Coordination called key to NIPC improvements

NIPC home page

The National Infrastructure Protection Center is slowly improving its ability to provide warnings and analysis on computer security threats, but Congress remains concerned that its greater mission is hurt by a lack of coordination with other agencies and industry.

President Clinton formally established the center in May 1998 with Presidential Decision Directive 63, which requires federal agencies to secure the systems that support the nation's critical infrastructure, such as telecommunications. The NIPC is intended to form a bridge between government and industry for incident warnings and analysis.

The center has made improvements since a General Accounting Office review last year, said Ronald Dick, the center's director. Gains have resulted from adding workers from the Defense Department and moving forward with a new data-mining project for its analysis. Dick testified July 25 before the Senate Judiciary Committee's Technology, Terrorism and Government Information Subcommittee.

In their report, GAO officials said the NIPC was hindered by a lack of analysis, staff members and information from industry. But the biggest problem — and one that still has not been addressed — is the lack of agreement within government on the role the center should play in the larger critical infrastructure protection environment, said Robert Dacey, director of information security issues at GAO.

Subcommittee members said they were most concerned that the NIPC is not receiving appropriate support from agencies and industry. The NIPC should consist of workers from civilian and Defense agencies, but so far, many agencies have not provided the needed personnel. Sen. Jon Kyl (R-Ariz.), ranking member of the subcommittee, suggested that Congress help encourage agencies, through money or mandates, to assign those workers.

But agencies cannot afford to lose precious information security talent, Dick said. "We're stretching our resources as thin as they can be." He said the center's new workers from DOD include a new deputy director.

Subcommittee Chairwoman Dianne Feinstein (D-Calif.) also called on the NIPC to rely on expertise from agencies such as the Secret Service, which works closely with the financial community to combat cybercrime. The Secret Service has developed an extensive training course through its Electronic Crimes Special Agent Program and trains other agencies, state and local governments, and even the private sector, according to James Savage, deputy special agent in charge of the Secret Service's Financial Crimes Division.

The subcommittee also encouraged the NIPC to continue its work to form formal partnerships with industry to gather the information needed to make informed analyses of incidents.

Both Feinstein and Kyl suggested that Congress support the NIPC through legislation, such as a bill introduced recently by Rep. Tom Davis (R-Va.) to create a new exemption to the Freedom of Information Act. Davis' bill, along with another to be co-introduced by Sen. Robert Bennett (R-Utah) and Kyl, would exempt industry cybersecurity information from FOIA requests.