Congress’ investigative arm, the General Accounting Office (GAO), has given
the Federal Bureau of Investigation’s National Infrastructure Protection
Center (NIPC) a failing grade when it comes to issuing warnings about
electronic attacks.
The NIPC was formed in 1998 to protect businesses and government from
hackers and cyber-terrorists. But a report expected to be released Tuesday
by the GAO found that NIPC warnings often come after attacks are well under
way.
“To provide a warning capability, the NIPC established a Watch and Warning
Unit that monitors the Internet and other media 24 hours a day to identify
reports of computer-based attacks,” the report said. “Since 1998, the unit
has issued 81 warnings and related products, many of which were posted on
the NIPC’s Internet Web site. While some warnings were issued in time to
avert damage, most of the warnings, especially those related to viruses,
pertained to attacks underway.”
Because the warnings did not come until attacks were underway, they were
often too late to prevent widespread damage.
The GAO identified a number of reasons for the NIPC’s failure to develop
more than rudimentary analysis and warning capabilities.
One problem is a lack of private sector cooperation. Security experts and
industry groups have been critical of the organization, and businesses have
been slow to cooperate because many would prefer not to disclose information
concerning security breaches to the public.
“[Ronald Dick, director of the NIPC] cited several reasons why some
private-sector organizations have been reluctant to share information with
the government, including the NIPC,” the report said. “The reasons cited
include (1) a lack of understanding or confidence in the exceptions found in
the Freedom of Information Act, (2) concerns about whether Justice would
pursue prosecutions at the expense of private-sector business interests, and
(3) concerns about disclosing proprietary information to an entity beyond
their control.”
The NIPC has also had trouble cooperating with government agencies. The
report found that government agencies have not routinely reported
information to the NIPC, and some organizations, like the Secret Service,
have even pulled out their NIPC representatives because they felt agents
were not being assigned appropriate duties.
The center, which costs taxpayers $27 million a year, also suffers from
chronic staffing shortages, according to the report.
The report does not call for the dissolution of the center, and even praises
it for its work with the FBI in investigating cyber-crimes. However, it did
make several recommendations.
First, it recommended that the Assistant to the President for National
Security Affairs direct federal agencies and encourage the private sector to
better define the types of information that need to be shared to protect
against computer-based attacks.
It also recommended the development of a strategy for identifying assets of
national significance, and the resolution of discrepancies between
Presidential Decision Directive 63 (which established the NIPC) requirements
and guidance by the federal Chief Information Officers Council regarding
computer incident reporting by federal agencies.
Finally, it recommended that the Attorney General direct the FBI Director to
direct the NIPC Director to formalize relationships between the NIPC and
other federal entities like the Department of Defense and the Secret
Service, and develop plans for a two-way exchange of information with
private sector ISACs (Information Sharing and Analysis Centers).