
Note. In February 2001, the Critical Infrastructure Coordination Group was replaced by the Information Infrastructure Protection and Assurance Group under the Policy Coordinating Committee on Counter-terrorism and National Preparedness. In October 2001, the National Infrastructure Assurance Council was replaced by the National Infrastructure Advisory Council, and cyber CIP functions performed by the national coordinator were assigned to the chair of the President's Critical Infrastructure Protection Board. Source: CIAO.


Implementing PDD 63 Has Not Been Completely Successful

In response to PDD 63, in January 2000 the White House issued its
"National Plan for Information Systems Protection." The national plan
provided a vision and framework for the federal government to prevent,
detect, respond to, and protect the nation's critical cyber-based
infrastructure from attack and reduce existing vulnerabilities by
complementing and focusing existing federal computer security and
information technology requirements. Subsequent versions of the plan
were expected to (1) define the roles of industry and state and local
governments working in partnership with the federal government to
protect physical and cyber-based infrastructures from deliberate attack
and (2) examine the international aspects of CIP.

The most recent federal CIP guidance was issued in October 2001, when
President Bush signed Executive Order 13231, establishing the President's
Critical Infrastructure Protection Board to coordinate cyber-related
federal efforts and programs associated with protecting our nation's
critical infrastructures. The Special Advisor to the President for
Cyberspace Security chairs the board. Executive Order 13231 tasks the
board with recommending policies and coordinating programs for
protecting CIP-related information systems. The executive order also
established 10 standing committees to support the board's work on a wide
range of critical information infrastructure efforts. The board is intended
to coordinate with the Office of Homeland Security in activities relating to
the protection of and recovery from attacks against information systems
for critical infrastructure, including emergency preparedness
communications that were assigned to the Office of Homeland Security by
Executive Order 13228, dated October 8, 2001. The board recommends
policies and coordinates programs for protecting information systems for
critical infrastructure, including emergency preparedness
communications, and the physical assets that support such systems. In
addition, the chair coordinates with the Assistant to the President for
Economic Policy on issues relating to private-sector systems and
economic effects and with the Director of OMB on issues relating to
budgets and the security of federal computer systems. Further, the Special
Advisor reports to the Assistant to the President for National Security
Affairs and to the Assistant to the President for Homeland Security.

Both GAO and the inspectors general have issued reports highlighting concerns about PDD 63 implementation. As we reported in September 2001, efforts to perform substantive, comprehensive analyses of infrastructure sector vulnerabilities and development of related remedial plans had been limited. Further, a March 2001 report by the President's

The White House, Defending America's Cyberspace: National Plan for Information Systems Protection: Version 1.0: An Invitation to a Dialogue (Washington, D.C.: 2000).

GAO-02-918T


We identified several other factors that had impeded federal agency efforts to comply with PDD 63. First, no clear definitions had been developed to guide development and implementation of agency plans and measure performance. For example, PDD 63 established December 2000 as the deadline for achieving an initial operating capability and May 2003 for achieving full operational capability of key functions. However, the specific capabilities to be achieved at each milestone had not been defined. The PCIE/ECIE report noted that agencies had used various interpretations of initial operating capability and stated that, without a definition, there is no consistent measure of progress toward achieving full security preparedness. In addition, several agency officials said that funding and staffing constraints contributed to their delays in implementing PDD 63 requirements. Further, the availability of adequate technical expertise to provide information security has been a continuing concern to agencies.

Cyber Threats Are Increasing

Dramatic increases in computer interconnectivity, especially in the use of the Internet, are revolutionizing the way our government, our nation, and much of the world communicate and conduct business. The benefits have been enormous. Vast amounts of information are now literally at our fingertips, facilitating research on virtually every topic imaginable; financial and other business transactions can be executed almost instantaneously, often on a 24-hour-a-day basis; and electronic mail, Internet web sites, and computer bulletin boards allow us to communicate quickly and easily with a virtually unlimited number of individuals and groups.

In addition to such benefits, however, this widespread interconnectivity poses significant risks to our computer systems and, more important, to the critical operations and infrastructures they support. For example, telecommunications, power distribution, water supply, public health services, and national defense (including the military's warfighting capability), law enforcement, government services, and emergency services all depend on the security of their computer operations. The speed and accessibility that create the enormous benefits of the computer age likewise, if not properly controlled, allow individuals and organizations to inexpensively eavesdrop on or interfere with these operations from remote locations for mischievous or malicious purposes, including fraud or sabotage.

Government officials are increasingly concerned about attacks from
individuals and groups with malicious intent, such as crime, terrorism,
foreign intelligence gathering, and acts of war. According to the FBI,
terrorists, transnational criminals, and intelligence services are quickly
becoming aware of and using information exploitation tools such as
computer viruses, Trojan horses, worms, logic bombs, and eavesdropping
sniffers that can destroy, intercept, degrade the integrity of, or deny access
to data. As greater amounts of money are transferred through computer
systems, as more sensitive economic and commercial information is
exchanged electronically, and as the nation's defense and intelligence
communities increasingly rely on commercially available information
technology, the likelihood increases that information attacks will threaten
vital national interests. In addition, the disgruntled organization insider is
a significant threat, since such individuals often have knowledge that
allows them to gain unrestricted access and inflict damage or steal assets
without possessing a great deal of knowledge about computer intrusions.


Reports of attacks and disruptions abound. The 2002 report of the "Computer Crime and Security Survey," conducted by the Computer Security Institute and the FBI's San Francisco Computer Intrusion Squad, showed that 90 percent of respondents (primarily large corporations and government agencies) had detected computer security breaches within the last 12 months. In addition, the number of computer security incidents reported to the CERT® Coordination Center rose from 9,859 in 1999 to 52,658 in 2001 and 26,829 for just the first quarter of 2002. And these are only the reported attacks. The CERT® Coordination Center estimates that as much as 80 percent of actual security incidents go unreported, in most cases because the organization was unable to recognize that its systems had been penetrated or because there were no indications of penetration or attack.

Since the September 11 attacks, warnings of the potential for terrorist cyber attacks against our critical infrastructures have also increased. For example, earlier this year, the Special Advisor to the President for Cyberspace Security stated in a Senate briefing that although to date none of the traditional terrorist groups such as al Qaeda have used the Internet to launch a known attack on the United States infrastructure, information on computerized water systems was recently discovered on computers found in al Qaeda camps in Afghanistan. Further, in his October congressional testimony, Governor James Gilmore, Governor of the Commonwealth of Virginia and Chairman of the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction (commonly known as the "Gilmore Commission"), warned that systems and services critical to the American economy and the health of our citizens - such as banking and finance, "just-in-time" delivery systems for goods, hospitals, and state and local emergency services - could all be shut down or severely handicapped by a cyber attack or a physical attack against computer hardware.
