RealTime IT News

NIPC Gets Failing Grade in Warning of Hacker Attacks

Congress' investigative arm, the General Accounting Office (GAO), has given the Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC) a failing grade when it comes to issuing warnings about electronic attacks.

The NIPC was formed in 1998 to protect businesses and government from hackers and cyber-terrorists. But a report expected to be released Tuesday by the GAO found that NIPC warnings often come after attacks are well under way.

"To provide a warning capability, the NIPC established a Watch and Warning Unit that monitors the Internet and other media 24 hours a day to identify reports of computer-based attacks," the report said. "Since 1998, the unit has issued 81 warnings and related products, many of which were posted on the NIPCs Internet Web site. While some warnings were issued in time to avert damage, most of the warnings, especially those related to viruses, pertained to attacks underway."

Because the warnings did not come until attacks were underway the warnings were often too late to prevent wide-spread damage.

The GAO identified a number of reasons for the NIPC's failure to develop more than rudimentary analysis and warning capabilities.

One problem is a lack of private sector cooperation. Security experts and industry groups have been critical of the organization, and businesses have been slow to cooperate because many would prefer not to disclose information concerning security breaches to the public.

"[Ronald Dick, director of the NIPC] cited several reasons why some private-sector organizations have been reluctant to share information with the government, including the NIPC," the report said. "The reasons cited include (1) a lack of understanding or confidence in the exceptions found in the Freedom of Information Act, (2) concerns about whether Justice would pursue prosecutions at the expense of private-sector business interests, and (3) concerns about disclosing proprietary information to an entity beyond their control."

The NIPC has also had trouble cooperating with government agencies. The report found that government agencies have not routinely reported information to the NIPC, and some organizations, like the Secret Service, have even pulled out their NIPC representatives because they felt agents were not being assigned appropriate duties.

The center, which costs tax-payers $27 million a year, also suffers from chronic staffing shortages, according to the report.

The report does not call for the dissolution of the center, and even praises it for its work with the FBI in investigating cyber-crimes. However, it did make several recommendations.

First it recommended that the Assistant to the President for National Security Affairs direct federal agencies and encourage the private sector to better define the types of information that need to be shared to protect against computer-based attacks.

It also recommended the development of a strategy for identifying assets of national significance, and the resolution of discrepancies between Presidential Decision Directive 63 (which established the NIPC) requirements and guidance by the federal Chief Information Officers Council regarding computer incident reporting by federal agencies.

Finally, it recommended that the Attorney General direct the FBI Director to direct the NIPC Director to formalize relationships between the NIPC and other federal entities like the Department of Defense and the Secret Service, and develop plans for a two-way exchange of information with private sector ISACs (Information Sharing and Analysis Centers).