NIPC coordination still a concern

NIPC home page

The National Infrastructure Protection Center is slowly improving its ability to provide warnings and analysis on computer security threats, but Congress is still concerned that its greater mission is hurt by a lack of coordination with other agencies and industry.

Between gaining additional workers from the Defense Department and moving forward with a new data mining project for its analysis, the NIPC has made improvements since a General Accounting Office review last year, said Ronald Dick, the director of the center. Dick testified July 25 before the Senate Judiciary Committee's Technology, Terrorism and Government Information Subcommittee.

In their report, GAO officials said the NIPC was hindered by a lack of analysis, staff members and information from industry. But the biggest problem, and one that still has not been addressed, is the lack of agreement within government on the role the center should play in the larger critical infrastructure protection environment, said Robert Dacey, director of information security issues at GAO.

Presidential Decision Directive 63 requires agencies to protect the systems that support the nation's critical infrastructures, such as telecommunications and electric power. The NIPC is intended to form the bridge between government and industry for incident warnings and analysis. However, confusion over how its mission fits with other entities created by PDD 63, such as the Critical Infrastructure Assurance Office, is keeping the NIPC from realizing its full potential, Dacey said.

Subcommittee Chairwoman Dianne Feinstein (D-Calif.) called on NIPC leaders to provide a thorough accounting of the progress it has made on the recommendations from GAO. But she and ranking member Sen. Jon Kyl (R-Ariz.), were most concerned that the NIPC does not have the tools to form partnerships with industry and other agencies to get the information it needs to make informed analyses.

Feinstein and Kyl suggested that they and the rest of Congress should support the NIPC through legislation such as proposed bills from Rep. Tom Davis (R-Va.) and Sen. Robert Bennett (R-Utah) to create a new exemption to the Freedom of Information Act. Those bills would exempt industry cybersecurity information from FOIA requests, providing a comfort level for companies that have been unwilling to share all of their information with organizations such as the NIPC.