Internet Infrastructure
DHS Faces Challenges in Developing a Joint Public/Private Recovery Plan Gao ID: GAO-06-672 June 16, 2006Since the early 1990s, growth in the use of the Internet has revolutionized the way that our nation communicates and conducts business. While the Internet was originally developed by the Department of Defense, the vast majority of its infrastructure is currently owned and operated by the private sector. Federal policy recognizes the need to prepare for debilitating Internet disruptions and tasks the Department of Homeland Security (DHS) with developing an integrated public/private plan for Internet recovery. GAO was asked to (1) identify examples of major disruptions to the Internet, (2) identify the primary laws and regulations governing recovery of the Internet in the event of a major disruption, (3) evaluate DHS plans for facilitating recovery from Internet disruptions, and (4) assess challenges to such efforts.
A major disruption to the Internet could be caused by a cyber incident (such as a software malfunction or a malicious virus), a physical incident (such as a natural disaster or an attack that affects key facilities), or a combination of both cyber and physical incidents. Recent cyber and physical incidents have caused localized or regional disruptions but have not caused a catastrophic Internet failure. Federal laws and regulations addressing critical infrastructure protection, disaster recovery, and the telecommunications infrastructure provide broad guidance that applies to the Internet, but it is not clear how useful these authorities would be in helping to recover from a major Internet disruption. Specifically, key legislation on critical infrastructure protection does not address roles and responsibilities in the event of an Internet disruption. Other laws and regulations governing disaster response and emergency communications have never been used for Internet recovery. DHS has begun a variety of initiatives to fulfill its responsibility for developing an integrated public/private plan for Internet recovery, but these efforts are not complete or comprehensive. Specifically, DHS has developed high-level plans for infrastructure protection and incident response, but the components of these plans that address the Internet infrastructure are not complete. In addition, the department has started a variety of initiatives to improve the nation's ability to recover from Internet disruptions, including working groups to facilitate coordination and exercises in which government and private industry practice responding to cyber events. However, progress to date on these initiatives has been limited, and other initiatives lack time frames for completion. Also, the relationships among these initiatives are not evident. As a result, the government is not yet adequately prepared to effectively coordinate public/private plans for recovering from a major Internet disruption. Key challenges to establishing a plan for recovering from Internet disruptions include (1) innate characteristics of the Internet (such as the diffuse control of the many networks making up the Internet and private sector ownership of core components) that make planning for and responding to disruptions difficult, (2) a lack of consensus on DHS's role and when the department should get involved in responding to a disruption, (3) legal issues affecting DHS's ability to provide assistance to restore Internet service, (4) reluctance of many in the private sector to share information on Internet disruptions with DHS, and (5) leadership and organizational uncertainties within DHS. Until these challenges are addressed, DHS will have difficulty achieving results in its role as a focal point for helping to recover the Internet from a major disruption.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-06-672, Internet Infrastructure: DHS Faces Challenges in Developing a Joint Public/Private Recovery Plan
This is the accessible text file for GAO report number GAO-06-672
entitled 'Internet Infrastructure: DHS Faces Challenges in Developing a
Joint Public/Private Recovery Plan' which was released on July 28,
2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
June 2006:
Internet Infrastructure:
DHS Faces Challenges in Developing a Joint Public/Private Recovery
Plan:
GAO-06-672:
GAO Highlights:
Highlights of GAO-06-672, a report to congressional requesters
Why GAO Did This Study:
Since the early 1990s, growth in the use of the Internet has
revolutionized the way that our nation communicates and conducts
business. While the Internet was originally developed by the Department
of Defense, the vast majority of its infrastructure is currently owned
and operated by the private sector. Federal policy recognizes the need
to prepare for debilitating Internet disruptions and tasks the
Department of Homeland Security (DHS) with developing an integrated
public/private plan for Internet recovery. GAO was asked to (1)
identify examples of major disruptions to the Internet, (2) identify
the primary laws and regulations governing recovery of the Internet in
the event of a major disruption, (3) evaluate DHS plans for
facilitating recovery from Internet disruptions, and (4) assess
challenges to such efforts.
What GAO Found:
A major disruption to the Internet could be caused by a cyber incident
(such as a software malfunction or a malicious virus), a physical
incident (such as a natural disaster or an attack that affects key
facilities), or a combination of both cyber and physical incidents.
Recent cyber and physical incidents have caused localized or regional
disruptions but have not caused a catastrophic Internet failure.
Federal laws and regulations addressing critical infrastructure
protection, disaster recovery, and the telecommunications
infrastructure provide broad guidance that applies to the Internet, but
it is not clear how useful these authorities would be in helping to
recover from a major Internet disruption. Specifically, key legislation
on critical infrastructure protection does not address roles and
responsibilities in the event of an Internet disruption. Other laws and
regulations governing disaster response and emergency communications
have never been used for Internet recovery.
DHS has begun a variety of initiatives to fulfill its responsibility
for developing an integrated public/private plan for Internet recovery,
but these efforts are not complete or comprehensive. Specifically, DHS
has developed high-level plans for infrastructure protection and
incident response, but the components of these plans that address the
Internet infrastructure are not complete. In addition, the department
has started a variety of initiatives to improve the nation‘s ability to
recover from Internet disruptions, including working groups to
facilitate coordination and exercises in which government and private
industry practice responding to cyber events. However, progress to date
on these initiatives has been limited, and other initiatives lack time
frames for completion. Also, the relationships among these initiatives
are not evident. As a result, the government is not yet adequately
prepared to effectively coordinate public/private plans for recovering
from a major Internet disruption.
Key challenges to establishing a plan for recovering from Internet
disruptions include (1) innate characteristics of the Internet (such as
the diffuse control of the many networks making up the Internet and
private sector ownership of core components) that make planning for and
responding to disruptions difficult, (2) a lack of consensus on DHS‘s
role and when the department should get involved in responding to a
disruption, (3) legal issues affecting DHS‘s ability to provide
assistance to restore Internet service, (4) reluctance of many in the
private sector to share information on Internet disruptions with DHS,
and (5) leadership and organizational uncertainties within DHS. Until
these challenges are addressed, DHS will have difficulty achieving
results in its role as a focal point for helping to recover the
Internet from a major disruption.
What GAO Recommends:
GAO is suggesting that Congress consider clarifying the legal framework
guiding Internet recovery. GAO is also making recommendations to the
Secretary of the Department of Homeland Security to strengthen the
department‘s ability to serve as a focal point for helping to recover
from Internet disruptions by completing key plans and activities and
addressing challenges. In written comments, DHS agreed with GAO‘s
recommendations and provided information on activities it was taking to
implement them.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-672].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact David Powner at (202) 512-
9286 or pownerd@gao.gov.
[End of Section]
Contents:
Letter:
Results in Brief:
Background:
Although Both Cyber and Physical Incidents Have Caused Disruptions, the
Internet Has Not Yet Suffered a Catastrophic Failure:
Existing Laws and Regulations Apply to the Internet, but Numerous
Uncertainties Exist in Using Them for Internet Recovery:
DHS Initiatives Supporting Internet Recovery Planning Are under Way,
but Much Remains to Be Done and the Relationships among Initiatives Are
Not Evident:
Multiple Challenges Exist to Planning for Recovery from Internet
Disruptions:
Conclusions:
Matters for Congressional Consideration:
Recommendations for Executive Action:
Agency Comments:
Appendixes:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Legislation and Regulations Govern Critical Infrastructure
Protection, Disaster Response, and the Telecommunications
Infrastructure:
Multiple Laws and Regulations Govern Protection of Critical
Infrastructure:
Multiple Laws Govern Federal Response to Disasters and Incidents of
National Significance:
Specific Laws and Regulations Govern the Telecommunications
Infrastructure That Supports the Internet:
Appendix III: Two Task Forces Have Assessed NCS Roles and Mission :
Next Generation Network Task Force:
National Coordinating Center Task Force:
Appendix IV: DHS Has Conducted Disaster Response Exercises That Include
Cyber Incidents:
DHS Has Conducted Regional Exercises Involving Cyber Attacks:
Cyber Storm Was DHS's First National Exercise Focused on Cyber Attacks:
Appendix V: Comments from the Department of Homeland Security:
Appendix VI: GAO Contacts and Staff Acknowledgments:
Tables:
Table 1: Critical Infrastructure Sectors:
Table 2: Sources of Cyber Threats Identified by the U.S. Intelligence
Community:
Table 3: Examples of Collaborative Groups:
Table 4: DHS's Key Cybersecurity Responsibilities:
Table 5: Examples of Potential Internet Disruptions:
Table 6: Potential DHS Roles:
Table 7: Selected Lessons Learned from DHS Regional Exercises with
Cyber Components:
Figures:
Figure 1: Example of an E-mail Transiting the Internet:
Figure 2: How the Domain Name System Translates a Web Site Name into a
Numerical Address:
Figure 3: Example of Dynamic Routing Using Border Gateway Protocol:
Figure 4: Case Study--The Slammer Worm:
Figure 5: Case Study--A Root Server Attack:
Figure 6: Case Study--The Baltimore Train Tunnel Fire:
Figure 7: Case Study--The September 11, 2001, Terrorist Attack on the
World Trade Center:
Figure 8: Case Study--Hurricane Katrina:
Abbreviations:
DHS: Department of Homeland Security:
IP: Internet Protocol:
NCS: National Communications System:
NCSD: National Cyber Security Division:
US-CERT: United States Computer Emergency Readiness Team:
June 16, 2006:
Congressional Requesters:
Since the early 1990s, increasing computer interconnectivity--most
notably growth in the use of the Internet--has revolutionized the way
that our government, our nation, and much of the world communicate and
conduct business. Our country has come to rely on the Internet as a
critical infrastructure supporting commerce, education, and
communication. While the benefits of this technology have been
enormous, this widespread interconnectivity poses significant risks to
the government's and our nation's computer systems and, more
importantly, to the critical operations and infrastructures they
support.
Federal regulation establishes the Department of Homeland Security
(DHS) as the focal point for the security of cyberspace--including
analysis, warning, information sharing, vulnerability reduction,
mitigation, and recovery efforts for public and private critical
infrastructure systems.[Footnote 1] To accomplish this mission, DHS is
to work with federal agencies, state and local governments, and the
private sector. Federal policy also recognizes the need to be prepared
for the possibility of debilitating disruptions in cyberspace and,
because the vast majority of the Internet infrastructure is owned and
operated by the private sector, tasks DHS with developing an integrated
public/private plan for Internet recovery.[Footnote 2] Last year, we
reported on DHS efforts to fulfill its cybersecurity responsibilities
and noted that the department had not developed key cybersecurity
recovery plans--including a plan for recovering key Internet
functions.[Footnote 3]
Because of your interest in DHS's efforts to develop a joint plan for
recovering the Internet in case of a major disruption, you asked that
we (1) identify examples of major disruptions to the Internet, (2)
identify the primary laws and regulations governing recovery of the
Internet in the event of a major disruption, (3) evaluate DHS's plans
for facilitating recovery from Internet disruptions, and (4) assess
challenges to such efforts.
To accomplish these objectives, we assessed documentation of
disruptions to the Internet and compiled case studies of incidents that
have affected the Internet. We also reviewed relevant laws and
regulations related to critical infrastructure protection, disaster
response, and the telecommunications infrastructure. We assessed DHS
progress and plans for handling Internet disruptions. In order to
identify challenges to effective Internet recovery planning, we also
interviewed officials from DHS, other federal agencies, and
representatives of the private sector who have a role in operating the
Internet infrastructure. Appendix I provides additional details on our
objectives, scope, and methodology. We performed our work from August
2005 to May 2006 in accordance with generally accepted government
auditing standards.
Results in Brief:
A major disruption to the Internet could be caused by a cyber incident
(such as a software malfunction or a malicious virus), a physical
incident (such as a natural disaster or an attack that affects
facilities and other assets), or a combination of both cyber and
physical incidents. Recent cyber and physical incidents have caused
localized or regional disruptions, highlighting the importance of
recovery planning. For example, a 2002 root server attack highlighted
the need to plan for increased server capacity at Internet exchange
points in order to manage the high volumes of data traffic during an
attack. However, recent incidents also have shown the Internet as a
whole to be flexible and resilient. Even in past severe circumstances,
the Internet did not suffer a catastrophic failure.
Several federal laws and regulations provide broad guidance that
applies to the Internet, but it is not clear how useful these
authorities would be in helping to recover from a major Internet
disruption. Specifically, the Homeland Security Act of 2002 and
Homeland Security Presidential Directive 7 provide guidance on
protecting our nation's critical infrastructures. However, they do not
specifically address roles and responsibilities in the event of an
Internet disruption. In addition, the Defense Production Act and the
Stafford Act provide authority to federal agencies to plan for and
respond to incidents of national significance, such as disasters and
terrorist attacks. However, the Defense Production Act has never been
used for Internet recovery and the Stafford Act does not authorize the
provision of resources to for-profit companies--such as those that own
and operate core Internet components. The Communications Act of 1934
and the National Communications System authorities govern the
telecommunications infrastructure and help ensure communications during
national emergencies, but they have never been used for Internet
recovery. Thus, it is not clear how effective they would be in
assisting Internet recovery.
DHS has begun a variety of initiatives to fulfill its responsibility
for developing an integrated public/private plan for Internet recovery,
but these efforts are not yet complete or comprehensive. Specifically,
DHS has developed high-level plans for infrastructure protection and
incident response, but the components of these plans that address the
Internet infrastructure are not complete. In addition, DHS has started
a variety of initiatives to improve the nation's ability to recover
from Internet disruptions, including working groups to facilitate
coordination and exercises in which government and private industry
practice responding to cyber events. However, progress to date on these
initiatives has been limited and other initiatives lack time frames for
completion. Also, the relationships among these initiatives are not
evident. As a result, risk remains that the government is not yet
adequately prepared to effectively coordinate public/private plans for
recovering from a major Internet disruption.
Key challenges to establishing a plan for recovering from an Internet
disruption include (1) innate characteristics of the Internet (such as
the diffuse control of the many networks that make up the Internet and
the private-sector ownership of core components) that make planning for
and responding to disruptions difficult, (2) lack of consensus on DHS's
role and when the department should get involved in responding to a
disruption, (3) legal issues affecting DHS's ability to provide
assistance to entities working to restore Internet service, (4)
reluctance of many in the private sector to share information on
Internet disruptions with DHS, and (5) leadership and organizational
uncertainties within DHS. Until these challenges are addressed, DHS
will have difficulty achieving results in its role as a focal point for
helping to recover the Internet from a major disruption.
Given the importance of the Internet infrastructure to our nation's
communications and commerce, we are suggesting that Congress consider
clarifying the legal framework guiding Internet recovery. We are also
making recommendations to the Secretary of the Department of Homeland
Security to strengthen the department's ability to effectively serve as
a focal point for helping to recover from Internet disruptions by
establishing clear milestones for completing key plans, coordinating
various Internet recovery-related activities, and addressing key
challenges to Internet recovery planning.
DHS provided written comments on a draft of this report in which it
agreed with our recommendations and provided information on initial
activities it is taking to implement them (see app. V). DHS officials,
as well as others who were quoted in our report, also provided
technical corrections, which we have incorporated in this report as
appropriate.
Background:
The Internet: An Overview:
The Internet is a vast network of interconnected networks. It is used
by governments, businesses, research institutions, and individuals
around the world to communicate, engage in commerce, do research,
educate, and entertain. While most Americans are familiar with Internet
service providers--such as America Online and EarthLink--that provide
consumers with a pathway, or "on-ramp," to the Internet, many are less
familiar with how the Internet was developed, the underlying structure
of the Internet, and how it works.
In the late 1960s and the 1970s, the Department of Defense's Advanced
Research Projects Agency developed a network to allow multiple
universities to communicate and share computing resources. In the
ensuing decades, this project grew to become a large network of
networks and was joined with an array of scientific and academic
computers funded by the National Science Foundation. This expanded
network provided the backbone infrastructure of today's Internet. In
1995, the federal government began to turn the backbone of the Internet
over to a consortium of commercial backbone providers. From that point
on, the Internet infrastructure was owned and operated by private
companies--including telecommunications companies, cable companies, and
Internet service providers.
Today's Internet connects millions of small, medium, and large
networks. When an Internet user wants to access a Web site or to send
an e-mail to someone who is connected to the Internet through a
different Internet service provider, the data must be transferred
between networks. Transit across the Internet is provided by either
national backbone providers, regional network operators, or a
combination of both. National backbone providers are companies that own
and operate high-capacity, long-haul backbone networks. These providers
transmit data traffic over long distances using high-speed, fiber-optic
lines. Because national backbone operators do not service all locations
worldwide, regional network providers supplement the long-haul traffic
by providing regional service. Data cross between networks at Internet
exchange points--which can be either hub points where multiple networks
exchange data or private interconnection points arranged by transit
providers. At these exchange points, computer systems called routers
determine the optimal path for the data to reach their destination. The
data then continue their path through the national and regional
networks and exchange points, as necessary, to reach the recipient's
Internet service provider and the recipient (see fig. 1).
Figure 1: Example of an E-mail Transiting the Internet:
[See PDF for image]
Source: GAO.
[End of figure]
The networks that make up the Internet communicate via standardized
rules called protocols. These rules can be considered voluntary because
there is no formal institutional or governmental mechanism for
enforcing them. However, if any computer deviates from accepted
standards, it risks losing the ability to communicate with other
computers that follow the standards. Thus, the rules are essentially
self enforcing. One critical set of rules is the Transmission Control
Protocol/Internet Protocol suite. These protocols define a detailed
process that a sender and receiver agree upon for exchanging data. They
describe the flow of data between the physical connection to the
network and on to the end-user application. Specifically, these
protocols control the addressing of a message by the sender, its
division into packets, its transmission across networks, and its
reassembly and verification by the receiver. This protocol suite has
become the de facto communication standard of the Internet because many
standard services (including mail transfer, news, and Web pages) are
available on systems that support these protocols.[Footnote 4]
Another critical set of protocols, collectively known as the Domain
Name System, ensures the uniqueness of each e-mail and Web site
address. This system links names like www.senate.gov with the
underlying numerical addresses that computers use to communicate with
each other. It translates names into addresses and back again in a
process invisible to the end user. This process relies on a system of
servers, called domain name servers, which store data linking names
with numbers. Each domain name server stores a limited set of names and
numbers. They are linked by a series of 13 root servers, which
coordinate the data and allow users to find the server that identifies
the sites they want to reach. Domain name servers are organized into a
hierarchy that parallels the organization of the domain names. For
example, when someone wants to reach the Web site at www.senate.gov,
his or her computer will ask one of the root servers for help.[Footnote
5] The root server will direct the query to a second server that knows
the location of names ending in the .gov top-level domain.[Footnote 6]
If the address includes a subdomain, the second server refers the query
to a third server--in this case, one that knows the addresses for all
names ending in senate.gov. The third server will then respond to the
request with a numerical address, which the original requester uses to
establish a direct connection with the www.senate.gov site. Figure 2
illustrates this example.
Figure 2: How the Domain Name System Translates a Web Site Name into a
Numerical Address:
[See PDF for image]
Source: GAO.
[End of figure]
Another critical set of rules is called the Border Gateway Protocol--a
protocol for routing packets between autonomous systems.[Footnote 7]
This protocol is used by routers located at network nodes to direct
traffic across the Internet. Typically, routers that use this protocol
maintain a routing table that lists all feasible paths to a particular
network. They also determine metrics associated with each path (such as
cost, stability, and speed), so that the best available path can be
chosen. This protocol is important because if a certain path becomes
unavailable, the system will send data over the next best path (see
fig. 3).
Figure 3: Example of Dynamic Routing Using Border Gateway Protocol:
[See PDF for image]
Source: GAO.
[End of figure]
The Internet Is a Critical Information Infrastructure:
From its origins in the 1960s as a research project sponsored by the
U.S. government, the Internet has grown increasingly important to both
American and foreign businesses and consumers, serving as the medium
for hundreds of billions of dollars of commerce each year. According to
the U.S. Census Bureau, retail e-commerce sales in the United States
were an estimated $86 billion in 2005. The Internet has also become an
extended information and communications infrastructure, supporting
vital services such as power distribution, health care, law
enforcement, and national defense.
Federal regulation recognizes the need to protect critical
infrastructures. In December 2003, the President updated a national
directive for federal departments and agencies to identify and
prioritize critical infrastructure sectors and key resources and to
protect them from terrorist attack. (See: table 1 for a list of
critical infrastructure sectors.)[Footnote 8] This directive recognized
that since a large portion of these critical infrastructures is owned
and operated by the private sector, a public/ private partnership is
crucial for the successful protection of these critical
infrastructures.
Table 1: Critical Infrastructure Sectors:
Sector: Agriculture;
Description: Provides for the fundamental need for food. The
infrastructure includes supply chains for feed and crop production.
Sector: Banking and finance;
Description: Provides the financial infrastructure of the nation. This
sector consists of commercial banks, insurance companies, mutual funds,
government-sponsored enterprises, pension funds, and other financial
institutions that carry out transactions, including clearing and
settlement.
Sector: Chemicals and hazardous materials;
Description: Transforms natural raw materials into commonly used
products benefiting society's health, safety, and productivity. The
chemical industry produces more than 70,000 products that are essential
to automobiles, pharmaceuticals, food supply, electronics, water
treatment, health, construction, and other necessities.
Sector: Commercial facilities;
Description: Includes prominent commercial centers, office buildings,
sports stadiums, theme parks, and other sites where large numbers of
people congregate to pursue business activities, conduct personal
commercial transactions, or enjoy recreational pastimes.
Sector: Dams;
Description: Comprises approximately 80,000 dam facilities, including
larger and nationally symbolic dams that are major components of other
critical infrastructures that provide electricity and water.
Sector: Defense industrial base;
Description: Supplies the military with the means to protect the nation
by producing weapons, aircraft, and ships and providing essential
services, including information technology and supply and maintenance.
Sector: Drinking water and water treatment systems;
Description: Sanitizes the water supply through about 170,000 public
water systems. These systems depend on reservoirs, dams, wells,
treatment facilities, pumping stations, and transmission lines.
Sector: Emergency services;
Description: Saves lives and property from accidents and disasters.
This sector includes fire, rescue, emergency medical services, and law
enforcement organizations.
Sector: Energy;
Description: Provides the electric power used by all sectors and the
refining, storage, and distribution of oil and gas. This sector is
divided into electricity and oil and natural gas.
Sector: Food;
Description: Carries out the postharvesting of the food supply,
including processing and retail sales.
Sector: Government;
Description: Ensures national security and freedom and administers key
public functions.
Sector: Government facilities;
Description: Includes the buildings owned and leased by the federal
government for use by federal entities.
Sector: Information technology;
Description: Produces hardware, software, and services that enable
other sectors to function.
Sector: National monuments and icons;
Description: Includes key assets that are symbolically equated with
traditional American values and institutions or U.S. political and
economic power.
Sector: Nuclear reactors, materials, and waste;
Description: Includes 104 commercial nuclear reactors;
research and test nuclear reactors;
nuclear materials;
and the transportation, storage, and disposal of nuclear materials and
waste.
Sector: Postal and shipping;
Description: Delivers private and commercial letters, packages, and
bulk assets. The United States Postal Service and other carriers
provide the services of this sector.
Sector: Public health and healthcare;
Description: Mitigates the risk of disasters and attacks and also
provides recovery assistance if an attack occurs. This sector consists
of health departments, clinics, and hospitals.
Sector: Telecommunications;
Description: Provides wired, wireless, and satellite communications to
meet the needs of businesses and governments.
Sector: Transportation;
Description: Enables movement of people and assets that are vital to
our economy, mobility, and security, using aviation, ships, rail,
pipelines, highways, trucks, buses, and mass transit.
Sources: Homeland Security Presidential Directive 7 and the National
Strategy for Homeland Security.
[End of table]
In its plan for protecting these critical infrastructures, DHS
recognizes that the Internet is a key resource composed of assets
within both the information technology and the telecommunications
sectors.[Footnote 9] It notes that the Internet is used by all sectors
to varying degrees, and that it provides information and communications
to meet the needs of businesses, government, and the other critical
infrastructure sectors. Similarly, the national cyberspace strategy
states that cyberspace is the nervous system supporting our nation's
critical infrastructures and recognizes the Internet as the core of our
information infrastructure.[Footnote 10]
It is also important to note that there are critical interdependencies
between sectors. For example, the telecommunications and information
technology sectors, like many other sectors, depend heavily on the
energy sector.
Attacks on the Information Infrastructure Are Increasing:
In recent years, cyber attacks involving malicious software or hacking
have been increasing in frequency and complexity. These attacks can
come from a variety of actors. Table 2 lists sources of cyber threats
that have been identified by the U.S. intelligence community.
Table 2: Sources of Cyber Threats Identified by the U.S. Intelligence
Community:
Threat: Bot-network operators;
Description: Bot-network operators are hackers;
however, instead of breaking into systems for the challenge or bragging
rights, they take over multiple systems to enable them to coordinate
attacks and to distribute phishing[A] schemes or malwareb attacks.
Threat: Criminal groups;
Description: Criminal groups attack systems for monetary gain.
Specifically, organized crime groups are using spam, phishing, and
spyware/malware to commit identity theft and online fraud.
International corporate spies and organized crime organizations also
pose a threat to the United States through their ability to conduct
industrial espionage and large-scale monetary theft and to hire or
develop hacker talent.
Threat: Foreign intelligence services;
Description: Foreign intelligence services use cyber tools as part of
their information- gathering and espionage activities. In addition,
several nations are aggressively working to develop information warfare
doctrine, programs, and capabilities. Such capabilities would enable a
single entity to have a significant and serious impact by disrupting
the supply, communications, and economic infrastructures that support
military power--impacts that could affect the daily lives of U.S.
citizens across the country.
Threat: Hackers;
Description: Hackers break into networks for the thrill of the
challenge or for bragging rights within the hacker community. Although
remote cracking once required a fair amount of skill or computer
knowledge, hackers can now download attack scripts and protocols from
the Internet and launch them against victim sites. Thus, while attack
tools have become more sophisticated, they also have become easier to
use. According to the Central Intelligence Agency, the large majority
of hackers do not have the requisite tradecraft to threaten difficult
targets, such as critical U.S. networks. Nevertheless, the worldwide
population of hackers poses a relatively high threat of causing an
isolated or brief disruption that results in serious damage.
Threat: Insiders;
Description: The disgruntled organization insider is a principal source
of computer crime. Insiders may not need a great deal of knowledge
about computer intrusions because their knowledge of a target system
often allows them to gain unrestricted access to cause damage to the
system or to steal system data. The insider threat also includes
outsourcing vendors as well as employees who accidentally introduce
malware into systems.
Threat: Spyware/Malware authors;
Description: Individuals or organizations with malicious intent carry
out attacks against users by producing and distributing spyware and
malware. Several destructive computer viruses and worms have harmed
files and hard drives, including the Melissa Macro Virus, the
Explore.Zip worm, the CIH (Chernobyl) Virus, NIMDA, Code Red, Slammer,
and Blaster.
Threat: Terrorists;
Description: Terrorists seek to destroy, incapacitate, or exploit
critical infrastructures in order to threaten national security, cause
mass casualties, weaken the U.S. economy, and damage public morale and
confidence. Terrorists may use malicious software to gather sensitive
information.
Source: GAO analysis of data from the Federal Bureau of Investigation,
the Central Intelligence Agency, and the Software Engineering
Institute's CERTŪ Coordination Center.
[A] Phishing involves the creation and use of e-mail and Web sites that
are designed to look like the e-mail and Web sites of well-known
legitimate businesses or government agencies, in order to deceive
Internet users into disclosing their personal data for criminal
purposes, such as identity theft and fraud.
[B] Spyware/Malware is software designed with a malicious intent, such
as a virus.
[End of table]
An intelligence report on global trends[Footnote 11] forecast that
terrorists may develop capabilities to conduct both cyber and physical
attacks against nodes of the world's information infrastructure--
including the Internet and other systems that control critical
industrial processes--such as electricity grids, refineries, and flood
control mechanisms. The report stated that terrorists already have
specified the U.S. information infrastructure as a target and currently
are capable of physical attacks that would cause at least brief,
isolated disruptions.
According to a Congressional Research Service report, the annual
worldwide cost of major cyber attacks was, on average, $13.5 billion
from 2000 to 2003. A more recently published report estimated that the
worldwide financial impact of virus attacks was $17.5 billion in 2004
and $14.2 billion in 2005.
Multiple Organizations Could Help in Recovering the Internet from a
Major Disruption:
In the event of a major Internet disruption, multiple organizations
could help recover Internet service. These organizations include
private industry, collaborative groups, and government organizations.
Private industry is central to Internet recovery because private
companies own the vast majority of the Internet's infrastructure and
often have response plans. Collaborative groups--including working
groups and industry councils--provide information-sharing mechanisms to
allow private organizations to restore services. Additionally,
government initiatives could facilitate responding to major Internet
disruptions.
Private Industry:
Private industry organizations are critical to recovering Internet
services in the event of a major disruption because they own and
operate the vast majority of the Internet's infrastructure. This group
of Internet infrastructure owners and operators includes
telecommunications companies (such as AT&T and Verizon Communications),
cable companies (such as Cox Communications and Time Warner Cable),
Internet service providers (such as AOL and EarthLink), and root server
operators (such as VeriSign and the University of Maryland). These
entities own or operate cable lines; telephone lines; fiber-optic
cables; or critical core systems, such as network routers and domain
name servers.
These private companies currently deal with cyber attacks and physical
disruptions on the Internet on a regular basis. According to
representatives of Internet infrastructure owners and operators, these
firms typically have disaster recovery plans in place. For example, a
representative from a major telecommunications company stated that the
company has emergency response plans for its primary and secondary
emergency operations centers. Similarly, representatives of a cable
trade association reported that most cable companies have standard
disaster recovery plans and a network operations center from which they
can monitor recovery operations.
Infrastructure representatives also noted that in the event of a
network disruption, companies that are competitors work together to
resolve the disruption. They said that although the companies are
competitors, they have a business interest in cooperating because it is
common to rely on each other's networks. For example, a representative
of a major telecommunications company noted that the company has
"mutual-aid" agreements with its competitors to exchange technicians
and hardware in the event of an emergency.
Collaborative Groups:
Collaborative groups--working groups and industry councils that the
private and public sectors have established to allow technical
information sharing--help handle and recover from Internet disruptions.
These collaborative groups are usually composed of individuals and
experts from separate organizations. In the event of a major Internet
disruption, these groups allow individuals from different companies to
exchange information in order to assess the scope of the disruption and
to restore services. Table 3 provides descriptions of selected
collaborative groups.
Table 3: Examples of Collaborative Groups:
Group: North American Network Operators Group;
Description: This group of network operators coordinates and
disseminates technical information related to backbone/enterprise
networking technologies and operational practices. It was originally
established to discuss operational issues regarding the National
Science Foundation's high-speed research and education network, which
became the Internet. In the mid-1990s, the group revised its charter to
include a broader base of network service providers. Although the
National Science Foundation originally funded the group, it is now
funded by conference registration fees and donations from vendors:
Through the group's mailing list, members collaborate and assist each
other in resolving network operating issues. In the event of a major
Internet disruption, these information- sharing mechanisms are used to
resolve issues related to the disruption. For example, group members
used their mailing list to collaborate with each other when the Slammer
worm hit in January 2003, causing significant Internet congestion.
Through the mailing list, members were able to corroborate events and
share mitigation strategies.
Group: Network Service Providers Security Consortium;
Description: This group was originally established in 2001 to allow
individuals in the network service provider community to coordinate on
network security issues and problems. Its primary information-sharing
mechanism is through its e-mail list. Members of the list who observe
disruptions or malicious activity can post their observations or
concerns to the list, and other members can take action or provide
assistance. Membership in the list is only available to those who have
been identified by other group members as having a relevant need for
the information on the list. As of March 2006, approximately 500 people
subscribe to the list. If the list were not available or an issue
needed to be addressed immediately, the group's organizer would be able
to coordinate collaboration between the necessary parties:
According to the group's organizer, the closed nature of the list is
crucial to its value. The limited membership allows the building of
trusted relationships and gives each member confidence that information
posted to the list will not be misused. The organizer stated that the
list has been very effective at resolving disruption issues. For
example, the consortium's mailing list played a major role in resolving
the root Domain Name System server attacks that occurred in October
2002.
Group: Packet Clearing House;
Description: The Packet Clearing House is a nonprofit research
institute that supports operations and analyses in the areas of
Internet traffic exchange, routing economics, and global network
development. It hosts a hotline telephone system, called the Inter-
Network Operations Center Dial-By-Autonomous System Number (a unique
identifier for autonomous systems on the Internet). This system is a
global voice telephony network that connects the network operations
centers and security incident response teams of critical Internet
infrastructure owners and operators, such as backbone providers,
Internet service providers, and Internet exchange point operators. The
hotline also connects critical individuals within the policy,
regulatory, Internet governance, security, and vendor communities. The
hotline is a closed system, ensuring secure and authenticated
communications. It uses a combination of mechanisms to create a
resilient, high-survivability network. Additionally, the hotline
telephone system carries both routine operational traffic and emergency-
response traffic. Representatives of several Internet service providers
noted that they use this system to contact other network operators in
order to resolve problems quickly.
Group: Information Technology Information Sharing and Analysis Center;
Description: This center is made up of representatives of companies
from across the information technology industry. It helps facilitate
operational information sharing, communication with other
infrastructure sectors, and crisis response:
The center works to improve security, reliability, and disaster
recovery in information technology. The center identifies threats and
vulnerabilities to information technology infrastructure (including the
Internet) and shares best practices for how to quickly and properly
address them. The representatives also stated that the Information
Technology Information Sharing and Analysis Center facilitates
information sharing and participates in exercises to test its ability
to respond to incidents such as a major Internet disruption. For
example, the center assisted with DHS's recent Cyber Storm exercise in
February 2006. The center took a leadership role in Cyber Storm and
prepared a concept of operations that addressed incident response to
cyber or physical attacks.
Group: Telecommunications Information Sharing and Analysis Center;
Description: In 1984, following the divestiture of AT&T, the National
Coordinating Center for Telecommunications was established to allow
information sharing between representatives of the telecommunications
companies. In January 2000, the center was designated the information
sharing and analysis center for the telecommunications industry. The
center is unique among information sharing and analysis centers in that
it is actually a joint government/industry operation:
According to a center representative, the main role of the
Telecommunications Information Sharing and Analysis Center during an
Internet disruption is to provide a protected forum in which industry
members can collaborate and freely share information. In turn, this
coordination effort will help expedite the overall Internet recovery.
The industry chair of the center noted that this forum enables members
to form trusted relationships with each other where they otherwise may
not exist between competitors. An example of this cooperation occurred
during the Code Red and NIMDA cyber attacks. Center members coordinated
to understand and mitigate the attacks.
Group: National Security Telecommunications Advisory Committee;
Description: This committee provides industry-based analyses and
recommendations to the President and the executive branch regarding
telecommunications policy and proposals for enhancing national security
and emergency preparedness. The committee is made up of 30
Presidentially appointed industry leaders, usually chief executive
officers of companies in the telecommunications industry. Since the
committee is composed of telecommunications executives, their role in
Internet recovery is strategic as opposed to operational:
Members of the committee have long established relationships with DHS's
National Communications System and National Coordinating Center for
Telecommunications. Committee representatives reported that the
committee works closely with these entities during response and
recovery activities following a terrorist attack or natural disaster.
The committee and these entities also share information related to a
variety of other issues, including modifications to federal policy
associated with telecommunications in support of national security and
emergency preparedness and changes in the commercial telecommunications
marketplace:
Additionally, the committee publishes reports that cover topics related
to Internet recovery. In an October 2005 report, the committee provides
an industry perspective on lessons learned in responding to the
September 11, 2001, terrorist attacks. In the October report, the
committee deemed Internet services to be increasingly important in
disaster response and central to the mission-critical operations of
business and government agencies, and it identified steps the
government could take to help the coordination center better address
potential network security issues, such as distributed denial- of-
service attacks and software viruses.
Source: GAO.
[End of table]
Government Organizations--DHS:
Federal policies and plans[Footnote 12] assign DHS lead responsibility
for facilitating a public/private response to and recovery from major
Internet disruptions. Within DHS, responsibilities reside in two
divisions within the Preparedness Directorate: the National Cyber
Security Division (NCSD) and the National Communications System (NCS).
NCSD operates the U.S. Computer Emergency Readiness Team (US-CERT),
which coordinates defense against and response to cyber attacks. The
other division, NCS, provides programs and services that ensure the
resilience of the telecommunications infrastructure in times of crisis.
National Cyber Security Division:
In June 2003, DHS created NCSD to serve as a national focal point for
addressing cybersecurity issues and to coordinate the implementation of
the National Strategy to Secure Cyberspace. Its mission is to secure
cyberspace and America's cyber assets in cooperation with public,
private, and international entities.
NCSD is the government lead on a public/private partnership supporting
the US-CERT, an operational organization responsible for analyzing and
addressing cyber threats and vulnerabilities and disseminating cyber-
threat warning information. In the event of an Internet disruption, US-
CERT facilitates coordination of recovery activities with the network
and security operations centers of owners and operators of the Internet
and with government incident response teams.
NCSD also serves as the lead for the federal government's cyber
incident response through the National Cyber Response Coordination
Group. This group is the principal federal interagency mechanism for
coordinating the preparation for, and response to, significant cyber
incidents--such as a major Internet disruption. In the event of a major
disruption, the group convenes to facilitate intragovernmental and
public/private preparedness and operations. The group brings together
officials from national security, law enforcement, defense,
intelligence, and other government agencies that maintain significant
cybersecurity responsibilities and capabilities. Members use their
established relationships with the private sector and with state and
local governments to help coordinate and share situational awareness,
manage a cyber crisis, develop courses of action, and devise response
and recovery strategies.
NCSD also recently formed the Internet Disruption Working Group, which
is a partnership between NCSD, NCS, the Department of the Treasury, the
Department of Defense, and private-sector companies, to plan for ways
to improve DHS's ability to respond to and recover from major Internet
disruptions. The goals of the working group are to identify and
prioritize the short-term protective measures necessary to prevent
major disruptions to the Internet or reduce their consequences and to
identify reconstitution measures in the event of a major disruption.
National Communications System:
NCS is responsible for ensuring a communications infrastructure for the
federal government under all conditions--ranging from normal situations
to national emergencies and international crises. NCS is composed of
members from 23 federal departments and agencies.[Footnote 13] Although
originally focused on traditional telephone service, due to the
convergence of the Internet and telecommunications NCS has taken a
larger role in Internet-related issues and has partnered with NCSD and
private companies to address issues related to major Internet
disruptions. For example, NCS now helps manage issues related to
disruptions of the Internet backbone (e.g., high-capacity data routes).
The National Coordinating Center for Telecommunications (National
Coordinating Center), which serves as the operational component of NCS,
also has a role in Internet recovery. The center has eight resident
industry members (representing companies that were originally telephone
providers) as well as additional nonresident members, including
representatives of newer, more Internet-oriented companies. During a
major disruption to telecommunications services, the center
communicates with both resident and nonresident members, with the goal
of restoring service as soon as possible. In the event of a major
Internet disruption, the National Coordinating Center plays a role in
the recovery effort through its partnerships and collaboration with
telecommunications and Internet-related companies.
Government Organizations--Federal Communications Commission:
The Federal Communications Commission can support Internet recovery by
coordinating resources for restoring the basic communications
infrastructures over which Internet services run. For example, after
Hurricane Katrina, the commission granted temporary authority for
private companies to set up wireless Internet communications supporting
various relief groups; federal, state, and local government agencies;
businesses; and victims in the disaster areas.
The commission also sponsors the Network Reliability and
Interoperability Council. A primary goal of the council is to prevent
Internet disruptions from occurring in the first place. The council has
developed a list of best practices for Internet disaster recovery that
provides guidance on strategic issues (such as exercising disaster
recovery plans) as well as operational issues (such as how to restore a
corrupt domain name server).[Footnote 14]
Prior Evaluations of DHS's Cybersecurity Responsibilities Have
Highlighted Issues and Challenges Facing the Department:
In May 2005, we issued a report on DHS's efforts to fulfill its
cybersecurity responsibilities.[Footnote 15] We noted that while DHS
had initiated multiple efforts to fulfill its responsibilities, it had
not fully addressed any of the 13 key cybersecurity responsibilities
(see table 4) noted in federal law and policy. For example, we noted
that the department established US-CERT as a public/private partnership
to make cybersecurity a coordinated national effort, and it established
forums to build greater trust and information sharing among federal
officials with information security responsibilities and with law
enforcement entities. However, DHS had not yet developed national cyber
threat and vulnerability assessment or government/industry
cybersecurity recovery plans--including a plan for recovering key
Internet functions.
We also noted in our May 2005 report that DHS faced a number of
challenges that have impeded its ability to fulfill its cyber
responsibilities. These challenges included achieving organizational
stability, gaining organizational authority, overcoming hiring and
contracting issues, increasing awareness of cybersecurity roles and
capabilities, establishing effective partnerships with stakeholders,
achieving two-way information sharing with stakeholders, and
demonstrating the value that DHS can provide. We made recommendations
to the department to strengthen its ability to implement key
responsibilities by completing critical activities and resolving
underlying challenges. DHS agreed that strengthening cybersecurity is
central to protecting the nation's critical infrastructures and that
much remained to be done, but it has not yet addressed our
recommendations. We continue to evaluate DHS's progress in implementing
our recommendations.
Table 4: DHS's Key Cybersecurity Responsibilities:
* Develop a national plan for critical infrastructure protection,
including cybersecurity.
* Develop partnerships and coordinate with other federal agencies,
state and local governments, and the private sector.
* Improve and enhance public/private information sharing involving
cyber attacks, threats, and vulnerabilities.
* Develop and enhance national cyber analysis and warning capabilities.
* Provide and coordinate incident response and recovery planning
efforts;
* Identify and assess cyber threats and vulnerabilities.
* Support efforts to reduce cyber threats and vulnerabilities.
* Promote and support research and development efforts to strengthen
cyberspace security.
* Promote awareness and outreach.
* Foster training and certification.
* Enhance federal, state, and local government cybersecurity.
* Strengthen international cyberspace security.
* Integrate cybersecurity with national security.
Source: GAO analysis of law and policy.
[End of table]
Although Both Cyber and Physical Incidents Have Caused Disruptions, the
Internet Has Not Yet Suffered a Catastrophic Failure:
The Internet's infrastructure is vulnerable to disruptions in service
due to terrorist and other malicious attacks, natural disasters,
accidents, technological problems, or a combination of the above.
Disruptions to Internet service can be caused by cyber and physical
incidents--both intentional and unintentional. Private network
operators routinely deal with Internet disruptions of both types.
Recent cyber and physical incidents have caused localized or regional
disruptions, highlighting the importance of recovery planning. However,
these incidents have also shown the Internet as a whole to be flexible
and resilient. Even in severe circumstances, the Internet has not yet
suffered a catastrophic failure.
Internet Disruptions Have Been Caused by Both Cyber and Physical
Incidents:
The Internet can be disrupted by either cyber or physical incidents, or
by a combination of the two. These incidents can be intentional (such
as a cyber attack or a terrorist attack on our nation's physical
infrastructure) or unintentional (such as a software malfunction or a
natural disaster). Table 5 provides examples of intentional and
unintentional cyber and physical incidents.
Table 5: Examples of Potential Internet Disruptions:
Intentional act;
Cyber incident:
* malicious code (virus, worm, or other attack);
* hacking;
* distributed denial-of-service attack;
* insider manipulating systems (changing router configurations);
Physical incident:
* terrorist bomb;
* foreign nation attack;
* intentional cutting of fiber-optic cables.
Unintentional act;
Cyber incident:
* software glitch;
* hardware malfunction;
* improper configuration of software or hardware;
Physical incident:
* severe natural event (hurricane, earthquake, or flood);
* accidental cutting of fiber-optic cables;
* other industrial accidents (chemical spill or fire).
Source: GAO.
[End of table]
A cyber incident could cause a disruption if it affects a network
protocol or an application that is integral to the working of the
Internet. A cyber incident could be unintended (such as a software
problem) or intended (such as an attack using malicious software or
hacking that causes a disruption of service). Unintended incidents have
caused significant disruptions in the past. For example, in 1998, a
major Internet backbone provider had a massive outage due to a software
flaw in the infrastructure that caused systems to crash;
in 2002, a different provider had an outage due to a router with a
faulty configuration.
Intentional incidents, or malicious attacks, have been increasing in
frequency and complexity and recently have been linked to organized
crime. Examples of malicious attacks include viruses and worms. Viruses
and worms are often used to launch denial-of-service attacks, which
flood targeted networks and systems with so much data that regular
traffic is either slowed or stopped. Such attacks have been used ever
since the groundbreaking Morris worm in November 1988, which brought 10
percent of the systems connected to the Internet to a halt. More
recently, in 2001, the Code Red worm used a denial-of-service attack to
affect millions of computer users by shutting down Web sites, slowing
Internet service, and disrupting business and government
operations.[Footnote 16]
Cyber attacks can also cause Internet disruptions by targeting specific
protocols, such as the Border Gateway Protocol or the Domain Name
System. If a vulnerability in the Border Gateway Protocol was
exploited, the ability of Internet traffic to reach its destination
could be limited or halted. Some experts believe that it could take
weeks to recover from a major attack on the Border Gateway Protocol.
The Domain Name System is also susceptible to various attacks,
including the corruption of stored domain name information and the
misdirection of addresses. Recently, hackers have used domain name
servers to launch denial-of-service attacks--thereby amplifying the
strength of the attacks. A network security expert stated that there
have been numerous attacks of this type recently, and that some attacks
have targeted top-level domains[Footnote 17] and Internet service
providers. Attacks against top-level domain servers could disrupt
users' capability to connect to various Internet addresses. It could
take several days to recover from a massive disruption of the domain
name server system.
As the number of individuals with computer skills has increased, more
intrusion, or hacking, tools have become readily available and
relatively easy to use. Frequently, skilled hackers develop
exploitation tools and post them on Internet hacking sites. These tools
are then readily available for others to download, allowing even
inexperienced programmers to create a computer virus or to literally
point and click to launch an attack. According to the National
Institute of Standards and Technology, 30 to 40 new attack tools are
posted on the Internet every month. Experts also agree that there has
been a steady advance in the sophistication and effectiveness of attack
technology.
In the case of insider incidents, these tools may not even be
necessary, because insiders often have unfettered access to their
employers' computer systems. In one incident, an insider installed
unauthorized backdoor access to his employer's systems. After his
termination, the insider used these back doors to gain access to the
systems and to delete accounts, change passwords, and delete security
logs. While this is a case of an insider disrupting a single network,
an insider could also use this knowledge to disrupt the operation of an
Internet service provider. For example, an insider at a company that
develops critical routing hardware might be able to use specific
technical knowledge of the products to create an attack that could
disrupt networks that use that particular equipment.
To date, cyber attacks have caused various degrees of damage. The
following case studies provide examples of cyber attacks;
the effects of these attacks;
and the government's role, if any, in recovery (see figs. 4 and 5).
Figure 4: Case Study--The Slammer Worm:
On Saturday, January 25, 2003, the Slammer worm infected more than 90
percent of vulnerable computers worldwide within 10 minutes of its
release on the Internet by exploiting a known vulnerability for which a
patch had been available since July 2002. Slammer caused network
outages, canceled airline flights, and automated teller machine
failures. In addition, the Nuclear Regulatory Commission confirmed that
the Slammer worm had infected a private computer network at a nuclear
power plant, disabling a safety monitoring system for nearly 5 hours
and causing the plant's process computer to fail. The worm reportedly
also affected communications on the control networks of at least five
utilities by propagating so quickly that control system traffic was
blocked. In addition, on Monday, January 27, the worm infected more
networks when U.S. and European business hours started. Cost estimates
on the impact of the worm range from $1.05 billion to $1.25 billion.
Slammer resulted in temporary loss of Internet access to some users and
increased network traffic worldwide. Postincident studies noted that if
the worm had been malicious or had exploited more widespread
vulnerabilities, it would have caused a significant disruption to
Internet traffic.
Responses to Slammer were quick. Within 1 hour, Web site operators were
able to filter the worm. The disruption was partly resolved by network
operators blocking the main communication channel that the worm was
using, which helped control the spread of the worm. Security experts
advised network operators to use firewalls to block the channel and to
apply the patch before reconnecting services. In addition, private-
sector network operators used the North American Network Operators
Group mailing list to collaborate with each other in restoring infected
networks. The federal government coordinated with security companies
and Internet service providers and released an advisory recommending
that federal departments and agencies patch and block access to the
affected channel. However, most of these activities occurred after the
worm had stopped spreading because it had propagated so quickly.
Source: GAO analysis of GAO and other published reports.
[End of Figure]
Figure 5: Case Study--A Root Server Attack:
On Monday, October 21, 2002, a coordinated denial-of-service attack was
launched against all of the root servers in the Domain Name System. All
13 root servers, located around the world, were targeted. The root
servers experienced an unusually high volume of traffic. Two root
server operators reported that traffic was 3 times the normal level,
while another reported that traffic was 10 times the normal level. The
attacks lasted for approximately 1 hour and 15 minutes. While reports
of the attack differ, they all agreed that at least 9 of the servers
experienced degradation in service. Specifically, 7 failed to respond
to legitimate network traffic and 2 others failed intermittently during
the attack.
Some root servers were unreachable from many parts of the global
Internet because of traffic congestion from the attack. While all of
the servers continued to answer any queries they received (because of
their substantial backup capacity), many did not receive all of the
queries that had been routed to them due to the high volume of traffic.
However, average end users hardly noticed the attack. The attack became
visible only as a result of various Internet health- monitoring
projects. According to experts, the root name servers would have to be
down for several hours before the effects would be noticeable to end
users.
The response to these attacks was handled by the server operators and
their service providers. The Domain Name System servers worked as they
were designed to, and demonstrated robustness against a concerted,
synchronized attack. However, the attack pointed to a need to increase
the capacity of servers at Internet exchange points in order to manage
the high volumes of data traffic that occur during an attack. The
attacks led to systems receiving faster-than-normal upgrades. According
to experts familiar with the attack, the government did not have a role
in recovering from this attack.
Source: GAO analysis of interviews and published reports from sources,
including root name server operators and current and former government
officials.
[End of Figure]
A physical incident could be caused by an intentional attack, a natural
disaster, or an accident. For example, terrorist attacks, storms,
earthquakes, and unintentional cutting of cables can all cause physical
disruptions. Physical incidents causing Internet and telecommunications
disruptions occur regularly--often as a result of the accidental
cutting of cable lines. Physical incidents could affect various aspects
of the Internet infrastructure, including underground or undersea
cables and facilities that house telecommunications equipment, Internet
exchange points, or Internet service providers. Such incidents could
also disrupt the power infrastructure--leading to an extended power
outage and thereby disrupting telecommunications and Internet service.
The following case studies provide examples of physical incidents that
caused Internet disruptions and the effect of these incidents (see
figs. 6 to 8).
Figure 6: Case Study--The Baltimore Train Tunnel Fire:
On July 18, 2001, a 60-car freight train derailed in a Baltimore
tunnel, causing a fire that interrupted Internet and data services
between Washington and New York. The tunnel housed fiber-optic cables
that served seven of the biggest U.S. Internet service providers. The
fire burned and severed fiber-optic cables, causing backbone slowdowns
for at least three major Internet service providers. There were
sporadic reports from across the Northeast corridor about service
disruptions and delays. For example, users in Baltimore did not suffer
disrupted service, while users in Washington D.C. did suffer
disruptions. In addition, there were selected impacts far outside the
disaster zone. For example, the U.S. embassy in Lusaka, Zambia,
experienced problems with e-mail. Two of the service providers had
service restored within 2 days. Despite the outages caused by the fire,
the Internet continued to operate.
Efforts to recover Internet service were handled by the affected
Internet service providers. City officials also worked with
telecommunications and networking companies to reroute cables. Other
federal and local government efforts to resolve the disruption
consisted of responding to the immediate physical issues of
extinguishing the fire, maintaining safety in the surrounding area, and
rerouting traffic.
Source: GAO analysis of a Department of Transportation report.
[End of Figure]
Figure 7: Case Study--The September 11, 2001, Terrorist Attack on the
World Trade Center:
[See PDF for image]
Source: GAO analysis of report entitled The Internet Under Crisis
Conditions: Learning from September 11, the National Research Council,
National Academy Press: Washington, D.C., 2003, and other published
reports.
[End of figure]
Figure 8: Case Study--Hurricane Katrina:
[See PDF for image]
Sources: GAO analysis of published reports and testimonies by DHS, FCC,
NSTAC, and Renesys as well as interviews with private-sector officials.
[End of figure]
The Internet Has Not Yet Experienced a Catastrophic Disruption:
Since its inception, the Internet has experienced disruptions of
varying scale--from fast-spreading worms, to denial-of-service attacks,
to physical destruction of key infrastructure components. However, the
Internet has yet to experience a catastrophic disruption. Experts
agree--and case studies show--that the Internet is resilient and
flexible enough to handle and recover from many types of disruptions.
While specific regions may experience Internet disruptions, backup
servers and the ability to reroute traffic limit the effect of many
targeted attacks. These efforts highlight the importance of recovery
planning.
However, it is possible that a complex attack or set of attacks could
cause the Internet to fail. It is also possible that a series of
attacks against the Internet could undermine users' trust--and thereby
reduce the Internet's utility.
Existing Laws and Regulations Apply to the Internet, but Numerous
Uncertainties Exist in Using Them for Internet Recovery:
Several federal laws and regulations provide broad guidance that
applies to the Internet infrastructure, but it is not clear how useful
these authorities would be in helping to recover from a major Internet
disruption, because some do not specifically address Internet recovery
and others have seldom been used. Pertinent laws and regulations
address critical infrastructure protection, federal disaster response,
and the telecommunications infrastructure (see app. II for additional
details).
Specifically, the Homeland Security Act of 2002[Footnote 18] and
Homeland Security Presidential Directive 7[Footnote 19] establish
critical infrastructure protection as a national goal and describe a
strategy for cooperative efforts by the government and the private-
sector to protect the cyber-and physical-based systems that are
essential to the operations of both the economy and the government.
These authorities apply to the Internet because it is a core
communications infrastructure supporting the information technology and
telecommunications sectors. However, this law and regulation do not
specifically address roles and responsibilities in the event of an
Internet disruption.
Regarding federal disaster response, the Defense Production
Act[Footnote 20] and the Stafford Act[Footnote 21] provide authority to
federal agencies to plan for and respond to incidents of national
significance--like disasters and terrorist attacks. Specifically, the
Defense Production Act authorizes the President to ensure the timely
availability of products, materials, and services needed to meet the
requirements of a national emergency. The act is applicable to critical
infrastructure protection and restoration, but it has never been used
for Internet recovery. The Stafford Act authorizes federal assistance
to states, local governments, nonprofit entities, and individuals in
the event of a major disaster or emergency. However, the act does not
authorize assistance to for-profit companies--such as those that own
and operate core Internet components. Several representatives of
private companies reported that they were unable to obtain needed
resources to restore the communications infrastructure in the aftermath
of Hurricane Katrina because the act does not extend to for-profit
companies.
Other legislation and regulations, including the Communications Act of
1934[Footnote 22] and the National Communications System (NCS)
authorities,[Footnote 23] govern the telecommunications infrastructure
and help ensure communications during national emergencies. The act
governs the regulation of the telecommunications infrastructure upon
which the Internet depends. However, coverage of the Internet is
subsumed in provisions that govern interstate wire and radio
communications, and there is no specific provision governing Internet
recovery. NCS authorities establish guidance for operationally
coordinating with industry to protect and restore key national security
and emergency preparedness communications services. These authorities
grant the President certain emergency powers regarding
telecommunications, including the authority to require any carrier
subject to the Communications Act of 1934 to grant preference or
priority to essential communications.[Footnote 24] The President may
also, in the event of war or national emergency, suspend regulations
governing wire and radio transmissions and authorize the use or control
of any such facility or station and its apparatus and equipment by any
department of the government. Although these authorities remain in
force and are implemented in the Code of Federal Regulations, they have
been seldom used--and never for Internet recovery. Thus, it is not
clear how effective they would be if used for this purpose.
In commenting on the statutory authority for Internet reconstitution
following a disruption, DHS agreed that this authority is lacking and
noted that the government's roles and authorities related to assisting
Internet reconstitution following a disruption are not fully defined.
In a written response, DHS attorneys identified several statutes and
other authorities that provide authority for the NCS telecommunications
response functions in a situation involving national security and
emergency preparedness. DHS stated the following:
"The Internet infrastructure is owned and operated by the private
sector. Although certain policies direct DHS to work with the private
sector to ensure infrastructure protection, DHS does not have the
authority to direct Internet owners and operators in their recovery
efforts."
DHS Initiatives Supporting Internet Recovery Planning Are under Way,
but Much Remains to Be Done and the Relationships among Initiatives Are
Not Evident:
DHS has begun a variety of initiatives to fulfill its responsibility
for developing an integrated public/private plan for Internet recovery,
but these efforts are not complete or comprehensive. Specifically, DHS
has developed high-level plans for infrastructure protection and
national disaster response, but the components of these plans that
address the Internet infrastructure are not complete. In addition, DHS
has started a variety of initiatives to improve the nation's ability to
recover from Internet disruptions, including working groups to
facilitate coordination and exercises in which government and private
industry practice responding to cyber events. While these activities
are promising, some initiatives are not complete, others lack time
lines and priorities, and still others lack effective mechanisms for
incorporating lessons learned. In addition, the relationships among
these initiatives are not evident. As a result, the nation is not
prepared to effectively coordinate public/private plans for recovering
from a major Internet disruption.
DHS Has Developed High-level Protection and Response Plans, but Key
Components Are Not Complete:
Federal policy establishes DHS as the central coordinator for
cyberspace security efforts and tasks the department with developing an
integrated public/private plan for Internet recovery.[Footnote 25] DHS
has two key documents that guide its infrastructure protection and
recovery efforts, but components of these plans dealing with Internet
recovery are not complete.
The National Response Plan is DHS's overarching framework for
responding to domestic incidents. The plan, which was released in
December 2004, contains the following two components that address
issues related to telecommunications and the Internet:
* The Emergency Support Function 2 of the plan identifies federal
actions to provide temporary emergency telecommunications during a
significant incident and to restore telecommunications after the
incident. It assigns roles and responsibilities to different federal
agencies; provides guidelines for incident response; and identifies
actions to take before, during, and after the incident. Because the
Internet is supported by the telecommunications infrastructure, this
section of the plan could help with Internet recovery efforts.
* The Cyber Incident Annex identifies policies and organizational
responsibilities for preparing for, responding to, and recovering from
cyber-related incidents impacting critical national processes and the
national economy. The annex recognizes the National Cyber Response
Coordination Group as the principal federal interagency mechanism to
coordinate the government's preparation for, response to, and recovery
from a major Internet disruption or significant cyber incident.
These components, however, are not complete in that the Emergency
Support Function 2 does not directly address Internet recovery, and the
Cyber Incident Annex does not reflect the National Cyber Response
Coordination Group's current operating procedures. DHS officials
acknowledged that both Emergency Support Function 2 and the Cyber
Incident Annex need to be revised to reflect the maturing capabilities
of the National Cyber Response Coordination Group, the planned
organizational changes affecting NCS and NCSD, and the convergence of
voice and Internet networks. However, DHS has not reached consensus on
the best approach for revising these components, and it has not
established a schedule for revising the overall plan.
The Draft National Infrastructure Protection Plan consists of both a
base plan and sector-specific plans, but these have not been finalized.
A January 2006 draft of the base plan identifies roles,
responsibilities, and a high-level strategy for infrastructure
protection across all sectors. It emphasizes the need to protect and
recover the cyber infrastructure, including the Internet. Additionally,
the sector plans are expected to apply the strategies identified in the
base plan to the infrastructure sectors. For example, the information
technology sector plan identifies relationships within the information
technology sector and with other infrastructure sectors. It also
identifies preliminary steps for infrastructure protection, such as
identifying key assets and the consequences of the failure of those
assets.
DHS is planning to finalize its base plan in 2006, but it has not yet
set a date for doing so. Once this plan is released, it will lead to
the development of the more detailed sector-specific plans. The next
versions of the information technology and telecommunications sector
plans are due to DHS within 180 days of the release of the final base
plan.
While DHS's intentions to revise these plans are necessary steps in the
right direction, the plans do not fulfill the department's
responsibility to develop an integrated public/private plan for
Internet recovery. Several representatives of private-sector firms
supporting the Internet infrastructure expressed concerns about both
plans, noting that the plans would be difficult to execute in times of
crisis. Other representatives were uneasy about the government
developing recovery plans, because they were not confident in the
government's ability to successfully execute the plans. DHS officials
acknowledged that it will be important to obtain input from private-
sector organizations as they refine these plans and initiate more
detailed public/private planning.
Until both the National Response Plan and the National Infrastructure
Protection Plan are updated and more detailed public/private planning
begins, DHS lacks the integrated approach to Internet recovery called
for in the cyberspace strategy and risks not being prepared to
effectively coordinate such a recovery.
Other DHS Initiatives Related to Internet Recovery Planning Are under
Way, but They Are Incomplete and the Relationships among the
Initiatives Are Not Evident:
While the National Response Plan outlines an overall framework for
incident response, it is designed to be supplemented by more specific
plans and activities. DHS has numerous initiatives under way to better
define its ability to assist in responding to major Internet
disruptions. These initiatives include task forces, working groups, and
exercises. While these activities are promising, some initiatives are
incomplete, others still lack time lines and priorities, and others
lack an effective mechanism for incorporating lessons learned. In
addition, the relationships and interdependencies among different
initiatives are not evident.
As a result, tangible progress toward improving the government's
ability to help recover from a major Internet disruption has been
limited.
DHS Plans to Revise the Role and Mission of the National Communications
System, but This Effort Is Not Yet Complete:
DHS plans to revise the role and mission of the National Communications
System (NCS) to reflect the convergence of voice and data
communications, but this effort is not yet complete. NCS is responsible
for ensuring the availability of a viable national security and
emergency preparedness communications infrastructure. Originally
focused on traditional telephone service, NCS has recently taken on a
larger role in Internet-related issues due to the convergence of the
infrastructures that serve traditional telephone traffic and those that
serve data (such as Internet traffic). A presidential advisory
committee on telecommunications[Footnote 26] has established two task
forces to recommend changes to NCS's role, mission, and functions to
reflect this convergence. One task force focused on changes due to next-
generation network technologies, while the other focused on revising
the role and mission of NCS's National Communications Center. Appendix
III provides additional details on the two task forces.
Both task forces have made recommendations to improve NCS's operations,
but DHS has not yet developed plans to address these recommendations.
Until NCS completes efforts to revise its role and mission, the group
is at risk of not being prepared to address the unique issues that
could be caused by future Internet disruptions.
National Cyber Response Coordination Group Is Defining Its Roles and
Responsibilities, but Much Remains to Be Done:
As a primary entity responsible for coordinating governmentwide
responses to cyber incidents--such as major Internet disruptions--DHS's
National Cyber Response Coordination Group is working to define its
roles and responsibilities, but much remains to be done. The group
reported that it has begun efforts to define its roles,
responsibilities, capabilities, and activities. For example, the group
has developed a concept of operations--which includes a high-level
recovery function--but is waiting for the results of additional
analyses before revising and enhancing the concept of operations. The
group also drafted operating procedures that it used during a national
cyber exercise in February 2006, and it plans to incorporate lessons
learned from the exercise into the operating procedures and to issue
revised procedures by June 2006. The group also reported that it has
made progress on initiatives to (1) map the current capabilities of
government agencies to detect, respond to, and recover from cyber
incidents; (2) identify secure communications capabilities within the
government that can be used to respond to cyber incidents; (3) perform
a gap analysis of different agencies' capabilities for responding to
cyber incidents; and (4) establish formal resource-sharing agreements
with other federal agencies as well as state and local governments.
However, much remains to be done to complete these initiatives.
One challenge facing the National Cyber Response Coordination Group is
the "trigger" for government involvement. Currently, the group can be
activated by:
* a cyber incident that may relate to or constitute a terrorist attack,
a terrorist threat, a threat to national security, a disaster, or any
other cyber emergency requiring federal government response;
* a confirmed, significant cyber incident directed at one or more
national critical infrastructures;
* a cyber incident that impacts or potentially impacts national
security, national economic security, public health or safety, or
public confidence and morale;
* discovery of an exploitable vulnerability in a widely used protocol;
* other complex or unusual circumstances related to a cyber incident
that requires interagency coordination;
or:
* any cyber incident briefed to the President.
DHS officials acknowledged that the trigger to activate this group is
imprecise and will need to be clarified. Because key activities to
define roles, responsibilities, capabilities, and the appropriate
trigger for government involvement are still under way, the group is at
risk of not being able to act quickly and definitively during a major
Internet disruption.
The Internet Disruption Working Group Was Established to Work with the
Private Sector to Establish Plans to Respond to Major Internet
Disruptions, but It Lacks Time Lines and Priorities for Its
Initiatives:
Since most of the Internet is owned and operated by the private sector,
NCSD and NCS established the Internet Disruption Working Group to work
with the private sector to establish priorities and develop action
plans to prevent major disruptions of the Internet and to identify
recovery measures in the event of a major disruption. The group
includes representatives of both domestic and international government
agencies and private Internet-related companies. According to DHS
officials who organized the group, the group held its first forum in
November 2005 to begin to identify real versus perceived threats to the
Internet, refine the definition of an Internet disruption, determine
the scope of a planned analysis of disruptions, and identify near-term
protective measures.
DHS officials stated that they had identified a number of potential
future plans, including meeting with industry representatives to:
* better understand what constitutes normal network activity and what
suggests malicious activity;
* further refine the definition of an Internet disruption;
* determine which public/private organizations would be contacted in an
emergency and what contingency plans the government could establish;
* encourage implementation of best practices for protecting key
Internet infrastructure, including the Domain Name System;
and:
* consider requiring improved security technologies for the Domain Name
System and the Border Gateway Protocol in government contracts.
Efforts such as those previously mentioned appear to be worthwhile;
however, agency officials have not yet finalized plans, resources, or
milestones for these efforts. Until they do, the benefits of these
efforts will not be fully realized.
The North American Incident Response Group Is an Additional Mechanism
for Outreach to the Private Sector, but Its Efforts Are Early:
In addition to the Internet Disruption Working Group, US-CERT officials
formed the North American Incident Response Group. The group, modeled
on similar groups in Asia and Europe, includes both public and private-
sector network operators who would be the first to recognize and
respond to cyber disruptions. In September 2005, US-CERT officials
conducted regional workshops with group members to share information on
structure and programs and incident response, and to seek ways for the
government and industry to work together operationally. The attendees
included 32 organizations, such as computer security incident response
teams; information sharing and analysis centers; members of private
firms that provide security services; information technology vendors;
and other organizations that participate in cyber watch, warning, and
response functions. US-CERT officials stated that these events were
highly successful, and that they hope to continue to hold such events
quarterly beginning in 2006.
As a result of the first meetings, US-CERT officials developed a list
of action items and assigned milestones to some of these items. For
example, US-CERT has established a secure instant messaging capability
to communicate with group members. In addition, it plans to conduct a
survey of the group members to determine what they need from US-CERT
and what types of information they can provide.
While the outreach efforts of the North American Incident Response
Group are promising, DHS has only just begun developing plans and
activities to address the concerns of private-sector stakeholders.
DHS Has Conducted Initial Exercises That Address Cyber Disruption, but
Efforts to Incorporate Lessons Learned into DHS Operations Are Lacking:
Over the last few years, DHS has conducted several broad
intergovernmental exercises to test regional responses to significant
incidents that could affect the critical infrastructure. These regional
exercises included incidents that could cause localized Internet
disruptions, and they resulted in numerous findings and recommendations
regarding the government's ability to respond to and recover from a
major Internet disruption. For example, selected exercises found that
both the government and private-sector organizations were poorly
prepared to effectively respond to cyber events. They cited the lack of
clarity on roles and responsibilities, the lack of coordination and
communication, and a limited understanding of cybersecurity concerns as
serious obstacles to effective response and recovery from cyber attacks
and disruptions. Furthermore, regional participants reported being
unclear regarding who was in charge of incident management at the
local, state, and national levels.
More recently, in February 2006, DHS conducted an exercise called Cyber
Storm, which was focused primarily on testing responses to a cyber-
related incident of national significance. The exercise involved a
simulated large-scale attack affecting the energy and transportation
infrastructures, using the telecommunications infrastructure as a
medium for the attack. The results of this exercise have not yet been
published. (Details on these exercises are provided in app. IV.)
Exercises that include Internet disruptions can help to identify issues
and interdependencies that need to be addressed. However, DHS has not
yet identified planned activities and milestones or identified which
group should be responsible for incorporating into its plans and
initiatives lessons learned from the regional and Cyber Storm
exercises. Without a coordination process, plans, and milestones, there
is less chance that the lessons learned from the exercises will be
successfully transferred to operational improvements.
The Relationships and Interdependencies among Various DHS Initiatives
Are Not Evident:
While DHS has various initiatives under way--including efforts to
update the National Response Plan, task forces assessing changes to
NCS, working groups on responding to cyber incidents, and exercises to
practice recovery efforts--the relationships and interdependencies
among these various efforts are not evident. For example, plans to
update the National Response Plan to better reflect the Internet
infrastructure are related to task force efforts to suggest changes to
NCS to deal with the convergence of voice and data technologies.
However, it is not clear how these initiatives are being coordinated.
Furthermore, the National Cyber Response Coordination Group, the
Internet Disruption Working Group, and the North American Incident
Response Group are all meeting to discuss ways to address Internet
recovery, but the interdependencies among the groups have not been
clearly established. Additionally, it is not evident that lessons
learned from the various cyber-related exercises are being incorporated
in the planned revision of the National Response Plan or the ongoing
efforts of the various working groups. Without a thorough understanding
of the interrelationships among its various initiatives, DHS risks
pursuing redundant efforts and missing opportunities to build on
related efforts.
DHS officials acknowledged that they have not yet fully coordinated the
various initiatives aimed at enhancing the department's ability to help
respond to and recover from a major Internet disruption, but they noted
that the complexity of this undertaking and the number of entities
involved in Internet recovery make this effort challenging.
Multiple Challenges Exist to Planning for Recovery from Internet
Disruptions:
Although DHS has various initiatives under way to improve Internet
recovery planning, it faces key challenges in developing a public/
private plan for Internet recovery, including (1) innate
characteristics of the Internet that make planning for and responding
to a disruption difficult, (2) a lack of consensus on DHS's role and on
when the department should get involved in responding to a disruption,
(3) legal issues affecting DHS's ability to provide assistance to
restore Internet service, (4) reluctance of the private-sector to share
information on Internet disruptions with DHS, and (5) leadership and
organizational uncertainties within DHS. Until it addresses these
challenges, DHS will have difficulty achieving results in its role as
the focal point for recovering the Internet from a major disruption.
Key Internet Characteristics Make Recovery More Difficult:
The Internet's diffuse structure, vulnerabilities in its basic
protocols, and lack of agreed-upon performance measures make planning
for and responding to a disruption more difficult.
Control of the Internet Is Diffuse:
The diffuse control of the Internet makes planning for recovering from
a disruption more challenging. The components of the Internet are not
all governed by the same organization. Some components of the Internet
are controlled by government organizations, while others are controlled
by academic or research institutions. However, the vast majority of the
Internet is owned and operated by the private sector. Each organization
makes decisions to implement or not implement various standards based
on issues such as security, cost, and ease of use. Therefore, any plan
for responding to a disruption requires the agreement and cooperation
of these private-sector organizations.
In addition, the Internet is international. According to private-sector
estimates, only about 20 percent of Internet users are in the United
States. Cyber actors in one country have the potential to impact
systems connected to the Internet in another country. This geographical
diversity makes planning for Internet recovery more difficult.
Vulnerabilities in Internet-Related Protocols Make Responding to
Disruptions Difficult:
The Internet's protocols have vulnerabilities that can be exploited.
Examples of these vulnerabilities include the following:
* The version of Internet Protocol (IPv4) that is widely used today has
certain security limitations that have been addressed but are not fully
integrated into the protocol. The newest version of the protocol (IPv6)
addresses some of these limitations, but it has not yet been fully
adopted.[Footnote 27]
* The Domain Name System, which directs users to the correct Web site
based on the name they typed in, was not originally built with the
intent of being resistant to attacks. Domain name servers or caches
storing Domain Name System information can be corrupted. Although some
protective measures have been implemented, a method to encrypt and
protect Domain Name System information has not yet been widely
deployed.
* Border Gateway Protocol, the protocol that transmits routing
information among separate networks, has vulnerabilities that, if not
mitigated, could subject those networks to attack. For example, a
malicious actor could advertise incorrect routing information. Because
this protocol provides the basis for all Internet connectivity, a
successful attack could have wide-ranging effects.
Lack of Standards for Measuring Internet Performance Hinders the
Ability to Recognize Disruptions and Recover Accordingly:
There are no well-accepted standards for measuring and monitoring the
Internet infrastructure's availability and performance. Instead,
individuals and organizations rate the Internet's performance according
to their own priorities.
The commonly used version of Internet Protocol (IPv4) does not
guarantee a priority or speed for delivery, but rather provides "best
effort" service. The next version (IPv6) has features that may help the
delivery of future Internet traffic, but it is not yet widely
used.[Footnote 28] The topic of guaranteeing a particular level of
service, called "quality of service," is currently the subject of much
research. For example, NCS requested information from private companies
on the potential for prioritizing certain types of Internet service
over others if network capacity was limited; NCS found that there is
currently no offering of a priority service, nor is there any consensus
by industry on a standard approach to prioritization. Obstacles to
offering the service include both technical and financial challenges.
Since there are no clear standards for quality of service, prioritizing
service if capacity is limited or setting thresholds that indicate a
disrupted network can be difficult.
Private-sector representatives identified additional challenges to
network measurement and performance standards, including a reluctance
to share proprietary performance data that other companies could use
for competitive advantage, flaws in measurement techniques, and the
ability to "spoof" performance data.
The lack of agreement on standards for measurement and performance
limits the ability of the government and private sector to readily
identify poor performance and identify when recovery efforts should
begin.
There Is No Consensus on DHS's Role in Responding to Internet
Disruption or the Appropriate Trigger for Its Involvement:
There is a lack of consensus about the role DHS should play in
responding to a major Internet disruption and about the appropriate
trigger for its involvement. As we previously noted in this report, the
lack of clear legislative authority for Internet recovery efforts
complicates the definition of this role.
DHS's Role Lacks Consensus:
DHS is currently providing information to private industry through
existing US-CERT and National Coordinating Center relationships and
conducting exercises such as Cyber Storm. US-CERT and National
Coordinating Center officials are also working to improve their
relationships with the private sector. However, DHS officials
acknowledged that their role in recovering from an Internet disruption
needs additional clarification, because private industry owns and
operates the vast majority of the Internet.
Private-sector officials representing telecommunication backbone
providers and Internet service providers were also unclear about the
types of assistance DHS could provide in responding to an incident and
about the value of such assistance. While many officials stated that
the government did not have a direct recovery role, others identified a
variety of roles ranging from providing information on specific threats
(which DHS currently does through US-CERT), providing security and
disaster relief support during a crisis, funding backup communication
infrastructures, and driving improved Internet security through
requirements for its own procurement. Clearly, there was no consensus
among the officials on this issue. Table 6 summarizes potential roles
suggested by private-sector representatives and DHS officials'
assessments of each area.
Table 6: Potential DHS Roles:
Potential role: Serve as a focal point with state and local governments
to establish standard credentials to allow Internet and
telecommunications companies access to areas that have been restricted
or closed in a crisis;
DHS assessment of activities: NCS officials stated that credentials are
primarily controlled by state and local government officials. However,
NCS stated that it is working with a telecommunications company and
Georgia on a pilot credentialing process for telecommunications and
electric power teams in a disaster area to restore critical
infrastructure. Once the pilot process is generally agreed to with
Georgia officials, NCS stated it will share this information with other
state and local officials to provide them with the option of adopting
it the next hurricane season. The agency may consider a formal
credentialing system for the next hurricane season.
Potential role: Provide logistical assistance, such as fuel, power, and
security, to Internet infrastructure operators;
DHS assessment of activities: NCS currently does not provide such
services directly, and the Stafford Act does not authorize DHS to
provide direct assistance to private companies. However, the National
Coordinating Center has assisted companies in obtaining these services
from other companies in previous physical disruptions. An NCS official
acknowledged that providing these services in the case of Hurricane
Katrina was challenging because of the scale of the disaster and
difficulties in coordination with other government organizations.
Potential role: Conduct a more formal analysis of physical diversity in
service routes so that a customer with multiple telecommunications
vendors would be able to determine the extent to which the vendors'
circuits physically overlap;
DHS assessment of activities: NCS stated it has developed a formal
analysis process to assist federal agencies in conducting analyses of
physical diversity in service routes for any given site. The formal NCS
analysis process requires full collaboration between NCS and the
requesting agency. An abbreviated analysis process is also available
for those agencies wishing to conduct their analyses independently.
However, DHS stated that an overall analysis of physical diversity in
service routes for all federal agency locations would be a massive
undertaking. It would also be extremely expensive and is currently
beyond even industry's capability to maintain.
Potential role: Focus on smaller scale exercises targeted at specific
Internet disruption issues. An example would be an exercise focused on
root server/top-level domain attacks;
DHS assessment of activities: DHS officials stated that they agree with
this premise and are planning a tabletop exercise specifically focused
on the Internet. A group of government and private-sector experts first
met to plan the exercise in March 2006. The exercise is currently
planned for June 2006.
Potential role: Limit the initial focus for Internet recovery planning
to key national security and emergency preparedness functions, such as
public health and safety, similar to NCS's approach to telephone
service. This would make the scope of planning efforts more manageable;
DHS assessment of activities: DHS officials agree that this may be a
more appropriate place to start. They stated that a focus on these
areas would likely be more positively received by the private sector
than larger scale planning efforts. However, they stated that this
prioritization will require discussions among stakeholders. These
officials noted that the Next Generation Network Task Force addressed
prioritization. However, there are no immediate plans that target this
particular issue.
Potential role: Fund backup communications systems;
DHS assessment of activities: NCS initiated a program, called the
Shared Resources High- Frequency Radio Program, to provide backup radio
communications during an emergency. The purpose of the program is to
provide a single, interagency emergency message-handling system by
bringing together existing radio resources of federal, state, and
industry organizations when normal communications are destroyed or
unavailable for the transmission of national security and emergency
preparedness information.
In addition, DHS operates the Critical Infrastructure Warning
Information Network, a private communications network designed to serve
as a reliable and survivable network capability with no logical
dependency on the Internet or the public-switched network. In the event
of a significant cyber attack that disrupts telecommunications networks
and/or the Internet, this network is expected to provide a secure
capability for interagency incident managers to communicate. DHS plans
to extend the network to private- sector communications backbone
providers.
Potential role: Establish a system for prioritizing recovery of
Internet service similar to the existing Telecommunications Service
Priority Program;
DHS assessment of activities: DHS officials and industry
representatives noted that the existing Telecommunications Service
Priority Program applies to physical restoration of both voice circuits
and data circuits, including Internet traffic. However, prioritization
of particular traffic on the Internet faces numerous technical
challenges and is not supported by current legislation. DHS stated that
this issue will become more significant as existing telecommunications
circuit-switched networks migrate to packet- switched networks.
Potential role: Use federal contracting mechanisms to require use of
more secure Internet technologies, such as secure Domain Name System
and secure Border Gateway Protocols;
DHS assessment of activities: DHS officials noted that they can
coordinate with the Office of Management and Budget in addressing this
issue, but that the office has authority for providing federal agencies
with overarching policy.
They also stated that DHS's Science and Technology Directorate and the
National Institute of Standards and Technology have developed guidance
documents to encourage the use of a secure Domain Name System in
federal information technology systems. The Science and Technology
Directorate is also coordinating with the General Services
Administration to begin to implement a secure Domain Name System in the
.gov and global root Domain Name System servers.
These officials noted that standards for securing Border Gateway
Protocol are still not fully agreed to--beyond some common best
practices for simple security--and that DHS and the National Institute
of Standards and Technology are working to develop standards and
technology to support securing Border Gateway Protocol.
These officials cautioned that expenses and the timing of
implementation are key issues. Federal agencies can specify what they
want, but ultimately the costs of enhanced services will have to be
paid.
Sources: GAO interviews with private-sector infrastructure owners and
operators to identify potential roles and a written assessment by DHS
on these potential roles.
[End of table]
The Trigger for Government Involvement Is Unclear:
The difference between a minor and a major Internet disruption can be a
combination of factors. The severity of a disruption can be influenced
by:
* the length of time that the disruption lasts;
* the impact of the disruption on the operation of the Internet, both
in quality of operation (e.g., if the speed of the Internet is
affected), and the number of users that cannot access the Internet;
* the impact that the disruption has on society, such as the impact on
national security or economic security;
and:
* the simultaneity of events (e.g., a disruption coinciding with a
national disaster or terrorist attack could be more severe than a
disruption occurring on an uneventful day).
However, it is not clear when the government should get involved in a
disruption. For example, the lessons learned from the DHS-sponsored
regional exercises show that:
* organizations do not know how and to whom they should report a cyber
attack and what information to convey;
* local and state emergency operations centers often lack procedures to
determine when they should activate for a cyber event;
* private-sector participants often do not inform government
authorities about what they see as routine events because of company
policy, legal constraints, or liability concerns;
and:
* it is unclear when a cybersecurity incident becomes a source of
concern and what types of incidents should be communicated to local and
federal law enforcement.
The trigger for the National Response Plan, which is DHS's overall
framework for incident response, is poorly defined and has been found
by both GAO and the White House to need revision.[Footnote 29] DHS
officials acknowledged that the definition for activation of its
National Cyber Response Coordination Group is very broad and needs
clarification. In addition, other DHS officials stated that, in their
meetings with private-sector firms and other government agencies, they
have determined that they need to further refine the definition of when
government should be involved during an Internet disruption.
DHS officials have stated that a successful public/private partnership
is critical to the success of efforts to plan for responding to
Internet disruptions. Since private-sector participation in DHS
planning activities for Internet disruption is voluntary, agreement on
the appropriate trigger for government involvement and on the role of
government in resolving an Internet disruption are essential to any
plan's success. Without a consensus on the appropriate role of
government in responding to the disruption, or on the trigger for
government involvement, planning for response to the disruption is
difficult.
Legal Issues Affect DHS's Ability to Provide Assistance during Recovery
Efforts:
There are key legal issues affecting DHS's ability to provide
assistance to help restore Internet service. As previously noted, key
legislation and regulations guiding critical infrastructure protection,
disaster recovery, and the telecommunications infrastructure do not
provide specific authorities for Internet recovery. As a result, there
is no clear legislative guidance on what government entity would be
responsible in the case of a major Internet disruption.
In addition, while the Stafford Act authorizes the government to
provide federal assistance to states, local governments, nonprofit
entities, and individuals in the event of a major disaster or
emergency, it does not authorize assistance to for-profit corporations.
Several representatives of telecommunications companies reported that
they had requested federal assistance from DHS during Hurricane
Katrina. Specifically, they requested food, water, and security for the
teams they were sending in to restore the communications
infrastructure, and fuel to power their generators. DHS responded that
it could not fulfill these requests, noting that the Stafford Act did
not extend to for-profit companies.
Many in the Private Sector Are Reluctant to Share Internet Information
with the Government:
Because a large percentage of the nation's critical infrastructure--
including the Internet--is owned and operated by the private sector,
public/private partnerships are crucial for successful critical
infrastructure protection. Although certain policies direct DHS to work
with the private sector to ensure infrastructure protection, DHS does
not have the authority to direct Internet owners and operators in their
recovery efforts. Instead, it must rely on the private sector to share
information on incidents, disruptions, and recovery efforts.
We have previously reported that many in the private sector are
reluctant to share information with the federal government.[Footnote
30] Many private-sector representatives questioned the value of
providing information to DHS regarding planning for and recovery from
Internet disruption. Concerns included the potential for disclosure of
the information and the perceived lack of benefit in providing the
information. In addition, DHS identified provisions of the Federal
Advisory Committee Act[Footnote 31] as having a "chilling effect" on
cooperation with the private sector. The act governs the structure of
certain federal advisory groups and requires that membership in and
information about the groups' activities be public record. However,
both the act itself and other federal legislation provide the ability
to limit disclosure of sensitive information provided to the
government. While DHS officials stated that the agency was working on a
solution to problems posed by the act, they did not provide us with
information on potential solutions or milestones for completing these
activities. The uncertainties regarding the value and risks of
cooperation with the government limit incentives for the private sector
to cooperate in Internet recovery planning efforts.
DHS's Leadership and Organizational Issues Impact Its Ability to
Address Internet Disruption:
In 2003 and again in 2005, we identified the transformation of DHS from
22 agencies into one department as a high-risk area.[Footnote 32] As
part of this body of work, we noted that organizational and management
practices are critical to successfully transforming an organization.
Additionally, we reported on the importance of top leadership driving
any transformation and the need for a stable and authoritative
organizational structure. However, DHS has lacked permanent leadership
while developing its plans for Internet recovery and reconstitution. In
addition, the organizations with roles in Internet recovery have
overlapping responsibilities and may be reorganized once DHS selects
permanent leadership. As a result, it is difficult for DHS to develop a
clear set of organizational priorities and to coordinate among the
various activities responsible for Internet recovery planning.
DHS Has Lacked Permanent Leadership in Key Roles:
In recent years, DHS has experienced a high level of turnover in its
cybersecurity division and has lacked permanent leadership in key
roles. In May 2005, we reported that multiple senior DHS cybersecurity
officials had recently left the department.[Footnote 33] These
officials included the NCSD Director, the Deputy Director responsible
for Outreach and Awareness, the Director of the US-CERT Control Systems
Security Center, the Under Secretary for the Information Analysis and
Infrastructure Protection Directorate, and the Assistant Secretary
responsible for the Information Protection Office.
Subsequently, in July 2005, the DHS Secretary announced a major
reorganization of the department. Under this reorganization, the
Information Analysis and Infrastructure Protection Directorate, which
contained NCS and NCSD, was renamed the Directorate for Preparedness,
which would be managed by an appointed under secretary. The
responsibilities of NCS and NCSD were placed under a new Assistant
Secretary for Cyber Security and Telecommunications. DHS stated that
the creation of a position for Assistant Secretary for Cyber Security
and Telecommunications within the department would elevate the position
of cybersecurity in the department and by doing so raise visibility for
the issue. However, as of May 2006, no candidate for the assistant
secretary position had yet been publicly announced. In addition, the
current head of NCSD is in an acting position and has been since
October 2004.
While DHS stated that the lack of a permanent assistant secretary has
not hampered its efforts in protecting critical infrastructure, several
private-sector representatives stated that DHS's lack of leadership in
this area has limited progress. Specifically, these representatives
stated that filling key leadership positions would enhance DHS's
visibility to the Internet industry and potentially improve its
reputation.
DHS Organizations Have Overlapping Responsibilities:
DHS officials acknowledged that the current organizational structure
has overlapping responsibilities in planning for and recovering from a
major Internet disruption. NCSD is responsible for planning and
response activities governing information technology, while NCS has the
lead for telecommunications. However, because of the convergence of
voice and data networks, NCS has become more involved in Internet
issues.
There is currently no written division of responsibilities between NCS
and NCSD related to Internet recovery. NCS officials stated that a
revision of the Emergency Support Function 2 would help address the
apparent overlap, but DHS has not established a date for finalizing
this document. Furthermore, DHS officials stated that the new assistant
secretary would have discretion to reorganize NCS and NCSD. For
example, NCS and NCSD could be combined, or one or more program areas
could be modified. As a result, it is difficult for DHS to develop a
clear set of organizational priorities and to coordinate among the
various activities responsible for Internet recovery planning.
Conclusions:
As a critical information infrastructure supporting our nation's
commerce and communications, the Internet is subject to disruption--
from both intentional and unintentional incidents. While major
incidents to date have had regional or local impacts, the Internet has
not yet suffered a catastrophic failure. Should such a failure occur,
however, existing legislation and regulations supporting critical
infrastructure protection, disaster response, and the
telecommunications infrastructure do not specifically address roles and
responsibilities for Internet recovery.
A national policy, the National Strategy to Secure Cyberspace,
establishes DHS as the focal point for ensuring the security of
cyberspace--a role that includes developing joint public/private plans
for facilitating a recovery from a major Internet disruption. While DHS
has initiated efforts to refine high-level disaster recovery plans, the
components of these plans that pertain to the Internet are not
complete. Additionally, while DHS has undertaken several initiatives to
improve Internet recovery planning, much remains to be done.
Specifically, some initiatives lack clear time lines, lessons learned
are not consistently being incorporated in recovery plans, and the
relationships between the various initiatives are not clear.
DHS faces numerous challenges to developing integrated public/private
recovery plans--not the least of which is the fact that the government
does not own or operate much of the Internet. In addition, there is no
consensus among public and private stakeholders about the appropriate
role of DHS and when it should get involved; legal issues limit the
actions the government can take; the private sector is reluctant to
share information on Internet performance with the government; and DHS
is undergoing important organizational and leadership changes. As a
result, the exact role of the government in helping to recover the
Internet infrastructure following a major disruption remains unclear.
Matters for Congressional Consideration:
Given the importance of the Internet as a critical infrastructure
supporting our nation's communications and commerce, Congress should
consider clarifying the legal framework that guides roles and
responsibilities for Internet recovery in the event of a major
disruption. This effort could include providing specific authorities
for Internet recovery as well as examining potential roles for the
federal government, such as providing access to disaster areas,
prioritizing selected entities for service recovery, and using federal
contracting mechanisms to encourage more secure technologies. This
effort also could include examining the Stafford Act to determine if
there would be benefits in establishing specific authority for the
government to provide for-profit companies--such as those that own or
operate critical communications infrastructures--with limited
assistance during a crisis.
Recommendations for Executive Action:
To improve DHS's ability to facilitate public/private efforts to
recover the Internet in case of a major disruption, we recommend that
the Secretary of the Department of Homeland Security implement the
following nine actions:
* Establish dates for revising the National Response Plan and
finalizing the National Infrastructure Protection Plan--including
efforts to update key components relevant to the Internet.
* Use the planned revisions to the National Response Plan and the
National Infrastructure Protection Plan as a basis, draft public/
private plans for Internet recovery, and obtain input from key Internet
infrastructure companies.
* Review the NCS and NCSD organizational structures and roles in light
of the convergence of voice and data communications.
* Identify the relationships and interdependencies among the various
Internet recovery-related activities currently under way in NCS and
NCSD, including initiatives by US-CERT, the National Cyber Response
Coordination Group, the Internet Disruption Working Group, the North
American Incident Response Group, and the groups responsible for
developing and implementing cyber recovery exercises.
* Establish time lines and priorities for key efforts identified by the
Internet Disruption Working Group.
* Identify ways to incorporate lessons learned from actual incidents
and during cyber exercises into recovery plans and procedures.
* Work with private-sector stakeholders representing the Internet
infrastructure to address challenges to effective Internet recovery by:
* further defining needed government functions in responding to a major
Internet disruption (this effort should include a careful consideration
of the potential government functions identified by the private sector
in table 6 of this report),
* defining a trigger for government involvement in responding to such a
disruption, and:
* documenting assumptions and developing approaches to deal with key
challenges that are not within the government's control.
Agency Comments:
We received written comments from DHS on a draft of this report (see
app. V). In DHS's response, the Director of the Departmental GAO/Office
of Inspector General Liaison Office concurred with our recommendations.
DHS stated that it recognizes that the Internet is an important
component of the information infrastructure in which both the
information technology and telecommunications sectors share an
interest. It also stated that because of the increasing reliance of
various critical infrastructure sectors on interconnected information
systems, the Internet represents a significant source of
interdependencies for many sectors. DHS agreed that strengthened
collaboration between the public and private sectors is critical to
protecting the Internet. DHS also provided information on initial
actions it is taking to implement our recommendations.
DHS officials, as well as others who were quoted in our report, also
provided technical corrections, which we have incorporated in this
report as appropriate.
As agreed with your offices, unless you publicly announce the contents
of this report earlier, we plan no further distribution of it until 30
days from the report date. At that time, we will send copies of this
report to interested congressional committees, the Secretary of the
Department of Homeland Security, and other interested parties. In
addition, this report will be available at no charge on GAO's Web site
at [Hyperlink, http://www.gao.gov.]
If you have any questions on matters discussed in this report, please
contact us at (202) 512-9286 and at (202) 512-6412, or by e-mail at
pownerd@gao.gov and rhodesk@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last
page of this report. GAO staff who made major contributions to this
report are listed in appendix VI.
Signed by:
David A. Powner:
Director, Information Technology Management Issues:
Signed by:
Keith A. Rhodes:
Chief Technologist:
Director, Center for Technology and Engineering:
List of Congressional Requesters:
The Honorable Joseph I. Lieberman:
Ranking Member:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
The Honorable Tom Coburn, MD:
Chairman:
The Honorable Tom Carper:
Ranking Member:
Subcommittee on Federal Financial Management, Government Information,
and International Security:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
The Honorable Joe Barton:
Chairman:
Committee on Energy and Commerce:
House of Representatives:
The Honorable Tom Davis:
Chairman:
Committee on Government Reform:
House of Representatives:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
Our objectives were to (1) identify examples of major disruptions to
the Internet, (2) identify the primary laws and regulations governing
recovery of the Internet in the event of a major disruption, (3)
evaluate the Department of Homeland Security's (DHS) plans for
facilitating recovery from Internet disruptions, and (4) assess
challenges to such efforts.
To determine the types of major disruptions to the Internet, we
analyzed our prior work on cybersecurity issues as well as reports by
private organizations, research experts, and government agencies. We
identified incidents that were representative of types of disruptions
that have actually occurred. We compiled case studies by reviewing and
summarizing research reports and interviewing private-industry experts
and government officials. We also conducted interviews with individuals
in the private/public sectors, including representatives of private
companies that operate portions of Internet infrastructure.
To determine the primary laws and regulations for recovering the
Internet in the event of a major disruption, we analyzed relevant laws
and regulations related to infrastructure protection, disaster
response, and the telecommunications infrastructure. These laws and
regulations included the Homeland Security Act of 2002, Homeland
Security Presidential Directive 7, the Defense Production Act, the
Stafford Act, the Communications Act of 1934, and the National
Communications System (NCS) authorities. We also obtained the
perspectives of DHS and the Federal Communications Commission on the
laws and regulations that govern Internet recovery. Additionally, we
conducted interviews with DHS and other government officials as well as
representatives of the telecommunications and information technology
sectors.
To assess plans for recovery of Internet service in the event of a
major disruption, we analyzed key documents, such as the interim
National Infrastructure Protection Plan, the National Response Plan, a
report from the National Coordinating Center Task Force, and reports
from regional tabletop security exercises. We observed a portion of
DHS's Cyber Storm exercise, which focused on facilitating government
and private industry organizations to address an array of cybersecurity
issues. We also spoke with the Deputy Manager of NCS and the Deputy
Director of the NCSD to identify DHS's initiatives in the area of
Internet protection and recovery. Additionally, we interviewed
representatives from private companies that operate portions of
Internet infrastructure. These included representatives of major
telecommunications and cable companies, Internet service providers, and
root server operators. We also interviewed representatives from three
information sharing and analysis centers[Footnote 34] to obtain their
perspectives on DHS's capabilities in the area of Internet recovery.
To identify the challenges that may affect current recovery plans, we
analyzed DHS plans, congressional testimony, and other evaluations of
challenges to Internet recovery. We also interviewed officials at DHS,
including NCSD's Deputy Director of Strategic Initiatives and Deputy
Director of Operations and NCS's Chief of the Critical Infrastructure
Protection Division. In addition, we interviewed other agencies that
are involved with the government's efforts in the area of Internet
recovery and experts in the private sector and academia. We performed
our work from August 2005 to May 2006 in accordance with generally
accepted government auditing standards.
[End of section]
Appendix II: Legislation and Regulations Govern Critical Infrastructure
Protection, Disaster Response, and the Telecommunications
Infrastructure:
Multiple Laws and Regulations Govern Protection of Critical
Infrastructure:
Federal laws and policies establish critical infrastructure protection
as a national goal and describe a strategy for cooperative efforts by
government and the private sector to protect the cyber-and physical-
based systems that are essential to the minimum operations of the
economy and the government. The primary authorities governing
protection of critical infrastructure include the Homeland Security Act
of 2002 and Homeland Security Presidential Directive 7.
The Homeland Security Act of 2002:
The Homeland Security Act of 2002[Footnote 35] established DHS and gave
it lead responsibility for preventing terrorist attacks in the United
States, reducing the vulnerability of the United States to terrorist
attacks, and minimizing the damage and assisting in the recovery from
attacks that do occur.
The act also assigns DHS a number of responsibilities for critical
infrastructure protection, including (1) developing a comprehensive
national plan for securing the key resources and critical
infrastructure of the United States; (2) recommending measures to
protect the key resources and critical infrastructure of the United
States in coordination with other federal agencies and in cooperation
with state and local government agencies and authorities, the private
sector, and other entities; and (3) disseminating, as appropriate,
information analyzed by the department--both within the department and
to other federal, state, and local government agencies and private-
sector entities--to assist in the deterrence, prevention, or preemption
of or response to terrorist attacks.
Additionally, the act specifically charged DHS with providing state and
local government entities and, upon request, private entities that own
or operate critical infrastructure, with:
* analyses and warnings concerning vulnerabilities and threats to
critical infrastructure systems,
* crisis management support in response to threats or attacks on
critical information systems, and:
* technical assistance with respect to recovery plans to respond to
major failures of critical information systems.
Homeland Security Presidential Directive 7:
Homeland Security Presidential Directive 7, dated December 17, 2003,
superseded Presidential Decision Directive 63 and established a
national policy for federal departments and agencies to identify and
prioritize critical infrastructures and key resources and to protect
them from terrorist attack. The directive defines responsibilities for
(1) DHS, (2) sector-specific federal agencies that are responsible for
addressing specific critical infrastructure sectors, and (3) other
departments and agencies.
The directive also makes DHS responsible for coordinating the national
effort to enhance the protection of the critical infrastructure and key
resources of the United States. Under the directive, the Secretary of
DHS is to serve as the principal federal official to lead, integrate,
and coordinate implementation of efforts among federal departments and
agencies, state and local governments, and the private sector to
protect critical infrastructure and key resources. The Secretary also
is to work closely with other federal departments and agencies, state
and local governments, and the private sector in accomplishing the
objectives of the directive. The Secretary is given responsibility to
coordinate protection activities for several key infrastructure
sectors, including the information technology and telecommunications
sectors.
Homeland Security Presidential Directive 7 provides that DHS is to
collaborate with the appropriate private-sector entities and to
encourage the development of information-sharing and analysis
mechanisms. Additionally, the department and sector-specific agencies
are to collaborate with the private sector and continue to support
sector-coordinating mechanisms to:
* identify, prioritize, and coordinate the protection of critical
infrastructure and key resources and:
* facilitate sharing of information about cyber and physical threats,
vulnerabilities, incidents, potential protective measures, and best
practices.
Multiple Laws Govern Federal Response to Disasters and Incidents of
National Significance:
Federal planning for disaster recovery is governed by legislation
including the Defense Production Act and the Stafford Act.
Defense Production Act:
The Defense Production Act was enacted at the outset of the Korean War
to ensure the availability of industrial resources to meet the needs of
the Department of Defense.[Footnote 36] The act is intended to
facilitate the supply and timely delivery of products, materials, and
services to military and civilian agencies, in times of peace as well
as in times of war. Presently, only titles I, III, and VII of the
Defense Production Act remain in effect.[Footnote 37] DHS identified
the act as a primary authority that supports telecommunications
emergency planning and response functions.
Title I of the act authorizes the President to ensure the timely
availability of products, materials, and services needed to meet
current defense preparedness and military readiness requirements as
well as the requirements of a national emergency. Under section 101 of
the act, the President may require preferential performance on
contracts and orders to meet approved national defense requirements and
may allocate materials, services, and facilities as necessary to
promote the national defense in a national emergency. Homeland Security
Presidential Directive 7, previously discussed, specifically
acknowledges the authority of the Department of Commerce to use the act
to ensure the timely availability of industrial products, materials,
and services to meet homeland security requirements.
Title III of the act authorizes the use of financial incentives to
expand productive capacity and supply. It authorizes loan guarantees,
loans, purchases, purchase guarantees, and installation of equipment in
contractor facilities for those goods necessary for national defense.
It is used only in cases where domestic sources are required and
domestic firms cannot, or will not, act on their own to meet a national
defense production need.
Title VII of the Defense Production Act defines national defense to
include domestic emergency preparedness and critical infrastructure
protection and restoration activities. The act's authorities,
therefore, are available to meet requirements in a civil disaster, such
as a major Internet disruption.
The act also authorizes the President to provide antitrust defenses to
private firms participating in voluntary agreements aimed at solving
production and distribution problems.
The Year 2000 computer transition and the September 11, 2001, attacks
prompted new interest in the act and its application to information
technology and cybersecurity. Some commentators indicated that the act
would be a useful tool in managing a critical infrastructure
emergency.[Footnote 38] In January 2001, President Clinton directed the
Secretary of Energy to exercise authority under the act, among other
statutes, to ensure the availability of natural gas for high-priority
uses in California. President Clinton found that ensuring natural gas
supplies to California was necessary and appropriate to maximize
domestic supplies and to promote the national defense. President Bush
subsequently extended this executive order.[Footnote 39]
In recent years, Congress has expanded the Defense Production Act's
coverage to include crises resulting from natural disasters or "man-
caused events" not amounting to an armed attack on the United
States.[Footnote 40] The definition of national defense in the act was
expanded in 1994 to include emergency preparedness activities
authorized by the Stafford Act.[Footnote 41] In 2003, the act was
reauthorized through September 30, 2008.[Footnote 42] It was also
amended to add explicit authority to use the act for critical
infrastructure protection and restoration. In addition, the 2003 Act
(section 5) added a definition of critical infrastructure to the
act.[Footnote 43]
The Stafford Act:
The Robert T. Stafford Disaster Relief and Emergency Assistance Act
(the Stafford Act)[Footnote 44] authorizes federal assistance to
states, local governments, nonprofit entities, and individuals in the
event of a major disaster or emergency. For example, the President, at
the request of a governor, may declare a "major disaster," which is
defined as follows:
"Major disaster means any natural catastrophe (including any hurricane,
tornado, storm, high water, winddriven water, tidal wave, tsunami,
earthquake, volcanic eruption, landslide, mudslide, snowstorm, or
drought), or, regardless of cause, any fire, flood, or explosion, in
any part of the United States, which in the determination of the
President causes damage of sufficient severity and magnitude to warrant
major disaster assistance under this Act to supplement the efforts and
available resources of States, local governments, and disaster relief
organizations in alleviating the damage, loss, hardship, or suffering
caused thereby."
A presidential declaration that a major disaster has occurred activates
the federal response plan for the delivery of federal disaster
assistance. The Federal Emergency Management Agency is responsible for
coordinating the federal and private response effort. A presidential
declaration of a major disaster[Footnote 45] triggers several Stafford
Act authorities, including, for example, federal activities to:
* support state and local governments to facilitate the distribution of
consumable supplies;
* help distribute aid to victims through state and local governments
and voluntary organizations, perform life-and property-saving
assistance, clear debris, and use the resources of the Department of
Defense;
* repair and reconstruct federal facilities;
* repair, restore, and replace damaged facilities owned by state and
local governments, as well as private nonprofit facilities that provide
essential services or contributions for other facilities or hazard
mitigation measures in lieu of repairing or restoring damaged
facilities;
and:
* establish--during or in anticipation of an emergency--temporary
communications systems, and make such communications available to state
and local government officials.
Specific Laws and Regulations Govern the Telecommunications
Infrastructure That Supports the Internet:
The Internet is enabled by the telecommunications infrastructure that
supports transmission of data. Key laws and regulations include the
Communications Act of 1934, as amended, and the National Communications
System (NCS) authorities.
Communications Act of 1934, as Amended:
The primary federal telecommunications law is the Communications Act of
1934. Its original purpose was to regulate interstate and foreign
commerce in communications by wire and radio by licensing radio
stations and regulating the telecommunications monopolies of the
time.[Footnote 46] The 1934 Act also created the Federal Communications
Commission to implement the act.[Footnote 47] The 1934 act, as amended,
has remained for more than 60 years as the basis of federal regulation
of telecommunications services.[Footnote 48] The Telecommunications Act
of 1996[Footnote 49] amended the 1934 Act to enhance competition in the
telecommunications market. These laws govern regulation of forms of
transmission upon which the Internet depends. There is, however, no
general regulatory provision for the Internet in the act and no
specific provision providing authorities and responsibilities for
Internet recovery.
NCS Authorities:
NCS was established by a memorandum signed by President Kennedy in
1963, following the Cuban Missile Crisis.[Footnote 50] The memorandum
called for establishing a national communications system by linking
together and improving the communication facilities and components of
various federal agencies. This original memorandum has since been
amended and superseded over time.
The executive order currently in force is Executive Order 12472, April
3, 1984, which was amended slightly by Executive Order 13286 on
February 28, 2003. Executive Order 12472, as amended by Executive Order
13286, established NCS and provided that its mission was to assist the
President, the National Security Council, the Homeland Security
Council, the Director of the Office of Science and Technology Policy,
and the Director of the Office of Management and Budget in, among other
responsibilities, "the coordination of the planning for and provision
of national security and emergency preparedness communications for the
Federal government under all circumstances, including crisis or
emergency, attack, recovery and reconstitution."
The administrative structure includes a National Communications System
Committee of Principals, an executive agent, and a manager. The
Homeland Security Act of 2002 transferred NCS to DHS. To reflect this
change, Executive Order 13286 made the Secretary of DHS the Executive
Agent.
NCS's mission with regard to critical infrastructure protection is to
ensure the reliability and availability of telecommunications for
national security and emergency preparedness. Its mission includes, but
it is not necessarily limited to, responsibility for (1) ensuring the
government's ability to receive priority services for national security
and emergency preparedness purposes in current and future
telecommunications networks by conducting research and development and
participating in national and international standards bodies and (2)
operationally coordinating with industry for protecting and restoring
national security and emergency preparedness services in an all-hazards
environment.[Footnote 51]
Section 706 of the Communications Act of 1934 grants the President
certain emergency powers regarding telecommunications, including the
authority to grant essential communications "preference or priority
with any carrier" subject to this act.[Footnote 52] The President may
also, in the event of war or national emergency, suspend regulations
governing wire and radio transmissions and "authorize the use or
control of any such facility or station and its apparatus and equipment
by any department of the Government." Section 706 is implemented in
Executive Order 12472, which provides that the Director of the Office
of Science and Technology Policy shall direct the exercise of the war
power functions of the President under section 706(a), (c)-(e) of the
Communications Act of 1934, as amended (47 U.S.C. 606). Section 706 is
implemented in the Code of Federal Regulations at title 47, chapter II.
[End of section]
Appendix III: Two Task Forces Have Assessed NCS Roles and Mission:
The National Security Telecommunications Advisory Committee advises the
President on issues and problems related to implementing national
security and emergency preparedness telecommunications policy. The
committee recently formed two task forces to provide recommendations on
changes to DHS's NCS division and operations.
Next Generation Network Task Force:
In May 2004, the Next Generation Network Task Force was formed to
develop recommendations on changes that needed to be made to NCS as a
result of issues such as the convergence of voice and data
communications. The task force was to (1) define the expected structure
for next-generation networks, such as those using Internet-based
protocols; (2) identify national security and emergency preparedness
user requirements for next-generation networks and outline how these
requirements will be met; and (3) examine relevant user scenarios and
expected cyber threats and recommend optimal actions to address these
threats.
The task force agreed to present its findings and recommendations in
two separate reports to the President--a near-term recommendations
report and a final comprehensive report.
In March 2005, the task force issued near-term recommendations for the
federal government. While the recommendations did not address NCS's
role in recovering from an Internet disruption, they included:
* exploring the use of government networks as alternatives for critical
emergency communications during times of national crisis;
* using and testing existing and leading-edge technologies and
commercial capabilities to support critical emergency user requirements
for security and availability;
* studying and supporting industry efforts in areas that present the
greatest emergency communications risks during the period of
convergence, including gateways, control systems, and first responder
communications systems;
and:
* reviewing the value of satellite systems as a broad alternative
transmission channel for critical emergency communications.
The final report, issued in March 2006, contained recommendations that
the federal government:
* require federal agencies to plan for and invest in resilient and
alternate communications mechanisms to be used in a crisis,
* develop identity management tools to support priority emergency
communication on next-generation networks,
* develop supporting policies for emergency communications on next-
generation networks, and:
* improve DHS incident management capabilities.
DHS has not yet developed specific plans to address the recommendations
from either report.
National Coordinating Center Task Force:
In October 2004, a task force was established to examine the future
mission and role of the National Coordinating Center, which is part of
NCS. This task force was to study the direction of the center over the
next year, 3 years, and 5 years, including how industry members of the
center should continue to partner with the government and how the
center should be structured.
The task force researched the center's functions and mapped the
center's authorities to its missions. It studied the center's
organizational structure, information sharing and analysis, incident
management and leadership, and international mutual-aid abilities.
In its report issued in May 2006, the task force found that since the
September 11 attacks the number of companies participating in the
National Coordinating Center has more than doubled, but the influx of
new members has hindered information sharing because of the time it
takes to develop trusted relationships between members. The report also
found that members wanted government to increase its sharing of threat
information with the communications industry through the National
Coordinating Center. The report recommended that:
* the National Coordinating Center broaden center membership by
including additional firms, such as cable operators, satellite
operators, and Internet service providers;
* NCS examine the possible combination of the National Coordinating
Center and the Information Technology Information Sharing and Analysis
Center;
* DHS clarify responsibilities and authorities in emergency situations
to facilitate response to telecommunications disruptions;
* DHS revise the Cyber Incident Annex to the National Response Plan to
clarify the trigger for the annex and the appropriate role of the
government in responding to such an incident;
* the National Coordinating Center develop a concept of operations for
responding to cyber events;
and:
* DHS resolve confusion over legal or jurisdictional issues in
responding to cyber or communications crises.
DHS has not yet developed a plan to address these findings and
recommendations.
[End of section]
Appendix IV: DHS Has Conducted Disaster Response Exercises That Include
Cyber Incidents:
DHS Has Conducted Regional Exercises Involving Cyber Attacks:
Over the last few years, DHS has conducted several exercises to test
the federal and regional response to incidents affecting critical
infrastructures. Among other events, these exercises included incidents
that could cause localized Internet disruptions. Specifically, DHS
sponsored two cyber tabletop exercises with Connecticut and New Jersey,
as well as a series of exercises in the Pacific Northwest and Gulf
Coast regions of the United States.
The series of exercises in the Pacific Northwest was named Blue
Cascades. Blue Cascades II, conducted in September 2004, addressed a
scenario involving cyber attacks and attacks that disrupted
infrastructure, including telecommunications and electric power. The
scenario explored regional capabilities to deal with threats,
interdependences, cascading impacts, and incident response. Blue
Cascades III, conducted in March 2006, focused on the impact of a major
earthquake in the area and the resulting efforts to recover and restore
services. Both exercises were sponsored by NCSD and organized by the
Pacific Northwest Economic Region.
Purple Crescent II, held in New Orleans, Louisiana, in October 2004,
was also designed to raise awareness of infrastructure
interdependencies and to identify how to improve regional preparedness.
The scenario involved a cell of terrorists that used an approaching
major hurricane to test their ability to disrupt regional
infrastructures, government and private organizations, and particularly
disaster preparedness operations using cyber attacks. The exercise was
sponsored by the Gulf Coast Regional Partnership for Infrastructure
Security and funded by NCSD.
The objectives of these exercises included:
* raising awareness of infrastructure-related cybersecurity issues and
vulnerabilities;
* identifying response and recovery challenges;
* bringing together physical security, emergency management, and other
disciplines involved in homeland security and disaster response;
* identifying roles and responsibilities in addressing cyber attacks
and disruptions;
* determining ways to foster public/private cooperation and information
sharing;
* identifying preparedness gaps associated with cybersecurity and
related interdependencies;
and:
* producing an action plan of activities.
The exercises resulted in many findings regarding the overall
preparedness for cyber incidents (see table 7). Overall, the exercises
found that both the government and private-sector organizations were
poorly prepared to effectively respond to cyber events. The lack of
clarity on roles and responsibilities coupled with both the lack of
coordination and communication and limited understanding of
cybersecurity concerns pose serious obstacles to effective response and
recovery from cyber attacks and disruptions. Furthermore, it was
unclear who was in charge of incident management at the local, state,
or national levels.
Table 7: Selected Lessons Learned from DHS Regional Exercises with
Cyber Components:
Area: Skills, knowledge, and preparedness;
Selected lessons learned:
* Many exercise participants demonstrated a basic understanding of
high- level cybersecurity issues, but they were not knowledgeable about
more complex cyber vulnerabilities and interdependencies that could
cause cascading impacts;
* Organizations overestimated their technical capabilities to protect
against threats and attacks and to respond and recover expeditiously in
the exercise scenario;
* It appeared that few organizations had any formal alternative
communications plans;
* The dependence of emergency preparedness activities on information
systems and electronic communications needs to be tested and assessed.
Furthermore, vulnerabilities need to be identified and cost-effective
mitigation measures need to be adopted;
* It was unclear what redundant and alternative communications were
available to organizations in a major cyber disruption, or if
available, whether these capabilities were regularly tested.
Area: Coordination;
Selected lessons learned:
* While a cooperative spirit was demonstrated by participating
organizations during the exercise, this cooperation appeared to be
based on ad hoc personal relationships, and it is focused on physical
incidents;
* Participants for the most part focused on their own organizational
interests, with minimal public/private coordination or formalized
relationships;
* With the exception of sector-specific Information Sharing and
Analysis Centers and cybersecurity professional associations,
organizations rarely coordinate on cyber threat and incident response
activities, chiefly for legal and liability reasons;
* Government agencies at the state level interact with other state
entities, and federal agencies with federal offices, with little
coordination at federal and state levels. There appears to be little
coordination among the many federal, other government and private
organizations with cybersecurity missions;
* Private-sector participants emphasized that their organizations do
not inform government authorities about what is seen as routine events
because of company policy, legal constraints or liability concerns.
Area: Triggers and thresholds for reporting;
Selected lessons learned:
* Regional organizations lack information on what organization they
should contact to report a cyber event or to seek guidance in dealing
with an incident;
* State and local emergency operations centers lack threshold criteria
to determine when they should activate for a cyber attack;
* It is unclear when a cybersecurity incident becomes a source of
concern and what types of incidents should be communicated to local and
federal law enforcement.
Area: Government actions;
Selected lessons learned:
* No one organization is mandated as the focal point for cybersecurity
threats and incident response. The federal government has a number of
organizations that have missions to respond to cyber incidents and
there are also state and private-sector response organizations and
vendors. As a result, it was not clear to the participants what role
DHS elements and other federal agencies would play in a cyber incident;
* Some participants believed DHS and US-CERT should undertake the lead
role in dealing with major cyber attacks while other participants--
chiefly private-sector representatives--did not see a federal
government lead role as appropriate or desirable;
* Participants described cyber incident management as "confused" or
"loose.".
Source: GAO analysis of the Purple Crescent II exercise held in October
2004 and the Blue Cascades II exercise held in September 2004.
[End of table]
The after-action reports from the exercises recommended areas for
additional study and planning, including:
* additional study of the vulnerabilities of critical infrastructures
to cyber attack;
* improved information on training, assessments, and resources to be
used against cyber attacks;
* improved federal, state, local, and private-sector planning and
coordination; and:
* defined thresholds for what constitutes a major cyber attack.
Cyber Storm Was DHS's First National Exercise Focused on Cyber Attacks:
Cyber Storm, held in February 2006 in Washington, D.C., was the first
DHS-sponsored national exercise to test response to a cyber-related
incident of national significance. The exercise involved a simulated,
large-scale attack affecting the energy, information technology,
telecommunications, and transportation infrastructures. DHS officials
stated that they plan to hold a similar exercise every other year.
According to information provided by agency officials, the exercise
involved eight federal departments and three agencies, three states,
and four foreign countries. The exercise also involved representatives
from the private sector, including nine information technology
companies, six electric companies, and two airlines. The exercise
objectives included testing interagency, intergovernmental, and
public/private coordination of incident response.
Representatives of private-sector companies provided mixed responses on
the value of exercises such as Cyber Storm. Selected representatives
expressed concerns about the overly broad scope and the difficulty in
justifying dedicating resources for the exercises due to the lack of
clear goals and outcomes. Another representative stated that government
exercises help the government but exercises involving private-sector
coordination with multiple agencies would also be helpful. Another
representative stated that exercises were only of value if there was a
process for integrating lessons learned from the exercises into
policies and procedures. Two representatives, from a private-sector
company that participated in Cyber Storm, stated that, while useful,
the exercise was not designed for network operators, who would benefit
from more comprehensive training in incident response.
[End of section]
Appendix V: Comments from the Department of Homeland Security:
Homeland Security:
June 2, 2006:
Mr. David A. Powner:
Director, Information Technology Management Issues:
U.S. Government Accountability Office:
441 G Street, NW
Washington, DC 20548:
Dear Mr. Powner:
RE: Draft Report GAO-06-672, Internet Infrastructure: DHS Faces
Challenges in Developing a Joint Public/Private Recovery Plan (GAO Job
Code 310499):
The Department of Homeland Security (DHS) appreciates the opportunity
to review and comment on the draft report. We recognize that the
Internet is an important component of the information infrastructure in
which both the information technology (IT) and telecommunications
sectors share an interest. Moreover, because of the increasing reliance
of various Critical Infrastructure and Key Resources (CI/KR) sectors on
interconnected networked information systems, the Internet represents a
significant source of interdependencies for many sectors. In this
regard, we agree with the Government Accountability Office (GAO) that
recent incidents have shown the Internet as a whole is resilient. We
also agree that strengthening collaboration between the public and
private sector with constant attention to risk mitigation, response and
recovery planning is critical to protect the Internet[Footnote 53].
Finally, as noted in each response, DHS has already focused on issues
raised in the recommendations and has either addressed a recommendation
or is in the process of implementing a recommendation. Nevertheless, we
welcome GAO's review and appreciate the opportunity to comment on each
of the nine recommended actions that are intended to improve DHS'
ability to facilitate public and private efforts to recover the
Internet in case of a major disruption.
Recommendation 1: Establish dates for revising the National Response
Plan and finalizing the National Infrastructure Protection Plan -
including efforts to update key components relevant to the
Internet.
Response: We agree with the recommendation. Implementation of the
National Infrastructure Protection Plan (NIPP) is one of the three
priorities called for as part of the National Preparedness Goal. The
final draft of the NIPP Base Plan was provided to the Homeland Security
Council Critical Infrastructure Protection Policy Coordinating
Committee, which recently gave its concurrence. We anticipate the final
interagency approval and signatures from the HSPD-7 departments and
agencies will be forthcoming.
The pending release of the final NIPP Base Plan is an important
milestone, but it is the implementation of that plan and the
accompanying seventeen Sector-Specific Plans (SSPs) that will help
build a safer, more secure, and more resilient America by enhancing
protection of the Nation's CI/KR. Combined with the updated cyber
component of the NIPP Base Plan, the development of these SSPs
represents progress in efforts to update the key NIPP components
relevant to the Internet. Specifically, the SSPs for the IT and
telecommunications sectors will address plans for protecting the
Internet, and will include consideration of the interdependencies
between the two sectors. These plans are already undergoing development
in collaboration with public and private sector security partners.
Significant progress has been made on both, and completion of all SSPs
is scheduled for 180 days after the release of the NIPP Base Plan.
With regard to the National Response Plan (NRP) revision, the Homeland
Security Council (HSC) directed DHS to complete an interagency review
of the NRP to incorporate critical revisions prior to the onset of the
2006 Hurricane Season. On May 25, 2006, DHS incorporated the revisions
into the NRP in a Notice of Change. The revisions are based on
organizational changes within DHS, as well as the lessons learned from
the experience of responding to Hurricanes Katrina, Wilma, and Rita in
2005. As one part of the NRP Notice of Change, DHS created a NRP Quick
Reference Guide as an appendix to the NRP, which provides senior
officials with a concise summary of key concepts, relationships and
roles and responsibilities outlined in the NRP. In addition, DHS
intends to initiate a comprehensive stakeholder review of the NRP in
the fall of 2006.
Recommendation 2: Using the planned revisions to the National Response
Plan and National Infrastructure Protection Plan as a basis, draft
public/private plans for Internet recovery and obtain input from key
Internet infrastructure companies.
Response: We agree with the recommendation. DHS' National Cyber
Security Division (NCSD) and the National Communications System (NCS),
both located within the Directorate of Preparedness, are actively
engaged with the private sector in furthering a mutual understanding of
government's and industry's respective roles and responsibilities in
connection with a disruption of the Internet or its supporting
infrastructure. In August 2005, the President's National Security
Telecommunications Advisory Committee (NSTAC) hosted an event entitled,
"Incident Management in Next Generation Network," between key industry
and government leaders regarding next steps for collaboratively
responding to incidents affecting the shared public Internet
infrastructure. These types of events build relationships and are key
because the Internet infrastructure is, for the most part, owned and
operated by the private sector.
NCSD has several initiatives underway specifically focused on building
relationships with private industry to determine risks and needs in the
event of an Internet disruption. For example, the United States
Computer Emergency Readiness Team (US-CERT), through its leadership of
the North American Incident Response Group (NAIRG), continues to
develop operational relationships and processes to enhance US-CERT's
ability to respond to an Internet disruption of national significance.
Additionally, the National Cyber Response Coordinating Group (NCRCG)
has developed thresholds for activating the Group and a concept of
operations for responding to cyber incidents, which would include
Internet disruptions. Although the NCRCG role is not operational, it
plays a key role in facilitating effective Federal response to
incidents.
Finally, ongoing collaboration with subject matter experts from the
private sector and academia through the Internet Disruption Working
Group (IDWG) further supports and validates government/industry efforts
to identify key Internet infrastructure contacts, thresholds, and
processes to facilitate situational awareness, incident management, and
recovery actions. This collaboration, along with simulations such as
the recent Cyber Storm exercise and the upcoming IDWG tabletop
exercise, provide data points to clarify industry and government roles
and responsibilities during an Internet disruption, and will lead to
the enhancement of mitigation measures to be included in the public/
private plans.
Recommendation 3: Review the NCS and NCSD organizational structure and
roles in light of the convergence of voice and data
communications.
Response: We agree with the recommendation and believe it can be
closed. DHS has addressed the organizational structure by placing NCS
and NCSD in a newly created Office of Cyber Security and
Telecommunications within the Directorate of Preparedness. This
reorganization clearly acknowledges the increasing convergence between
the telecommunications and IT sectors. NCSD and NCS work closely
together to coordinate efforts to protect the Nation's critical cyber
systems and telecommunications transport layer. In addition, NCSD's
operational division, US-CERT and the NCS's National Coordinating
Center for Telecommunications work together to analyze potential
threats, mitigate risks and collaborate as appropriate with respect to
response and recovery initiatives. NCS and NCSD together chair the IDWG
and play a lead role in the NCRCG as discussed below.
Recommendation 4: Identify the relationships and interdependencies
between the various Internet-recovery related activities currently
under way in NCS and NCSD, including initiatives by US-CERT, the
National Cyber Response Coordination Group, the Internet Disruption
Working Group, the North American Incident Response Group, and the
groups responsible for developing and implementing cyber recovery
exercises.
Response: We agree with the recommendation. NCS and NCSD have
identified and capitalized on relationships and interdependencies
between Internet-recovery related activities within DHS. There has been
significant and strategic collaboration between IDWG, NCRCG, and US-
CERT through major initiatives such as the IDWG Forum, Exercise Cyber
Storm, NCRCG meetings and working groups, as well as the upcoming IDWG
Tabletop exercise. Further, in the event of an Internet disruption of
national significance, the Secretary of DHS may activate the
Interagency Advisory Committee (IAC)[Footnote 54] ,which would work in
coordination with the NCRCG.
US-CERT is the operational entity having real-time responsibility for
responding to a Federal cyber incident and, when applicable, an
incident that has an actual or perceived potential to require the
activation of the NCRCG. DHS//NCSD co-chairs the NCRCG with the
Department of Justice and the Department of Defense. The NCRCG and US-
CERT collaborate with respect to information sharing, and work in
coordination with the IAC. During an incident of national significance
that involves cyber, the NCRCG would provide a cyber incident
management role to the IAC.
The IDWG is not an operational entity and has no incident response or
recovery responsibilities. The IDWG engages with the private sector,
academia, and international security experts to examine risks and
develop recommendations to improve preparedness. Findings and
recommendations developed by the IDWG are provided to the US-CERT,
NCRCG, and other like entities having direct response and recovery
roles within their respective organizations.
With respect to the North American Incident Response Group (NAIRG), it
is the intent of US-CERT to foster operational relationships with
incident response organizations such as NAIRG within the private
sector. In this regard, the NAIRG is not a government organization and
is without any extant actions/taskings.
In regard to groups responsible for cyber exercises, the NCSD Exercise
Program is the focal point for cyber exercise management and execution
within DHS. It supports those activities (US-CERT, NCRCG, IDWG, etc.)
that have identified requirements for further discovery to better
understand roles, responsibilities and processes, and identification of
gaps. In addition, the NCSD Exercise Program is the exercise sponsor
for the National Cyber Exercise: Cyber Storm, a biennial cyber exercise
focused on strategic and operational issues such as interagency
preparedness, response and recovery under the Cyber Annex to the NRP;
cross-sector interdependencies on the underlying information systems
including control systems; and, public-private collaboration and
coordination. It should be noted that the US-CERT, NCRCG and other
industry experts were significant players during the February, 2006
Cyber Storm Exercise.
Recommendation 5: Establish timelines and priorities for key efforts
identified by the Internet Disruption Working Group.
Response: We agree with the recommendation. The IDWG has identified
milestones and priorities for key efforts along with their respective
timelines as part of the NCSD strategic plan. The initial activity of
the IDWG was a one day forum of facilitated discussion among Internet
and policy experts addressing perceived and real vulnerabilities and
threats to key Internet resources. A draft report outlining key efforts
is in the process of being finalized. In collaboration with US-CERT,
NCRCG, and the private sector, the IDWG continues to refine a project
plan that addresses timelines and priorities.
Recommendation 6: Identify ways to incorporate lessons learned from
actual incidents and during cyber exercises into recovery plans and
procedures.
Response: We agree with the recommended action. As the cyber exercise
focal point for DHS, NCSD has the responsibility to provide the venue
and environment for participants to take part in exercises and garner
lessons learned both during the planning process and actual exercise
execution. In this role as facilitator of Cyber Storm, the NCSD
Exercise Program has conducted 5 after action conferences to date
(Federal, NCRCG, Private Sector, States and International) as part of
the process to draft an exercise After Action Report (AAR) for all
stakeholders/participants. The Cyber Storm AAR will cover macro lessons
learned based on the exercise objectives. In addition to this process,
many participants will conduct their own internal AAR efforts in order
to develop specific organizational lessons learned and internal action
recommendations. NCSD has also begun its own process to develop an
action plan based on the AAR and is collaborating with other
Departments and Agencies as well as the private sector on implementing
changes to policy and procedures. Further, US-CERT has already
developed specific internal action recommendations and has begun to
implement them based on the lessons learned from Cyber Storm.
Recommendation 7: Working with the private-sector stakeholders
representing the Internet infrastructure, address challenges to
effective Internet recovery by further defining needed government
functions during a major Internet disruption (this effort should
include a careful consideration of the potential government functions
identified by the private sector in table 6 of this report).
Response: We agree with the recommendation. DHS recognizes NCS and NCSD
face challenges in planning comprehensive strategies for responding to
and reconstituting after a cyber incident of national significance. It
is axiomatic, that only a truly functioning private/public partnership
will result in the plans and strategies necessary as the majority of
the Internet infrastructure is owned and operated by the private
sector. DHS will continue to make progress by exercising and testing
response actions and capabilities, building relationships, and bringing
attention to the severity of the threat against the
infrastructure.
DHS has formed a strategic partnership through the IDWG to combine
resources, avoid duplication of effort, and leverage Federal
government, academia, and private sector work on the issue of Internet
disruptions. The IDWG works with major stakeholders to identify and
prioritize short-term protective measures necessary to prevent major
disruptions of the Internet, especially as it relates to identifying
necessary government functions during such an incident, and to identify
responsive/reconstitution measures in the event of a major disruption.
This group has reviewed previous Internet disruption reports to
identify and leverage high priority actions to improve the resiliency
of the Internet quickly and effectively.
In addition, US-CERT has been attending the North American Network
Operator's Group (NANOG) meetings for the last three years to continue
to establish closer ties to tier one through tier three Internet
providers to work issues of national significance. US-CERT also
participates in a number of technical venues to further coordination
efforts and works with subject matter experts on topics ranging from
Domain Name Systems (DNS) issues to core Internet Protocol topics. The
US-CERT also works within the Forum of Incident Response Teams
community (www.first.org) and a number of other international incident
response teams for situational awareness and collaboration.
Recommendation 8: Define a trigger for government involvement in
responding to such a disruption.
Response: We generally agree with the recommendation. However, the
dynamics of the Internet, and business processes and policies of its
owners and operators pose a significant challenge to defining a
standard set of thresholds. As noted above, DHS continues to address
this challenge and is collaborating with the private sector to better
understand existing operational and corporate governance policies. The
IDWG has begun an information sharing study to review the information
sharing environment. This study should provide insights regarding a
consensus on the effectiveness of establishing standard thresholds and/
or processes for sharing information between private sector Internet
owners/operators and DHS.
Recommendation 9: Document assumptions and develop approaches to deal
with key challenges that are not within the government's
control.
Response: We concur with the recommendation. Many of the challenges
confronting enhancement of existing processes are, for the most part,
identified in the report. These challenges include: lack of authority,
dynamics of the Internet infrastructure, technology enhancement (to
include technology convergence), defining thresholds, understanding of
government's role, and private sector business processes/governance
policies. DHS is addressing challenges with the Internet owners and
operators through forums, tabletop exercises, and smaller action teams
consisting of subject matter experts who will address those actions
identified within the IDWG forum.
Related Issues:
An ongoing DHS focus is cyber threat analysis. This effort encompasses
many different organizations and elements, including threat information
collection requirements, scenario development, and cyber threat
products for all sectors. Dialogue between public and private IT sector
partners, DHS' Homeland Infrastructure Threat and Risk Analysis Center
(HITRAC) and the intelligence community will help to promote and
invigorate cyber threat analysis by leveraging the capabilities,
insights, and experience that each organization represents.
Thank you again for the opportunity to review this report and provide
additional comments.
Sincerely,
Signed by:
Steven J. Pecinovsky:
Director:
Departmental GAO/OIG Liaison Office:
[End of section]
Appendix VI: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
David A. Powner, (202) 512-9286 or pownerd@gao.gov Keith A. Rhodes,
(202) 512- 6412 or rhodesk@gao.gov:
Staff Acknowledgments:
In addition to those named above, Don R. Adams, Naba Barkakati, Scott
Borre, Neil Doherty, Vijay D'Souza, Joshua A. Hammerstein, Bert
Japikse, Joanne Landesman, Frank Maguire, Teresa M. Neven, and Colleen
M. Phillips made key contributions to this report.
(310499):
FOOTNOTES
[1] Homeland Security Presidential Directive 7: Critical Infrastructure
Identification, Prioritization, and Protection (Dec. 17, 2003).
[2] The White House, National Strategy to Secure Cyberspace
(Washington, D.C.: February 2003).
[3] GAO, Critical Infrastructure Protection: Department of Homeland
Security Faces Challenges in Fulfilling Cybersecurity Responsibilities,
GAO-05-434 (Washington, D.C.: May 26, 2005).
[4] We reported on issues associated with these protocols in Internet
Protocol Version 6: Federal Agencies Need to Plan for Transition and
Manage Security Risks, GAO-05-471 (Washington, D.C.: May 20, 2005).
[5] This example assumes that the required domain name information is
not available on the user's local network.
[6] Although the Department of Commerce has authority to modify the
root file containing this top-level domain information, it has
delegated this authority to the Internet Corporation for Assigned Names
and Numbers, a nonprofit organization, and VeriSign, a private
corporation.
[7] An autonomous system is a set of routers that are administered
using an interior gateway protocol to route packets among that set of
routers and an exterior gateway protocol, such as Border Gateway
Protocol, to route packets to other autonomous systems.
[8] Homeland Security Presidential Directive 7 (Dec. 17, 2003).
[9] DHS, National Infrastructure Protection Plan.
[10] The White House, National Strategy to Secure Cyberspace.
[11] The National Intelligence Council, Mapping the Global Future
(December 2004).
[12] These federal policies and plans include the National Strategy to
Secure Cyberspace, the interim National Infrastructure Protection Plan,
the Cyber Incident Annex to the National Response Plan (December 2004),
and Homeland Security Presidential Directive 7.
[13] These entities include the Department of State, the Central
Intelligence Agency, the Department of the Treasury, the Federal
Emergency Management Agency, the Department of Defense, the Joint
Staff, the Department of Justice, the General Services Administration,
the Department of the Interior, the National Aeronautics and Space
Administration, the Department of Agriculture, the Nuclear Regulatory
Commission, the Department of Commerce, the National Security Agency,
the Department of Health and Human Services, the National
Telecommunications and Information Administration, the Department of
Transportation, the United States Postal Service, the Department of
Energy, the Federal Reserve Board, the Department of Veterans Affairs,
the Federal Communications Commission, and the Department of Homeland
Security.
[14] The Network Reliability and Interoperability Council, NRIC Best
Practices, NRIC Best Practices Selector Tool, http://www.bell-
labs.com/cgi-user/krauscher/bestp.pl (viewed Apr. 19, 2006).
[15] GAO-05-434.
[16] GAO, Information Security: Code Red, Code Red II, and SirCam
Attacks Highlight Need for Proactive Measures, GAO-01-1073T
(Washington, D.C.: Aug. 29, 2001).
[17] Top-level domains are the right-most label following the last
period in a domain name;
for example, for www.senate.gov, .gov is the top-level domain. There
are generic top-level domains, which include .com, .edu, .gov, .int,
.mil, .net, and .org, among others. There are also country code top-
level domains, such as .us, .uk, and .jp.
[18] The Homeland Security Act of 2002, Pub. L. No. 107-296 (Nov. 25,
2002).
[19] Homeland Security Presidential Directive 7 (Dec. 17, 2003).
[20] Act of September 8, 1950, c. 932, 64 Stat. 798, as amended;
codified at 50 U.S.C. App. Section 2061 et seq.
[21] Pub. L. No. 93-288, 88 Stat. 143 (1974).
[22] Communications Act of 1934 (June 19, 1934), ch. 652, 48 Stat.
1064.
[23] Executive Order 12472 (Apr. 3, 1984), as amended by Executive
Order 13286 (Feb. 28, 2003).
[24] Communications Act of 1934, Section 706, 47 U.S.C § 606.
[25] The White House, National Strategy to Secure Cyberspace.
[26] The National Security Telecommunications Advisory Committee
advises the President on issues and problems related to implementing
national security and emergency preparedness telecommunications policy.
[27] GAO-05-471.
[28] GAO-05-471.
[29] GAO, Hurricane Katrina: GAO's Preliminary Observations Regarding
Preparedness, Response, and Recovery, GAO-06-442T (Washington, D.C.:
Mar. 8, 2006);
and the White House, The Federal Response to Hurricane Katrina: Lessons
Learned (Washington, D.C.: February 2006).
[30] GAO, Information Sharing: DHS Should Take Steps to Encourage More
Widespread Use of Its Program to Protect and Share Critical
Infrastructure Information, GAO-06-383 (Washington, D.C.: Apr. 17,
2006);
Information Sharing: The Federal Government Needs to Establish Policies
and Processes for Sharing Terrorism-Related and Sensitive but
Unclassified Information, GAO-06-385 (Washington, D.C.: Mar. 17, 2006);
and GAO-05-434.
[31] Pub. L. No. 92-463, 86 Stat. 770 (1972) codified at 5 U.S.C. app.
2.
[32] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.:
January 2005);
and High-Risk Series: An Update, GAO-03-119 (Washington, D.C.: January
2003).
[33] GAO-05-434.
[34] These were the Telecommunications, Information Technology, and
Multi-State Information Sharing and Analysis Centers.
[35] Pub. L. No. 107-296 (Nov. 25, 2002).
[36] Act of September 8, 1950, c. 932, 64 Stat. 798, as amended;
codified at 50 U.S.C. App. Section 2061 et seq.
[37] Congressional Research Service, David E. Lockwood, Defense
Production Act: Purpose and Scope, RS20587 (Oct. 16, 2002).
[38] For example, Joseph J. Petrillo, "Time to dust off emergency
procurement rules?," Government Computer News (Nov. 5, 2001);
Lee M. Zeichner, "Use of the Defense Production Act for 1950 for
Critical Infrastructure Protection," reprinted in Security in the
Information Age;
New Challenges, New Strategies, Joint Economic Committee, United States
Congress (May 2002);
and Major Federal Legislation, A "Legal Foundations" Study, Report 6 of
12, Report to the President's Commission on Critical Infrastructure
Protection (1997).
[39] The California Energy Crisis and Use of the Defense Production
Act, Hearing Before the Committee on Banking, Housing, and Urban
Affairs, United States Senate, 107th Cong. 1st Sess. (Feb. 9, 2001).
[40] S. Rep. No. 108-156, 108th Cong. 1st Sess. September 30, 2003, at
1-2.
[41] Pub. L. No. 103-337, section 3411(b) (Oct. 5, 1994).
[42] Pub. L. No. 108-195 (Dec. 19, 2003).
[43] That definition reads as follows: "The term 'critical
infrastructure' means any systems and assets, whether physical or cyber-
based, so vital to the United States that the degradation or
destruction of such systems and assets would have a debilitating impact
on national security and national public health or safety."
[44] Pub. L. No. 93-288, 88 Stat. 143 (1974).
[45] The Stafford Act also authorizes declaration of an emergency,
which has less stringent requirements and triggers less comprehensive
forms of assistance. Congressional Research Service, Keith Bea, Federal
Stafford Act Disaster Assistance: Presidential Declarations, Eligible
Activities, and Funding, RL33053 (Jan. 24, 2006).
[46] Congressional Research Service, Charles B. Goldfarb,
Telecommunications Act: Competition, Innovation, and Reform, RL33034
(Aug. 12, 2005) and 47 U.S.C. 151 et seq.
[47] Communications Act of 1934, June 19, 1934, ch. 652, 48 Stat. 1064.
[48] Section 706 of the act, discussed below, grants wartime powers to
the President, enabling the federal government to provide
telecommunications services deemed critical to national security
interest during times of war or national emergency.
[49] Pub. L. No. 104-104, 110 Stat. 56 (1996).
[50] Congressional Research Service, John Moteff, Computer Security: A
Summary of Selected Federal Laws, Executive Orders, and Presidential
Directives, RL32357 (Apr. 16, 2004).
[51] GAO, Critical Infrastructure Protection: Significant Homeland
Security Challenges Need to Be Addressed, GAO-02-918T (Washington,
D.C.: July 9, 2002).
[52] 47 U.S.C. § 606.
[53] The Internet is generally understood as a vast network of
interconnected global information systems that are logically linked
together by a globally unique address space based on the Internet
Protocol (IP) or its subsequent extensions/follow-ons. This network
supports communications using the Transmission Control Protocol/
Internet Protocol (TCP/IP) suite or its subsequent extensions/follow-
ons, and/or other IP-compatible protocols.
[54] Pursuant to recommendations made in numerous after action reports
examining the Federal government's response to Hurricanes Katrina,
Rita, and Wilma, the Department has recently put forward a proposal for
a number of changes to the National Response Plan. One of these changes
would replace the existing Interagency Incident Management Group (IIMG)
with an Interagency Advisory Committee, "a task organized advisory body
comprised of senior representatives from DHS components and
headquarters staff offices, other Federal departments and agencies, and
NGOs . . . [which] provide[s] the Secretary with strategic
recommendations that facilitate immediate and effective action(s) to
prevent, prepare for, respond to, and/or recover from an
incident."
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds;
evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
