GAO: Fed cyber center falls short

Disagreements among agencies over who is responsible for what when U.S. critical systems come under cyberattack shows that the Bush administration needs to speed its efforts to develop a central plan for protection, according to a new government study.

Presidential Decision Directive 63, signed by President Clinton in May 1998, lays out the responsibilities for different organizations. It requires agencies to secure the systems that support the nation's critical infrastructure, such as telecommunications and transportation.

PDD 63 also created organizations to lead various efforts under the initiative, including the FBI's National Infrastructure Protection Center. But according to the General Accounting Office, the NIPC has yet to fulfill its mandate to become "a national focal point" for cyberattack warnings because it lacks consis.tent leadership and an experienced staff and has failed to get cooperation from public- and private-sector groups.

Much of the lack of agency cooperation stems from last year's directive from the Office of Management and Budget to turn first to the Federal Computer Incident Response Center (FedCIRC) under the General Services Administration, said Robert Dacey, director of information security issues at GAO, in prepared testimony for the Senate Judiciary Committee's Subcommittee on Technology, Terrorism and Government Information.

While the NIPC covers both the public and private sectors, FedCIRC serves as the central organization for civilian cyberattack warnings and response, and the GSA office it is under serves as the PDD 63 federal-sector lead.

A fundamental impediment to evaluating the NIPC's progress is that the government's strategy is still evolving, and as the directive from OMB shows, "the entities involved in the government's critical infrastructure protection efforts do not share a common interpretation of the NIPC's roles and responsibilities," Dacey said.

The Bush administration is reviewing PDD 63 and the government's process for dealing with critical infrastructure protection issues. Much of that review will center on ensuring that every organization understands its place within the overall structure, said officials close to the discussion.

The NIPC's placement at the FBI — and the fact that the majority of the center's staff members are FBI agents — has created a conflict between its analysis and warning responsibilities and its law enforcement ties. Richard Clarke, national coordinator for security, infrastructure protection and counterterrorism at the National Security Council, told GAO that this situation has "diminished the level of support it has received from other agencies and the private sector."

Clarke believes the NIPC's role should be limited to investigating incidents, but NIPC Director Ronald Dick said he believes the center should continue covering all the areas outlined under PDD 63.

Both the NIPC and FedCIRC have new leaders. Dick took over in March, and GSA named Sallie McDonald assistant commissioner of the Office of Information Assurance and Critical Infrastructure Protection in December.

Officials at the NIPC did not return phone calls seeking comment, but when the two leaders met for the first time last week, they agreed to work more closely to overcome the organizational disagreements, McDonald said.

"We need to work with the NIPC to develop a process so that the NIPC gets the information they need and the agencies understand the need to report to both the NIPC and FedCIRC," she said.