities of the key resources and critical infrastructures; (3) developing a comprehensive national plan for securing these resources and infrastructures; and (4) taking necessary measures to protect these resources and infrastructures, in coordination with other executive agencies, state and local governments, and the private sector. To create this division, six federal organizations that currently play a pivotal role in the protection of national critical infrastructures would be transferred to the new department. Potential benefits for this division include more efficient, effective, and coordinated programs; better control of funding through a single appropriation for the new department and through establishing budget priorities for transferred functions based on their homeland security mission; and the consolidation of points of contact for federal agencies, state and local government, and the private sector in coordinating activities to protect the homeland. Finally, the new department will also face challenges, such as developing a national critical infrastructure protection strategy, improving analytical and warning capabilities, improving information sharing on threats and vulnerabilities, and addressing pervasive weaknesses in federal information security.

The Commission spent 15 months evaluating America's critical infrastructures, assessing their vulnerabilities, & deliberating assurance alternatives. The nation is so dependent on our infrastructures that we must view them through a nat. security lens -- they are essential to the nation's security, econ. health, & social well being. There is a very real & growing cyber dimension assoc. with infrastructure assurance. Contents: (I) The Case for Action: Acting Now to Protect the Future; The New Geography; New Vulnerabilities, Shared Threats, Shared Responsibility; (II) A Strategy for Action; Onward: Initial recommend. toward preparing our critical infrastructure -- & our gov't.--to deal with our nation's cultural change. Appendices: Sector Summary Reports.

Pervasive and sustained computer-based attacks pose a potentially devastating impact to systems and operations and the critical infrastructures they support. Addressing these threats depends on effective partnerships between the government and private sector owners and operators of critical infrastructure. Federal policy, including the Department of Homeland Securitys (DHS) National Infrastructure Protection Plan, calls for a partnership model that includes public and private councils to coordinate policy and information sharing and analysis centers to gather and disseminate information on threats to physical and cyber-related infrastructure. GAO was asked to determine (1) private sector stakeholders expectations for cyber-related, public-private partnerships and to what extent these expectations are being met and (2) public sector stakeholders expectations for cyber-related, public-private partnerships and to what extent these expectations are being met. To do this, GAO conducted surveys and interviews of public and private sector officials and analyzed relevant policies and other documents.Private sector stakeholders reported that they expect their federal partners to provide usable, timely, and actionable cyber threat information and alerts; access to sensitive or classified information; a secure mechanism for sharing information; security clearances; and a single centralized government cybersecurity organization to coordinate government efforts. However, according to private sector stakeholders, federal partners are not consistently meeting these expectations. For example, less than one-third of private sector respondents reported that they were receiving actionable cyber threat information and alerts to a great or moderate extent. (See table below.) Federal partners are taking steps that may address the key expectations of the private sector, including developing new information-sharing arrangements. However, while the ongoing efforts may address the public sectors ability to meet the private sectors expectations, much work remains to fully implement improved information sharing.Private Sector Expected Services and the Extent to Which They Are MetServicesGreatly or moderately expectedGreatly or moderately receivedTimely and actionable cyber threat information98%27%Timely and actionable cyber alerts96%27%Access to actionable classified or sensitive information (such as intelligence and law enforcement information)87%16%A secure information-sharing mechanism78%21%Source: GAO analysis based on survey data of 56 private sector respondents.Public sector stakeholders reported that they expect the private sector to provide a commitment to execute plans and recommendations, timely and actionable cyber threat information and alerts, and appropriate staff and resources. Four of the five public sector councils that GAO held structured interviews with reported that their respective private sector partners are committed to executing plans and recommendations and providing timely and actionable information. However, public sector council officials stated that improvements could be made to the partnership, including improving private sector sharing of sensitive information. Some private sector stakeholders do not want to share their proprietary information with the federal government for fear of public disclosure and potential loss of market share, among other reasons.Without improvements in meeting private and public sector expectations, the partnerships will remain less than optimal, and there is a risk that owners of critical infrastructure will not have the information necessary to thwart cyber attacks that could have catastrophic effects on our nations cyber-reliant critical infrastructure.

Critical Infrastructure Protection and Risk Management covers the history of risk assessment, crtical infrastructure protection, and the various structures that make up the homeland security enterprise. The authors examine risk assessment in the public and private sectors, the evolution of laws and regulations, and the policy challenges facing the 16 critical infrastructure sectors. The book will take a comprehensive look at the issues surrounding risk assessment and the challenges facing decision makers who must make risk assessment choices.

To better protect the nation's critical computer-dependent infrastructures from computer-based attacks and disruption, the President issued a directive in 1998 that established the National Infrastructure Protection Center as a national focal point for gathering information on threats and facilitating the federal government's response to computer-based incidents. This testimony discusses the center's progress in (1) developing national capabilities for analyzing cyber threat and vulnerability data and issuing warnings, (2) enhancing its capabilities for responding to cyber attacks, and (3) developing outreach and information-sharing initiatives with government and private-sector entities. GAO found that although the center has taken some steps to develop analysis and warning capabilities, the strategic capabilities described in the presidential directive have not been achieved. By coordinating investigations and providing technical assistance the center has provided important support that has improved the Federal Bureau of Investigations' ability to investigate computer crimes. The center has also developed crisis management procedures and drafted an emergency law enforcement sector plan, which is now being reviewed by sector members. The center's information-sharing relationships are still evolving and will probably have limited effectiveness until reporting procedures and thresholds are defined and trust relationships are established. This testimony summarized an April 2001 report (GAO-01-323).