NIPC cyberdefense vision blurred

NIPC home page

The federal government's efforts to protect agencies against cyberthreats are severely hampered by a lack of experienced personnel and disagreement about the roles of the organizations involved, according to officials.

A yearlong General Accounting Office review of the National Infrastructure Protection Center at the FBI found that the organization has been unable to truly fulfill the Clinton administration's vision of "a national focal point" for critical infrastructure protection.

Clinton formally established the protection effort in May 1998 with Presidential Decision Directive 63, which requires federal agencies to secure the systems that support the nation's critical infrastructure, such as electric power and transportation. PDD 63 established that the NIPC "will provide the principal means of facilitating and coordinating the federal government's response to an incident, mitigating attacks, investigating threats and monitoring reconstitution efforts."

However, the NIPC is often missing key leadership for long periods, GAO found. And the center's staff, which is supposed to be enhanced by workers on detail from other agencies, is operating with only 13 of the 24 analysts necessary.

Representatives from the defense and intelligence communities are key missing members, said Ronald Dick, director of the NIPC, in his written testimony for Tuesday's hearing before the Senate Judiciary Committee's Technology, Terrorism and Government Affairs Subcommittee.

Because of the Senate's insistence on passing the president's tax cut bill by Tuesday afternoon, Sen. Jon Kyl (R-Ariz.), chairman of the subcommittee, accepted all the written testimony for the record and closed the hearing without any oral statements.

The NIPC also is missing much private-sector information about the vulnerabilities of key infrastructure segments, and it has been unable to form two-way information sharing practices with all but one of the industry centers established to share vulnerability data, the report found.

But the major underlying problem is that "the NIPC's roles and responsibilities have not been fully defined and are not consistently interpreted by other entities involved in the government's broader critical infrastructure protection strategy," wrote Robert Dacey, director of information security issues at GAO, in a testimony.

Indeed, GAO found that there is much disagreement among the many organizations involved in the federal critical infrastructure protection effort — such as the National Security Council and the Federal Computer Incident Response Center — about which group should take the lead. This disagreement includes the Office of Management and Budget's statement that the NIPC's focus "was to be on law enforcement, as indicated by its placement within the FBI," according to the report.

Dick is developing a "rudimentary vision" that will soon become a full-fledged strategic plan for the center.

This vision includes three elements:

* Rather than focusing on improving alerts during attacks, the NIPC will introduce forecasts, similar to the National Weather Service's severe-weather warnings.

* The NIPC's analysis will address broader critical infrastructure protection issues, such as the increasing threat of integrated cyber- and physical attacks on critical infrastructure.

* The NIPC will develop a more active partnership with other intelligence collectors across government and the private sector.