U.S. cybersecurity policy and the protection of critical infrastructure is being hampered by a failure to communicate between the large number of federal organizations which have responsibilities in the area, as well as by ill-defined relationships between the groups, according to a new report released Monday by the U.S. General Accounting Office (GAO).
“Without a strategy that identifies responsibilities and relationships for all cyber (critical infrastructure protection) efforts, our nation risks not having the appropriate structure to deal with the growing threat of computer-based attacks on its critical infrastructures,” the report concluded.
The GAO, which acts as the investigative arm of Congress, found that there are at least 50 federal organizations that have responsibilities related to cyber critical infrastructure protection (CIP), including five advisory committees, six Executive Office of the President organizations, 38 executive branch organizations associated with departments, agencies or intelligence organizations and three other organizations.
These bodies come from a wide range of government organizations, including the Office of Management and Budget, the U.S. Federal Communication Commission, the U.S. Department of Defense, the U.S. Department of Justice, the U.S. Environmental Protection Agency, the Federal Emergency Management Agency, the U.S. General Services Administration, the report said.
Communications channels are not adequately established between the organizations, according to the report. Though some of the bodies were able to identify their relationship to other organizations generally, “relationships among all organizations performing similar activities were not consistently established,” the report found.
One example of the confusion about the function of different organizations among the various groups cited in the report concerns the National Infrastructure Protection Center (NIPC), the cybersecurity wing of the U.S. Federal Bureau of Investigation.
“Discussions with officials in defense, intelligence and civilian agencies involved in CIP … showed that their views of the NIPC’s roles and responsibilities differed from one another,” though the NIPC’s role should be clear, according to the report.
The communication issue and the definition of roles is set to be addressed by the President’s Critical Infrastructure Protection Board in a national cyber CIP strategy set to be released in September, the report said.
In its report, the GAO recommended that the strategy should define “key federal agencies’ roles and responsibilities associated with each sector, and (define) the relationships among key CIP organizations.”
The GAO has been a constant proponent of better cybersecurity in recent years through the audits of a number of government agencies. In February, it released a report that called the Department of the U.S. Treasury’s security measures “ineffective in identifying, deterring and responding to computer control weaknesses promptly.”
The GAO also criticized the NIPC in May 2001, saying that the body failed to provide timely warnings of computer attacks.
The full GAO report can be found on the organization’s Web site at http://www.gao.gov/new.items/d02474.pdf.
