Cyber Analysis and Warning
DHS Faces Challenges in Establishing a Comprehensive National Capability
GAO ID: GAO-08-588, July 31, 2008
This is the accessible text file for GAO report number GAO-08-588
entitled 'Cyber Analysis And Warning: DHS Faces Challenges in
Establishing a Comprehensive National Capability' which was released on
September 16, 2008.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Subcommittee on Emerging Threats, Cybersecurity, and
Science and Technology, Committee on Homeland Security, House of
Representatives:
United States Government Accountability Office:
GAO:
July 2008:
Cyber Analysis And Warning:
DHS Faces Challenges in Establishing a Comprehensive National
Capability:
GAO-08-588:
GAO Highlights:
Highlights of GAO-08-588, a report to the Subcommittee on Emerging
Threats, Cybersecurity, and Science and Technology, Committee on
Homeland Security, House of Representatives.
Why GAO Did This Study:
Cyber analysis and warning capabilities are critical to thwarting
computer-based (cyber) threats and attacks. The Department of Homeland
Security (DHS) established the United States Computer Emergency
Readiness Team (US CERT) to, among other things, coordinate the
nation's efforts to prepare for, prevent, and respond to cyber threats
to systems and communications networks. GAO's objectives were to (1)
identify key attributes of cyber analysis and warning capabilities, (2)
compare these attributes with US-CERT's current capabilities to
identify whether there are gaps, and (3) identify US-CERT's challenges
to developing and implementing key attributes and a successful national
cyber analysis and warning capability. To address these objectives, GAO
identified and analyzed related documents, observed operations at
numerous entities, and interviewed responsible officials and experts.
What GAO Found:
Cyber analysis and warning capabilities include (1) monitoring network
activity to detect anomalies, (2) analyzing information and
investigating anomalies to determine whether they are threats, (3)
warning appropriate officials with timely and actionable threat and
mitigation information, and (4) responding to the threat. GAO
identified 15 key attributes associated with these capabilities, as
shown in the following table:
Table: Key Attributes of Cyber Analysis and Warning:
Capability: Monitoring;
Attribute:
* Establish a baseline understanding of network assets and normal
network traffic volume and flow;
* Assess risks to network assets;
* Obtain internal information on network operations via technical tools
and user reports;
* Obtain external information on threats, vulnerabilities, and
incidents;
* Detect anomalous activities.
Capability: Analysis;
Attribute:
* Verify that an anomaly is an incident (threat of attack or actual
attack);
* Investigate the incident to identify the type of cyber attack,
estimate impact, and collect evidence;
* Identify possible actions to mitigate the impact of the incident;
* Integrate results into predictive analysis of broader implications or
potential future attack.
Capability: Warning;
Attribute:
* Develop attack and other notifications that are targeted and
actionable;
* Provide notifications in a timely manner;
* Distribute notifications using appropriate communications methods.
Capability: Response;
Attribute:
* Contain and mitigate the incident;
* Recover from damages and remediate vulnerabilities;
* Evaluate actions and incorporate lessons learned.
Source: GAO analysis.
[End of table]
While US-CERT's cyber analysis and warning capabilities include aspects
of each of the key attributes, they do not fully incorporate all of
them. For example, as part of its monitoring, US-CERT obtains
information from numerous external information sources; however, it has
not established a baseline of our nation's critical network assets and
operations. In addition, while it investigates if identified anomalies
constitute actual cyber threats or attacks as part of its analysis, it
does not integrate its work into predictive analyses. Further, it
provides warnings by developing and distributing a wide array of
notifications; however, these notifications are not consistently
actionable or timely.
US-CERT faces a number of newly identified and ongoing challenges that
impede it from fully incorporating the key attributes and thus being
able to coordinate the national efforts to prepare for, prevent, and
respond to cyber threats. The newly identified challenge is creating
warnings that are consistently actionable and timely. Ongoing
challenges that GAO previously identified, and made recommendations to
address, include employing predictive analysis and operating without
organizational stability and leadership within DHS, including possible
overlapping roles and responsibilities. Until US-CERT addresses these
challenges and fully incorporates all key attributes, it will not have
the full complement of cyber analysis and warning capabilities
essential to effectively performing its national mission.
What GAO Recommends:
GAO is making 10 recommendations to the Secretary of Homeland Security
to implement key attributes and address challenges. DHS concurred with
9 recommendations. It took exception to GAO's recommendation to ensure
distinct and transparent lines of authority and responsibilities
between its organizations, stating it had done this in a concept-of-
operations document. However, this document is still in draft, and DHS
has not established a date for it to be finalized and implemented.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-588]. For more
information, contact Dave Powner at 202-512-9286 or pownerd@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
Fifteen Key Attributes Essential to Establishing Cyber Analysis and
Warning Capabilities:
US-CERT's Capabilities Include Some but Not All Aspects of Key
Attributes:
US-CERT Faces New and Ongoing Challenges to Fulfilling Its Mission:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the Department of Homeland Security:
Appendix III: GAO Contacts and Staff Acknowledgments:
Tables:
Table 1: Attributes of Cyber Analysis and Warning:
Table 2: Sources of Emerging Cybersecurity Threats:
Table 3: Types of Cyber Attacks:
Table 4: Key Attributes of the Cyber Analysis and Warning Capabilities:
Table 5: Common Types of Technology Used for Internal Monitoring:
Table 6: US-CERT Capabilities Include Most but Not All Aspects of
Monitoring:
Table 7: US-CERT Incorporates Some but Not All Aspects of Analysis:
Table 8: US-CERT Exhibits Some but Not All Aspects of Warning:
Table 9: US-CERT Warning Products, Fiscal Year 2007:
Table 10: Quantity of US-CERT Warning Products, Fiscal Year 2007:
Table 11: US-CERT Satisfies Some but Not All Aspects of Response:
Figures:
Figure 1: Department of Homeland Security Organizational Chart:
Figure 2: US-CERT Organizational Structure:
Figure 3: A Simplified View of How Cyber Analysis and Warning
Capabilities Are Executed:
Abbreviations:
CERT/CC: CERT Coordination Center:
DHS: Department of Homeland Security:
DOD: Department of Defense:
HITRAC: Homeland Infrastructure Threat and Risk Analysis Center:
HSPD: Homeland Security Presidential Directive:
ISAC: information sharing and analysis center:
NCRCG: National Cyber Response Coordination Group:
NCSD: National Cyber Security Division:
NIST: National Institute of Standards and Technology:
OMB: Office of Management and Budget:
US-CERT: United States Computer Emergency Readiness Team:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
July 31, 2008:
The Honorable James R. Langevin:
Chairman:
The Honorable Michael T. McCaul:
Ranking Member:
Subcommittee on Emerging Threats, Cybersecurity, and Science and
Technology:
Committee on Homeland Security:
House of Representatives:
The rapid increase in computer connectivity has revolutionized the way
that our government, our nation, and much of the world communicate and
conduct business. While the benefits have been enormous, this
widespread interconnectivity also poses significant risks to our
nation's computer-reliant critical operations. Establishing analytical
and warning capabilities is essential to thwarting computer-based, or
cyber, threats and attacks. Cyber analysis and warning capabilities
include (1) monitoring network activity to detect anomalies, (2)
analyzing information and investigating anomalies to determine whether
they are threats, (3) warning appropriate officials with timely and
actionable threat and mitigation information, and (4) responding to the
threat.
Federal law and policy direct the Department of Homeland Security (DHS)
to establish such capabilities for our nation. To fulfill this
requirement, the department established the United States Computer
Emergency Readiness Team (US-CERT) to develop and implement these
capabilities and, in doing so, coordinate the nation's efforts to
prepare for, prevent, and respond to cyber threats and attacks.
Our objectives were to (1) identify key attributes of cyber analysis
and warning capabilities, (2) compare these attributes with US-CERT's
current analysis and warning capabilities to identify whether there are
gaps, and (3) identify US-CERT's challenges to developing and
implementing key attributes and a successful national cyber analysis
and warning capability. To identify key attributes, we identified and
analyzed relevant laws, strategies, policies, reports, and studies;
observed cyber analysis and warning operations at numerous entities;
and interviewed responsible officials and experts from federal and
nonfederal entities[Footnote 1]. To determine US-CERT's current
capabilities and related challenges, we analyzed DHS's policies,
procedures, and program plans and interviewed relevant officials.
Appendix I provides further details on our objectives, scope, and
methodology.
We conducted this performance audit from June 2007 to July 2008 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
Results in Brief:
Cyber analysis and warning typically encompasses four key capabilities:
monitoring, analysis, warning, and response. Monitoring system and
communication networks includes activities to detect cyber threats,
attacks, and vulnerabilities. Analysis involves taking the information
gathered from monitoring and hypothesizing about what the threat or
attack might be, investigating it, and identifying any impact and, if
necessary, mitigation steps. Warning includes alerting recipients about
potential or imminent, as well as ongoing, cyber threats or attacks.
Response includes containing and recovering from cyber incidents that
occur. Our research and past experience identified 15 key attributes
associated with these cyber analysis and warning capabilities, as shown
in the following table:
Table 1: Attributes of Cyber Analysis and Warning:
Capability: Monitoring;
Attribute:
* Establish a baseline understanding of network assets and normal
network traffic volume and flow;
* Assess risks to network assets;
* Obtain internal information on network operations via technical tools
and user reports;
* Obtain external information on threats, vulnerabilities, and
incidents;
* Detect anomalous activities.
Capability: Analysis;
Attribute:
* Verify that an anomaly is an incident (threat of attack or actual
attack);
* Investigate the incident to identify the type of cyber attack,
estimate impact, and collect evidence;
* Identify possible actions to mitigate the impact of the incident;
* Integrate results into predictive analysis of broader implications or
potential future attack.
Capability: Warning;
Attribute:
* Develop attack and other notifications that are targeted and
actionable;
* Provide notifications in a timely manner;
* Distribute notifications using appropriate communications methods.
Capability: Response;
Attribute:
* Contain and mitigate the incident;
* Recover from damages and remediate vulnerabilities;
* Evaluate actions and incorporate lessons learned.
Source: GAO analysis.
[End of table]
While US-CERT's cyber analysis and warning capabilities include aspects
of each of the key attributes, they do not fully incorporate all of
them. For example, as part of its monitoring, US-CERT obtains
information from numerous external information sources; however, it has
not established a comprehensive baseline of our nation's computer-
reliant critical assets and network operations. In addition,
while it investigates if identified anomalies constitute actual cyber
threats or attacks as part of its analysis, the organization does not
integrate its work into predictive analyses, nor does it have the
analytical or technical resources to analyze multiple, simultaneous
cyber incidents. The organization also provides warnings by developing
and distributing a wide array of attack and other notifications;
however, these notifications are not consistently actionable or
timely--providing the right information to the right persons or groups
as early as possible to give them time to take appropriate action.
Further, while it responds to a limited number of affected entities in
their efforts to contain and mitigate an attack, recover from damages,
and remediate vulnerabilities, the organization does not possess the
resources to handle multiple events across the nation.
US-CERT faces a number of newly identified and ongoing challenges that
impede it from fully implementing the key attributes and in turn
establishing cyber analysis and warning capabilities essential to
coordinating the national effort to prepare for, prevent, and respond
to cyber threats. The newly identified challenge is creating warnings
that are actionable and timely--US-CERT does not consistently issue
warning and other notifications that its customers find useful. Ongoing
challenges that we previously identified and made recommendations to
address are:
* employing predictive cyber analysis--the organization has not
established the ability to determine broader implications from ongoing
network activity, predict or protect against future threats, or
identify emerging attack methods;
* developing more trusted relationships to encourage information
sharing--federal and nonfederal entities are reluctant to share
information because US-CERT and these parties have yet to develop close
working and trusted relationships that would allow the free flow of
information;
* having sufficient analytical and technical capabilities--the
organization has difficulty hiring and retaining adequately trained
staff and acquiring supporting technology tools to handle a steadily
increasing workload; and:
* operating without organizational stability and leadership within
DHS--the department has not provided the sustained leadership to make
cyber analysis and warning a priority. This is due in part to frequent
turnover in key management positions that currently also remain vacant.
In addition, US-CERT's role as the central provider of cyber analysis
and warning may be diminished by the creation of a new DHS center at a
higher organizational level.
Until DHS addresses these challenges and fully incorporates all key
attributes into its capabilities, it will not have the full complement
of cyber analysis and warning capabilities essential to effectively
performing its national mission.
Accordingly, we are making 10 recommendations to the Secretary of
Homeland Security to improve DHS's cyber analysis and warning
capabilities by implementing key cyber analysis and warning attributes
and addressing the challenges, including:
* developing close working and more trusted relationships with federal
and nonfederal entities that would allow the free flow of information,
* expeditiously hiring sufficiently trained staff and acquiring
supporting technology tools to handle the steadily increasing workload,
* ensuring consistent notifications that are actionable and timely,
* filling key management positions to provide organizational stability
and leadership, and:
* ensuring that there are distinct and transparent lines of authority
and responsibility assigned to DHS organizations with cybersecurity
roles and responsibilities.
In written comments on a draft of this report (see app. II), the
department concurred with 9 of our 10 recommendations. It also
described actions planned and under way to implement these
recommendations. DHS took exception to 1 recommendation, stating that
it had developed a concept-of-operations document that clearly defined
roles and responsibilities for key DHS organizations. However, this
document is still in draft, and the department has yet to establish a
date for it to be finalized and implemented.
Background:
Increasing computer interconnectivity--most notably growth in the use
of the Internet--has revolutionized the way that our government, our
nation, and much of the world communicate and conduct business. While
the benefits have been enormous, they are accompanied by significant
risks to the nation's computer systems and to the critical operations
and infrastructures that those systems support.[Footnote 2]
Cyber Threats and Incidents Adversely Affect the Nation's Critical
Infrastructure:
Different types of cyber threats from numerous sources may adversely
affect computers, software, a network, an agency's operations, an
industry, or the Internet itself. Cyber threats can be unintentional or
intentional. Unintentional threats can be caused by software upgrades
or maintenance procedures that inadvertently disrupt systems.
Intentional threats include both targeted and untargeted attacks. A
targeted attack occurs when a group or individual specifically attacks
a cyber asset. An untargeted attack occurs when the intended target of
the attack is uncertain, such as when a virus, worm, or malware is
released on the Internet with no specific target.
Threats to the Nation's Critical Infrastructure Are Proliferating:
There is increasing concern among both government officials and
industry experts regarding the potential for a cyber attack on the
national critical infrastructure, including the infrastructure's
control systems. The Department of Defense (DOD) and the Federal Bureau
of Investigation, among others, have identified multiple sources of
threats to our nation's critical infrastructure, including foreign
nation states engaged in information warfare, domestic criminals,
hackers, virus writers, and disgruntled employees working within an
organization. In addition, there is concern about the growing
vulnerabilities to our nation as the design, manufacture, and service
of information technology have moved overseas.[Footnote 3] For example,
according to media reports, technology has been shipped to the United
States from foreign countries with viruses on the storage devices.
[Footnote 4] Further, U.S. authorities are concerned about the prospect
of combined physical and cyber attacks, which could have devastating
consequences. For example, a cyber attack could disable a security
system in order to facilitate a physical attack. Table 2 lists sources
of threats that have been identified by the U.S. intelligence community
and others.
Table 2: Sources of Emerging Cybersecurity Threats:
Threat: Bot-network operators;
Description: Bot-network operators take over multiple systems in order
to coordinate attacks and to distribute phishing schemes, spam, and
malware attacks (see table 3 for definitions). The services of these
networks are sometimes made available on underground markets (e.g.,
purchasing a denial-of-service attack or servers to relay spam or
phishing attacks).
Threat: Criminal groups;
Description: Criminal groups seek to attack systems for monetary gain.
Specifically, organized crime groups are using spam, phishing, and
spyware/malware to commit identity theft and online fraud.
International corporate spies and organized crime organizations also
pose a threat to the United States through their ability to conduct
industrial espionage and large-scale monetary theft and to hire or
develop hacker talent.
Threat: Foreign intelligence services;
Description: Foreign intelligence services use cyber tools as part of
their information-gathering and espionage activities. In addition,
several nations are aggressively working to develop information warfare
doctrine, programs, and capabilities. Such capabilities enable a single
entity to have a significant and serious impact by disrupting the
supply, communications, and economic infrastructures that support
military power--impacts that could affect the daily lives of U.S.
citizens across the country.
Threat: Hackers;
Description: Hackers break into networks for the thrill of the
challenge or for bragging rights in the hacker community. While gaining
unauthorized access once required a fair amount of skill or computer
knowledge, hackers can now download attack scripts and protocols from
the Internet and launch them against victim sites. Thus, while attack
tools have become more sophisticated, they have also become easier to
use. According to the Central Intelligence Agency, the large majority
of hackers do not have the requisite expertise to threaten difficult
targets such as critical U.S. networks. Nevertheless, the worldwide
population of hackers poses a relatively high threat of an isolated or
brief disruption causing serious damage.
Threat: Insiders;
Description: The disgruntled organization insider is a principal source
of computer crime. Insiders may not need a great deal of knowledge
about computer intrusions because their knowledge of a target system
often allows them to gain unrestricted access to cause damage to the
system or to steal system data. The insider threat includes contractors
hired by the organization as well as employees who accidentally
introduce malware into systems.
Threat: Phishers;
Description: Individuals, or small groups, execute phishing schemes in
an attempt to steal identities or information for monetary gain.
Phishers may also use spam and spyware/malware to accomplish their
objectives.
Threat: Spammers;
Description: Individuals or organizations distribute unsolicited e-mail
with hidden or false information in order to sell products, conduct
phishing schemes, distribute spyware/malware, or attack organizations
(i.e., denial of service).
Threat: Spyware/malware authors;
Description: Individuals or organizations with malicious intent carry
out attacks against users by producing and distributing spyware and
malware. Several destructive computer viruses and worms have harmed
files and hard drives, including the Melissa Macro Virus, the
Explore.Zip worm, the CIH (Chernobyl) Virus, Nimda, Code Red, Slammer,
and Blaster.
Threat: Terrorists;
Description: Terrorists seek to destroy, incapacitate, or exploit
critical infrastructures in order to threaten national security, cause
mass casualties, weaken the U.S. economy, and damage public morale and
confidence. Terrorists may use phishing schemes or spyware/malware in
order to generate funds or gather sensitive information.
Source: GAO analysis based on data from the Federal Bureau of
Investigation, the Central Intelligence Agency, and the Software
Engineering Institute's CERT® Coordination Center.
[End of table]
The nation's critical infrastructure operates in an environment of
increasing and dynamic threats, and adversaries are becoming more agile
and sophisticated. Terrorists, transnational criminals, and
intelligence services use various cyber tools that can deny access,
degrade the integrity of, intercept, or destroy data and jeopardize the
security of the nation's critical infrastructure (see table 3).
Table 3: Types of Cyber Attacks:
Type of attack: Denial of service;
Description: A method of attack from a single source that denies system
access to legitimate users by overwhelming the target computer with
messages and blocking legitimate traffic. It can prevent a system from
being able to exchange data with other systems or use the Internet.
Type of attack: Distributed denial of service;
Description: A variant of the denial-of-service attack that uses a
coordinated attack from a distributed system of computers rather than
from a single source. It often makes use of worms to spread to multiple
computers that can then attack the target.
Type of attack: Exploit tools;
Description: Publicly available and sophisticated tools that intruders
of various skill levels can use to determine vulnerabilities and gain
entry into targeted systems.
Type of attack: Logic bombs;
Description: A form of sabotage in which a programmer inserts code that
causes the program to perform a destructive action when some triggering
event occurs, such as terminating the programmer's employment.
Type of attack: Phishing;
Description: The creation and use of e-mails and Web sites--designed to
look like those of well-known legitimate businesses, financial
institutions, and government agencies--in order to deceive Internet
users into disclosing their personal data, such as bank and financial
account information and passwords. The phishers then use that
information for criminal purposes, such as identity theft and fraud.
Type of attack: Sniffer;
Description: Synonymous with packet sniffer. A program that intercepts
routed data and examines each packet in search of specified
information, such as passwords transmitted in clear text.
Type of attack: Trojan horse;
Description: A computer program that conceals harmful code. A Trojan
horse usually masquerades as a useful program that a user would wish to
execute.
Type of attack: Virus;
Description: A program that infects computer files, usually executable
programs, by inserting a copy of itself into the file. These copies are
usually executed when the infected file is loaded into memory, allowing
the virus to infect other files. Unlike a computer worm, a virus
requires human involvement (usually unwitting) to propagate.
Type of attack: Vishing;
Description: A method of phishing that relies on voice-over-Internet
Protocol technology and open-source call center software, which have
made it inexpensive for scammers to set up phony call centers.
Criminals send e-mail or text messages to potential victims saying that
there has been a security problem and that they need to call their
bank to reactivate a credit or debit card, or send text messages to
cell phones instructing potential victims to contact fake online banks
to renew their accounts.
Type of attack: War driving;
Description: A method of gaining entry into wireless computer networks
using a laptop, antennas, and a wireless network adaptor that involves
patrolling locations to gain unauthorized access.
Type of attack: Worm;
Description: An independent computer program that reproduces by copying
itself from one system to another across a network. Unlike computer
viruses, worms do not require human involvement to propagate.
Type of attack: Zero-day exploit;
Description: A cyber threat taking advantage of a security
vulnerability on the same day that the vulnerability becomes known to
the general public and for which there are no available fixes.
Source: GAO analysis of data from GAO and industry reports.
[End of table]
Cyber Incidents Have Caused Serious Damage:
The growing number of known vulnerabilities increases the potential
number of attacks. By exploiting software vulnerabilities, hackers and
others who spread malicious code can cause significant damage, ranging
from defacing Web sites to taking control of entire systems and thereby
being able to read, modify, or delete sensitive information; disrupt
operations; launch attacks against other organizations' systems; or
destroy systems. Reports of attacks involving critical infrastructure
demonstrate that a serious attack could be devastating, as the
following examples illustrate.
* In June 2003, the U.S. government issued a warning concerning a virus
that specifically targeted financial institutions. Experts said the
BugBear.b virus was programmed to determine whether a victim had used
an e-mail address for any of the roughly 1,300 financial institutions
listed in the virus's code. If a match was found, the software
attempted to collect and document user input by logging keystrokes and
then provide this information to a hacker, who could use it in attempts
to break into the banks' networks.[Footnote 5]
* In August 2006, two Los Angeles city employees hacked into computers
controlling the city's traffic lights and disrupted signal lights at
four intersections, causing substantial backups and delays. The attacks
were launched prior to an anticipated labor protest by the employees.
[Footnote 6]
* In October 2006, a foreign hacker penetrated security at a water
filtering plant in Harrisburg, Pennsylvania. The intruder planted
malicious software that was capable of affecting the plant's water
treatment operations.[Footnote 7]
* In May 2007, Estonia was the reported target of a denial-of-service
cyber attack with national consequences. The coordinated attack created
mass outages of its government and commercial Web sites.[Footnote 8]
* In March 2008, the Department of Defense reported that in 2007
computer networks operated by Defense, other federal agencies, and
defense-related think tanks and contractors were targets of cyber
warfare intrusion techniques. Although the identity of those responsible
was not definitively substantiated, the attacks appeared to have
originated in China.[Footnote 9]
As these examples illustrate, attacks resulting in the incapacitation
or destruction of the nation's critical infrastructures could have a
debilitating impact on national and economic security and on public
health and safety.
Federal Law and Policy Establish the Need for National Cyber Analysis
and Warning:
To protect the nation's critical computer-dependent infrastructures
against cyber threats and attacks, federal law and policy have
identified the need to enhance cybersecurity and establish cyber
analytical and warning capabilities, which are sometimes referred to as
"indications and warnings." The laws and policies include (1) the
Homeland Security Act of 2002, (2) the National Strategy to Secure
Cyberspace, (3) Homeland Security Presidential Directive 7, and (4) the
National Response Framework. In addition, the President issued in
January 2008 Homeland Security Presidential Directive 23, which,
according to US-CERT officials, has provisions that affect cyber
analysis and warning efforts of the federal government.
Homeland Security Act of 2002:
The Homeland Security Act of 2002 established the Department of
Homeland Security and gave it lead responsibility for preventing
terrorist attacks in the United States, reducing the vulnerability of
the United States to terrorist attacks, and minimizing the damage and
assisting in recovery from attacks that do occur.[Footnote 10] The act
assigned the department, among other things, a number of critical
infrastructure protection responsibilities, including gathering threat
information, including cyber-related information, from law enforcement,
intelligence sources, and other agencies of the federal, state, and
local governments and private sector entities to identify, assess, and
understand threats; carrying out assessments of the vulnerabilities of
key resources to determine the risks posed by attacks; and integrating
information, analyses, and vulnerability assessments in order to
identify priorities for protection. In addition, the department is
responsible for disseminating, as appropriate, information that it
analyzes--both within the department and to other federal, state, and
local government agencies and private sector entities--to assist in the
deterrence, prevention, preemption of, or response to terrorist acts.
National Strategy to Secure Cyberspace:
The National Strategy to Secure Cyberspace proposes that a public/
private architecture be provided for analyzing, warning, and managing
incidents of national significance.[Footnote 11] The strategy states
that cyber analysis includes both (1) tactical analytical support
during a cyber incident and (2) strategic analyses of threats. Tactical
support involves providing current information on specific factors
associated with incidents under investigation or specific identified
vulnerabilities. Examples of tactical support include analysis of (1) a
computer virus delivery mechanism to issue immediate guidance on ways
to prevent or mitigate damage related to an imminent threat or (2) a
specific computer intrusion or set of intrusions to determine the
perpetrator, motive, and method of attack. Strategic analysis is
predictive in that it looks beyond one specific incident to consider a
broader set of incidents or implications that may indicate a potential
future threat of national importance. For example, strategic analyses
may identify long-term vulnerability and threat trends that provide
advance warnings of increased risk, such as emerging attack methods.
Strategic analyses are intended to provide policymakers with
information that they can use to anticipate and prepare for attacks,
thereby diminishing the damage from such attacks.
Homeland Security Presidential Directive 7:
Homeland Security Presidential Directive 7 (HSPD 7) directs DHS to,
among other things, serve as the focal point for securing cyberspace.
This includes analysis, warning, information sharing, vulnerability
reduction, mitigation, and recovery efforts for critical infrastructure
information systems.[Footnote 12] It also directs DHS to develop a
national indications and warnings architecture for infrastructure
protection and capabilities, including cyber, that will facilitate an
understanding of baseline infrastructure operations, the identification
of indicators and precursors to an attack, and create a surge capacity
for detecting and analyzing patterns of potential attacks.
In May 2005, we reported that DHS has many cybersecurity-related roles
and responsibilities, including developing and enhancing national cyber
analysis and warning capabilities.[Footnote 13] However, we found that
DHS had not fully addressed all its cybersecurity-related
responsibilities and that it faced challenges that impeded its ability
to fulfill its responsibilities. These challenges included having
organizational stability and authority, hiring employees, establishing
information sharing and effective partnerships, and developing
strategic analysis and warning. We made recommendations to the
Secretary of Homeland Security to engage appropriate stakeholders to
prioritize key cybersecurity responsibilities, develop a prioritized
list of key activities to address underlying challenges, and
identify performance measures and milestones for fulfilling its
responsibilities and for addressing its challenges. We did not make new
recommendations regarding cyber-related analysis and warning because
our previous recommendations had not been fully implemented.
Specifically, in 2001, we recommended that responsible executive branch
officials and agencies establish a capability for strategic analysis of
computer-based threats, including developing a methodology, acquiring
expertise, and obtaining infrastructure data.[Footnote 14]
National Response Framework:
The National Response Framework, issued by DHS in January 2008,
provides guidance to coordinate cyber incident response among federal
entities and, upon request, state and local governments and private
sector entities.[Footnote 15] Specifically, the Cyber Incident Annex
describes the framework for federal cyber incident response in the
event of a cyber-related incident of national significance affecting
the critical national processes. Further, the annex formalizes the
National Cyber Response Coordination Group (NCRCG). As established
under the preceding National Response Plan, the NCRCG continues to be
cochaired by DHS's National Cyber Security Division (NCSD), the
Department of Justice's Computer Crime and Intellectual Property
Section, and the DOD. It is to bring together officials from all
agencies that have responsibility for cybersecurity and the sector-
specific agencies identified in HSPD 7. The group coordinates
intergovernmental and public/private preparedness and response to and
recovery from national-level cyber incidents and physical attacks that
have significant cyber-related consequences. During and in anticipation
of such an incident, the NCRCG's senior-level membership is responsible
for providing subject matter expertise, recommendations, and strategic
policy support and ensuring that the full range of federal capabilities
is deployed in a coordinated and effective fashion.
Homeland Security Presidential Directive 23:
In January 2008, the President issued HSPD 23--also referred to as
National Security Presidential Directive 54 and the President's "Cyber
Initiative"--to improve the federal government's cybersecurity efforts,
including protecting against intrusion attempts and better anticipating
future threats.[Footnote 16] While the directive is a classified
document, US-CERT officials stated that it includes steps to enhance
cyber analysis related efforts, such as requirements that federal
agencies implement a centralized monitoring tool and that the federal
government reduce the number of connections to the Internet, referred
to as Trusted Internet Connections.
DHS Established US-CERT to Provide National Cyber Analysis and Warning:
To help protect the nation's information infrastructure, DHS
established the US-CERT. It is currently positioned within the NCSD of
DHS's Office of Cybersecurity and Communications. Figure 1 shows the
position of these offices within DHS's organizational structure.
Figure 1: Department of Homeland Security Organizational Chart:
[Refer to PDF for image]
This figure is an illustration of the Department of Homeland Security
Organizational Chart, as follows:
DHS Secretary:
* National Cybersecurity Center;
* U.S. Secret Service;
* Transportation Security Administration;
* Intelligence and Analysis;
* U.S. Customs and Border Control;
* U.S. Immigration Customs Enforcement;
* Multiple other directorates reporting to DHS Secretary;
* National Protection and Programs:
- US-VISIT;
- Office of Risk Management and Analysis;
- Office of Infrastructure Protection;
- Office of Intergovernmental Programs;
- Office of Cyber Security and Communications:
- Office of Emergency Communications;
- National Communications System;
- National Cyber Security Division:
- Strategic Initiatives;
- US-CERT;
- Outreach and Awareness.
Source: GAO based on DHS data.
[End of figure]
US-CERT is to serve as a focal point for the government's interaction
with federal and nonfederal entities on a 24-hour-a-day, 7-day-a-week
basis regarding cyber-related analysis, warning, information sharing,
major incident response, and national-level recovery efforts.[Footnote
17] It is charged with aggregating and disseminating cybersecurity
information to improve warning of and response to incidents, increasing
coordination of response information, reducing vulnerabilities, and
enhancing prevention and protection. In addition, the organization is
to collect incident reports from all federal agencies and assist
agencies in their incident response efforts. It is also to accept
incident reports when voluntarily submitted by other public and private
entities and assist them in their response efforts, as requested.
US-CERT is composed of five branches, as shown in figure 2: Operations,
Situational Awareness, Law Enforcement and Intelligence, Future
Operations, and Mission Support. Each branch has specific
responsibilities:
* The Operations branch is to receive and respond to incidents,
disseminate reasoned and actionable cybersecurity information, and
analyze various types of data to improve overall understanding of
current or emerging cyber threats affecting the nation's critical
infrastructure.
* The Situational Awareness branch is to identify, analyze, and
comprehend broad network activity and to support incident handling and
analysis of cybersecurity trends for federal agencies so that they may
increase their own situational awareness and reduce cyber threats and
vulnerabilities. As part of its responsibilities, the branch is
responsible for managing the information garnered from the US-CERT
Einstein program, which obtains network flow data from federal
agencies, and analyzing the traffic patterns and behavior. This
information is then combined with other relevant data to (1) detect
potential deviations and identify how Internet activities are likely to
affect federal agencies and (2) provide insight into the health of the
Internet and into suspicious activities.
* The Law Enforcement and Intelligence branch is to facilitate
information sharing and collaboration among law enforcement agencies,
the intelligence community, and US-CERT through the presence of
liaisons from those organizations at US-CERT.
* The Future Operations branch was established in January 2007 to lead
or participate in the development of related policies, protocols,
procedures, and plans to support US-CERT's coordination of national
response to cyber incidents.
* The Mission Support branch is to manage US-CERT's communications
mechanisms, including reports, alerts, notices, and its public and
classified Web site content.
Figure 2: US-CERT Organizational Structure:
[Refer to PDF for image]
This figure is an illustration of the US-CERT Organizational Structure,
as follows:
US-CERT:
* Operations:
- Incident handling program;
- Production program;
- Analysis program, including: Network analysis; Malware analysis;
Digital media analysis; Information sharing and analysis center (ISAC)
partnerships;
* Situational Awareness:
- Einstein program;
- Mission operating environment;
- Internet health service;
* Law Enforcement and Intelligence:
- Cyber cop portal;
* Future Operations:
- Develop programs and processes that enable and support a fully
integrated national cyber incident response capability;
* Mission Support:
- Administrative support;
- Personnel security;
- Contract management;
- Budget;
- Information services;
- Procurement.
Source: GAO based on DHS data.
[End of figure]
Cyber Analysis and Warning Encompasses Four Key Capabilities:
Our research and observations at federal and nonfederal entities show
that cyber analysis and warning typically encompasses four key
capabilities:
* Monitoring--detecting cyber threats, attacks, and vulnerabilities and
establishing a baseline of system and communication network assets and
normal traffic.
* Analysis--using the information or intelligence gathered from
monitoring to hypothesize about what the threat might be, investigate
it with technical and contextual expertise and identify the threat and
its impact, and determine possible mitigation steps. Analysis may be
initiated in reaction to a detected anomaly. This is a tactical
approach intended to triage information during a cyber incident and
help make decisions. It may also be predictive, proactively reviewing
data collected during monitoring to look at cyber events and the
network environment to find trends, patterns, or anomaly correlations
that indicate more serious attacks or future threats.
* Warning--developing and issuing informal and formal notifications
that alert recipients in advance of potential or imminent, as well as
ongoing, cyber threats or attacks. Warnings are intended to alert
entities to the presence of cyber attack, help delineate the relevance
and immediacy of cyber attacks, provide information on how to remediate
vulnerabilities and mitigate incidents, or make overall statements
about the health and welfare of the Internet.
* Response--taking actions to contain an incident, manage the
protection of network operations, and recover from damages when
vulnerabilities are revealed or when cyber incidents occur. In
addition, response includes lessons learned and cyber threat data being
documented and integrated back into the capabilities to improve overall
cyber analysis and warning.
Through our consultations with experts, we found that the terminology
may vary, but the functions of these capabilities are fairly consistent
across cyber analysis and warning entities. Figure 3 depicts the basic
process of cyber analysis and warning capabilities.
Figure 3: A Simplified View of How Cyber Analysis and Warning
Capabilities Are Executed:
[Refer to PDF for image]
This figure is an illustration of how cyber analysis and warning
capabilities are executed. Monitoring is a constant, and the following
process is followed:
Anomaly detected:
Analysis (interaction with monitoring);
Identify threat;
Warning (interaction with monitoring);
Issue alert;
Response (interaction with monitoring).
Source: GAO analysis.
[End of figure]
Typically, cyber analysis and warning is executed, or managed, from a
central focal point known as an operation center or watch center. Such
centers can serve a single organization or a number of organizations.
Centers generally include physically and electronically connected
multidisciplinary teams with access to a variety of communication and
software tools. The teams are made up of specialized analysts,
sometimes referred to as watch standers, with a combination of
expertise in information security, intelligence, and cyber forensics.
Teams may also include subject area experts with specialized expertise
in certain critical infrastructure sectors, industries, or
technologies. The centers operate tools that integrate data and
facilitate analysis by the watch standers. The data come from a
multitude of sources, including internal or external monitoring, human
or signals intelligence, analytical results, warnings from other
entities, and information collected from previous threat responses.
Centers decide when and how to issue formal and informal warnings that
contribute to further analysis or provide information that aids in
decisions about how to respond to an incident.
Depending on the size and organizational structure of an organization,
the analysis and warning team may work with incident response teams
during a cyber incident. The incident response team manages the
decisions required for handling an incident using information
discovered during monitoring, analysis, and warning. The team may also
coordinate with those responsible for information security for the
organization in order to assess risks, remediate vulnerabilities, and
prepare for and respond to attacks.
Fifteen Key Attributes Essential to Establishing Cyber Analysis and
Warning Capabilities:
Our research and past experience at federal and nonfederal entities
identified 15 key attributes associated with the cyber analysis and
warning capabilities of monitoring, analysis, warning, and response.
These attributes are displayed in table 4, which is followed by a
detailed description by capability of each attribute.
Table 4: Key Attributes of the Cyber Analysis and Warning Capabilities:
Capability: Monitoring;
Attribute: Establish a baseline understanding of network assets and
normal network traffic volume and flow; Assess risks to network assets;
Obtain internal information on network operations via technical tools
and user reports; Obtain external information on threats,
vulnerabilities, and incidents through various relationships, alerts,
and other sources; Detect anomalous activities.
Capability: Analysis;
Attribute: Verify that an anomaly is an incident (threat of attack or
actual attack); Investigate the incident to identify the type of cyber
attack, estimate impact, and collect evidence; Identify possible
actions to mitigate the impact of the incident; Integrate results into
predictive analysis of broader implications or potential future attack.
Capability: Warning;
Attribute: Develop attack and other notifications that are targeted and
actionable; Provide notifications in a timely manner; Distribute
notifications using appropriate communications methods.
Capability: Response;
Attribute: Contain and mitigate the incident; Recover from damages and
remediate vulnerabilities; Evaluate actions and incorporate lessons
learned.
Source: GAO analysis.
[End of table]
Monitoring:
Monitoring provides the data used to understand one's operating
environment and detect changes that indicate the presence of anomalies
that may be cyber attacks. It encompasses five key attributes:
1. Establishing a baseline understanding of network assets and normal
network traffic volume and flow:
In order to detect unusual activity in network traffic or changes in an
operating environment, organizations require knowledge of ordinary
traffic and environmental conditions. This knowledge forms the baseline
against which changes or anomalies can be detected, identified, and
mitigated. A baseline is established through activities such as
creating an accurate inventory of systems, prioritizing resources and
assets, maintaining an understanding of the expected volume and nature
of network traffic, and instituting operational procedures such as
procedures for handling incidents. Without a baseline, it may be
difficult to effectively detect threats or respond to a warning with
the appropriate resources.
2. Assessing risks to network assets:
Assessments should be conducted to determine what risks are posed by
combinations of threats and vulnerabilities and inform the monitoring
capability so that it is focused on the most critical assets. According
to CERT® Coordination Center (CERT/CC) officials,[Footnote 18] having a
baseline knowledge of networks and systems and their associated risks
in advance helps individual organizations understand what threats they
may be susceptible to, what resources are at risk, and what the
potential damage of an attack might be. Risks should be prioritized and
mitigated until a reasonable and acceptable level of risk is reached.
3. Obtain internal information on network operations via technical
tools and user reports:
Another key attribute is monitoring traffic on internal networks using
(1) network and information security-related technology tools and (2)
reports on network activity. As table 5 shows, various technologies can
be used for internal network monitoring to help compile and identify
patterns in network data. Each type of technology may detect anomalies
that the other types of software cannot.
Table 5: Common Types of Technology Used for Internal Monitoring:
Technology: Antivirus software;
Function: Provides protection against malicious code, such as viruses,
worms, and Trojan horses.
Technology: Firewalls;
Function: Control access to and from a network or computer.
Technology: Intrusion detection systems;
Function: Detect inappropriate, incorrect, or anomalous activity on a
network or computer system.
Technology: Intrusion prevention systems;
Function: Build on intrusion detection systems to detect attacks on a
network and take action to prevent them from being successful.
Technology: Signature-based tools;
Function: Compare files or packets to a list of "signatures"--patterns
of specific files or packets that have been identified as a threat.
Each signature is the unique arrangement of zeros and ones that makes up
the file or packet.
Technology: Security event correlation tools;
Function: Monitor and document actions on network devices and analyze
the actions to determine if an attack is ongoing or has occurred.
Enable an organization to determine if ongoing system activities are
operating according to its security policy.
Technology: Scanners;
Function: Analyze computers or networks for security vulnerabilities.
Source: GAO.
[End of table]
These technologies can be used to examine data logs from networks on a
24-hour-a-day, 7-day-a-week schedule in an effort to identify (1)
precursors and indicators of cyber threats or other anomalies and (2)
the occurrence of known attacks. The data logged from these
technologies are typically prepared using automated tools to help
analysts observe or detect a single anomaly or to discover patterns in
data over time. According to several federal and nonfederal entities,
hands-on monitoring by trained analysts is essential because it can be
difficult for automated tools to identify anomalies and incidents. For
example, some automated signature-based tools focus on known threats
and may not automatically recognize or alert analysts to new attack
patterns or new threat delivery techniques. Other intrusion detection
systems can produce large numbers of alerts indicating a problem when
one does not exist (false positives); therefore, an analyst must look
into anomalies more closely to see if detected intrusions are
indications of a threat or simply an equipment malfunction.
4. Obtaining external information on threats, vulnerabilities, and
incidents through various relationships, alerts, and other sources:
External monitoring includes observing and receiving information that
is either publicly or not publicly available for the purpose of
maintaining environmental or situational awareness, detecting
anomalies, and providing data for analysis, warning, and response.
External sources of information include:
* formal relationships, such as with and between critical
infrastructure sector-related information sharing and analysis centers
(ISAC); [Footnote 19] federal agencies, including military, civilian,
law enforcement, and intelligence agencies; international computer
emergency response team organizations; the CERT/CC and vendors under
contract for services;
* informal relationships established on a personal basis between
analysts located at different operations centers;
* alerts issued by federal, state, and local governments;
* alerts issued by commercial external sources such as network security
and antivirus software vendors;
* vulnerability databases, standards, and frameworks such as the
National Vulnerability Database,[Footnote 20] the Common Vulnerability
and Exposures List,[Footnote 21] Common Vulnerability Scoring System,
[Footnote 22] and the Open Vulnerability Assessment Language;[Footnote
23]
* media outlets, such as television news and newspapers; and:
* Web sites, such as law enforcement entities' sites, known hacker and
criminal sites and chat rooms, and cooperative cyber analysis and
warning services.[Footnote 24]
5. Detecting anomalous activities:
Continuous monitoring occurs in order to detect significant changes
from the baseline operations or the occurrence of an attack through an
already known threat or vulnerability. It is ultimately the detection
of an anomaly--observed internally or received from external
information--and the recognition of its relevance that triggers
analysis of the incident to begin.
Analysis:
Analysis uses technical methods in combination with contextual
expertise to hypothesize about the threat and associated risks
concerning an anomaly and, if necessary, determine mitigation
solutions. It encompasses four key attributes:
1. Verifying that an anomaly is an incident:
Once an anomaly is detected, it should be verified whether it is a
genuine cyber incident by determining that the data are from a trusted
source and are accurate. For example, if the anomaly was identified by
an internal sensor, analysts start by confirming that the sensor was
working correctly and not indicating a false positive. If the anomaly
was reported by an external source, analysts try to determine the
trustworthiness of that source and begin to identify internal and
external corroborating sources. Anomalies that are verified may require
in-depth investigation and incident handling or more observation
through monitoring.
2. Investigating the incident to identify the type of cyber attack,
estimate impacts, and collect evidence:
Once the anomaly is verified as a potential, impending, or occurring
incident, analysts should combine information from multiple sources
and/or perform investigative testing using available tools. Analysis
often occurs through collaboration between analysts, the exchange of
notifications and warnings, and the use of analytical research
techniques. Analysts use these techniques to investigate the type of
attack, its source (where it originates), its target (whom it affects),
and the immediate risk to network assets and mission performance. In
addition, these techniques are used to compile evidence for law
enforcement. Techniques for investigation include:
* comparing and correlating additional monitoring data available with
the anomaly to determine what other internal and external entities are
experiencing;
* comparing data about the anomaly with standardized databases to
determine if the threats are known; and:
* performing investigations, such as cyber forensic examinations,
[Footnote 25] reverse engineering, malware analysis, and isolating
anomalies in a test environment such as a honeypot or a sandbox.
[Footnote 26]
3. Identifying possible actions to mitigate the impact of the incident:
Analysis should culminate in identifying essential details about an
anomaly such as what specific vulnerabilities are exploited or what
impacts are expected for a specific incident. Steps should then be
taken to identify alternative courses of action to mitigate the risks
of the incident according to the severity of the exploit, available
resources, and mission priorities. Such steps may include isolating the
affected system to prevent further compromise, disabling the affected
service that is being exploited, or blocking the connections providing
the attacker a route into the network environment.[Footnote 27] These
courses of action may lead to more analysis or be used to support the
warning capability.
4. Integrating results into predictive analysis of broader implications
or potential future attacks:
Information resulting from analysis of an individual incident should be
used to determine any broader implications and predict and protect
against future threats. This type of effort, or predictive analysis,
should look beyond one specific incident to consider a broader set of
incidents or implications that may indicate a potential threat of
importance. For example, it may include detailed trend analysis of
threats that occurred over a certain period of time, issued in public
reports that discuss current trends, predict future incident activity,
or describe emerging attack methods. However, according to many
experts, this type of predictive analysis is complex and it is still
difficult to predict future threats with current data.
Warning:
Warnings are intended to alert entities to the presence of anomalies,
help delineate the relevancy and immediacy of cyber attacks, provide
information on how to remediate vulnerabilities and mitigate incidents,
or make overall statements about the health and welfare of the
Internet. Warning includes three key attributes:
1. Developing notifications that are targeted and actionable:
Warning messages should be targeted to the appropriate audience and
provide details that are accurate, specific, and relevant enough to be
acted upon. Developing actionable notifications requires providing the
right incident information to the right person or group. If a single
group is the only target of a threat, a warning directly to it may be
more appropriate than a general public announcement. In addition,
warnings are tailored to address technical or nontechnical recipients.
Some warnings may be more appropriate for chief information officers,
while others may include technical details for network administrators.
Although notifications and warnings are delivered throughout incident
handling, it is important to reach a balance between releasing
actionable information and disclosing warnings too often, which can
overwhelm the recipients and stretch limited resources. By addressing
the specific audience, warnings avoid overwhelming recipients with
extraneous or irrelevant information.
Also, recipients of notifications and warnings need to be able to use
them to protect or defend their networks against cyber attacks. For
example, many organizations have designated thresholds that determine
how and when warnings are issued. To be usable, the messages must
include specific and accurate information about the incident as it
relates to the recipient's monitoring, analysis, or response
capabilities. An
actionable warning may also include recommendations about how to
respond to an incident. Federal and nonfederal entities also noted that
sensitivity of information and privacy are key considerations when
trying to develop an actionable warning. Warnings are sanitized or
stripped of identifying or proprietary information in order to protect
the privacy of individuals or entities involved in the incident. In
addition, the federal government and its private sector partners must
also adhere to procedures to make sure that they share useful
information at the appropriate clearance level.
2. Providing notifications in a timely manner:
Warnings are intended to give information to recipients as early as
possible--preferably in advance of a cyber attack--to give them time to
take appropriate action. In addition, the National Institute of
Standards and Technology (NIST) provides guidance to federal agencies
that describes when incidents are considered reportable and how long
they may take to report them to US-CERT.[Footnote 28] Similarly,
several ISACs stated that they have procedures that determine when and
how warnings are issued and when and how members should report
incidents.
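The two attributes above, tailoring a warning to its audience, stripping identifying and proprietary information before release, sharing only at a permitted sensitivity level, and checking the notification against a timeliness target, can be shown as a small script. The following is an added illustration, not code from the report, US-CERT or NIST; the incident record, the audience profiles, the FOUO-style sensitivity labels and the notify-within targets are constructed stand-ins, not values taken from the page.

```python
"""Targeted, sanitized and time-checked warning notifications (added illustration).

Constructed example: the incident record, audience profiles, sensitivity labels
and reporting targets are illustrative stand-ins, not US-CERT or NIST values.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed incident record, as an analyst might hold it after investigation.
INCIDENT = {
    "id": "INC-EXAMPLE-1",                       # placeholder identifier
    "detected_at": datetime(2008, 3, 3, 9, 0, tzinfo=timezone.utc),
    "victim_org": "Agency Alpha",                # constructed entity name
    "victim_hosts": ["mail01.alpha.example.gov", "10.20.30.40"],
    "attacker_ips": ["203.0.113.7"],             # RFC 5737 documentation range
    "technique": "credential phishing followed by remote login",
    "severity": "high",
    "mitigation": "reset exposed credentials and block the listed source at the perimeter",
    "sensitivity": "FOUO",                       # constructed label
}

# Constructed audience profiles: level of detail and which labels each may receive.
AUDIENCES = {
    "cio":      {"technical": False, "may_receive": {"UNCLASSIFIED", "FOUO"}},
    "netadmin": {"technical": True,  "may_receive": {"UNCLASSIFIED", "FOUO"}},
    "public":   {"technical": False, "may_receive": {"UNCLASSIFIED"}},
}

# Constructed timeliness targets by severity (stand-in for an organization's thresholds).
NOTIFY_WITHIN = {"high": timedelta(hours=1), "medium": timedelta(hours=24), "low": timedelta(days=7)}

# Two reference clocks used by the demo: 30 minutes and 2 hours after detection.
EXAMPLE_NOW = INCIDENT["detected_at"] + timedelta(minutes=30)
EXAMPLE_LATE = INCIDENT["detected_at"] + timedelta(hours=2)

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sanitize(text, incident):
    """Remove details that identify the victim. Attacker indicators are kept
    because they are what recipients need in order to act."""
    text = text.replace(incident["victim_org"], "[affected entity]")
    for host in incident["victim_hosts"]:
        text = text.replace(host, "[redacted host]")
    keep = set(incident["attacker_ips"])
    return _IPV4.sub(lambda m: m.group(0) if m.group(0) in keep else "[redacted address]", text)


def build_warning(incident, audience_name, now):
    """Return a warning tailored to one audience, or None when the incident's
    sensitivity label is not releasable to that audience."""
    profile = AUDIENCES[audience_name]
    if incident["sensitivity"] not in profile["may_receive"]:
        return None
    if profile["technical"]:
        # Network administrators get indicators and the method used.
        body = (f"{incident['victim_org']} hosts {', '.join(incident['victim_hosts'])} were accessed "
                f"from {', '.join(incident['attacker_ips'])} via {incident['technique']}. "
                f"Recommended action: {incident['mitigation']}.")
    else:
        # Nontechnical recipients get severity, a plain description and the action.
        body = (f"A {incident['severity']}-severity incident ({incident['technique']}) affected "
                f"{incident['victim_org']}. Recommended action: {incident['mitigation']}.")
    elapsed = now - incident["detected_at"]
    return {
        "incident": incident["id"],
        "audience": audience_name,
        "sensitivity": incident["sensitivity"],
        "body": sanitize(body, incident),
        "elapsed_hours": round(elapsed.total_seconds() / 3600, 2),
        "within_target": elapsed <= NOTIFY_WITHIN[incident["severity"]],
    }


def route(incident, now):
    """Build a warning for every audience permitted to receive it."""
    out = {}
    for name in AUDIENCES:
        warning = build_warning(incident, name, now)
        if warning is not None:
            out[name] = warning
    return out


if __name__ == "__main__":
    for name, w in route(INCIDENT, EXAMPLE_NOW).items():
        print(name, "on time" if w["within_target"] else "LATE", "|", w["body"])
```

The sanitizer keeps the attacker's address because that is the actionable element; everything that names the victim is replaced before the body leaves the organization, and the public audience receives nothing at all because the constructed FOUO label is outside what it may receive.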
3. Distributing notifications using the most appropriate communications
methods:
Once a warning is developed, it is important to determine the best
method for getting that message out without overwhelming the public or
incident handlers. Warnings can be provided both informally and
formally. Informal warnings between colleagues with established trusted
relationships can happen quickly and without significant regard to the
organizational structure. Formal warnings, which are typically held to
a higher standard of accuracy by recipients than informal warnings,
come in many forms, such as e-mail bulletins, vulnerability alerts, Web
postings, targeted warnings to a specific entity, or broad security
notices to the general public. In addition to specific formal warnings,
operations centers that perform analysis and warning for multiple
organizations, such as the ISACs and commercial vendors, use level-based
or color-coded alert systems on their Web sites to quickly notify
members and the public of the general threat status of the
infrastructure or Internet. Changing from one level or color to another
indicates that the threat level is increasing or decreasing. These same
organizations send alerts about threats and vulnerabilities to members
only or may issue specific warnings to a single organization that has
been identified through analysis as being targeted by a cyber threat.
Response:
Response includes actions to contain an incident, manage the protection
of network operations, and recover from damages when vulnerabilities
are revealed or when cyber incidents occur. It encompasses three key
attributes:
1. Containing and mitigating the incident:
When an incident is identified, immediate steps should be taken to
protect network assets. Decisions are made to control further impacts
on the network and then eliminate the threat. These actions may include
installing a software patch, blocking a port known to be used by a
particular threat, or deploying other appropriate network resources. In
the case of a serious threat, the decision may be to turn off the
network gateway and temporarily isolate the network from the Internet,
depending upon what assets are at risk. One industry expert noted that
investigation may occur before any mitigation steps are taken in order
to consider the necessity of law enforcement involvement. On the other
hand, if little is known about a threat and it does not appear to
endanger critical assets, a decision might be made to watch the threat
emerge in a contained area to allow for further monitoring and
analysis. Decisions to act or not are based on acceptable risks,
available resources, and ability to remedy the known threat. In
addition, decisions must be made in the context of the impact that
actions will have on other related efforts, such as a law enforcement
investigation.
2. Recovering from damage and remediating vulnerabilities:
Once an incident is contained and mitigated, restoring damaged areas of
the network to return it to its baseline becomes a priority. To
understand the damage, a cyber damage or loss assessment may be
conducted to identify, among other things, how the incident was
discovered, what network(s) were affected, when the incident occurred,
who attacked the network and by what methods, what was the intention of
the attacker, what occurred during the attack, and what is the impact
or severity of the incident. The recovery efforts may involve restoring
or reinstalling computers, network devices, applications, or systems
that have been compromised.
Taking action to remediate vulnerabilities in a network may also result
from analysis and incident management. Entities work to discover and
reduce the number of vulnerabilities in their computers, network
devices, applications, or systems.
3. Evaluating actions and incorporating lessons learned:
Entities should ensure that threat data, results, and lessons learned
are evaluated and appropriately incorporated to improve the overall
cyber analysis and warning capability. For example, teams can be used
to simulate network threats by purposefully attacking a network in
order to see how the network responds. From these simulations, an
evaluation can be made about the response, and recommendations on how
to improve can be developed. In addition, cyber simulations allow
critical infrastructure organizations to prepare for threat scenarios
and to test analysis, warning, and response capabilities. NIST guidance
also states that holding lessons learned meetings after major incidents
is helpful in improving security measures and the incident handling
process itself.[Footnote 29]
US-CERT's Capabilities Include Some but Not All Aspects of Key
Attributes:
US-CERT has established cyber analysis and warning capabilities that
include aspects of each of the key attributes. However, they do not
fully incorporate all of them.
Monitoring Capability Includes Most but Not All Aspects of Key
Attributes:
US-CERT has established capabilities that include aspects of key
attributes of monitoring. For example, it obtains internal network
operation information via technical tools and Einstein; obtains
external information on threats, vulnerabilities, and incidents; and
detects anomalous activities based on the information it receives.
However, its capabilities do not fully incorporate all of the key
attributes of monitoring. For example, it has not established a
baseline of our nation's critical infrastructure information systems.
Table 6 shows our analysis of its monitoring capability.
Table 6: US-CERT Capabilities Include Most but Not All Aspects of
Monitoring:
Attribute: Establish a baseline understanding of network assets and
normal network traffic volume and flow;
Aspects incorporated: The organization has a limited baseline
understanding of network assets and normal network traffic volume
through the 16 federal participants in its situational awareness tool,
US-CERT Einstein. In addition, it receives additional network flow
information through contracts with information security vendors;
Aspects not incorporated: It does not have a comprehensive national-level
baseline across the nation's computer-reliant critical
infrastructure, including the information systems of federal civilian
and military entities, state and local governments, the private sector,
and other entities. For example, under Einstein, the organization
monitors 16 agencies, a practice that does not provide an overall view
of federal network traffic. In addition, the tool's current
capabilities are manually driven, thereby complicating and slowing the
collection and compilation of data.
Attribute: Assess risks to network assets;
Aspects incorporated: [Empty];
Aspects not incorporated: Though US-CERT is involved in cyber-related
risk assessment efforts being performed by other DHS organizations and
the private sector, it does not perform risk assessments.
Attribute: Obtain internal information on network operations via
technical tools and user reports;
Aspects incorporated: The organization obtains internal information
using security tools and user reports regarding its presence on the
Internet and its internal network operations;
Aspects not incorporated: Its ability to obtain real-time internal
traffic information is reduced by Einstein's limitation of requiring
manually intensive analysis.
Attribute: Obtain external information on threats, vulnerabilities, and
incidents;
Aspects incorporated: US-CERT monitors a variety of external
information sources, including network traffic data, incident reports,
and threat reports from federal, state, local, and foreign governments
and the private sector, such as the following:
* federal agencies providing an enhanced view of their networks through
participation in Einstein;
* various vendors providing Internet operational data;
* the Homeland Infrastructure Threat and Risk Analysis Center
(HITRAC),[A] law enforcement, and the intelligence community, providing
threat information and other data;
* federal agencies reporting information security incidents to the
organization, as required by the Federal Information Security
Management Act;[B]
* nonfederal entities voluntarily reporting incidents, malware, and
other information;
* foreign governments providing information on cyber incidents;
* CERT/CC providing vulnerability information; and
* other analysis and warning entities, including the Financial
Services-ISAC, Multistate ISAC, the Internet Storm Center, and information
security vendors, sharing incident and other situational awareness
information;
Aspects not incorporated: Its information does not encompass all
critical infrastructure information networks. For example, by
monitoring only 16 agencies, Einstein does not provide an overall view
of federal network traffic. Also, the Department of Energy and DOD use
their own similar situational awareness tools, but their data are not
currently combined with Einstein's data to provide a more complete view
of federal traffic. There are efforts under way to develop automated
information exchanges between DOD's system and Einstein, but as of
March 2008, this had not been finalized. Regarding nonfederal entities,
the organization does not directly monitor any private sector networks,
nor are nonfederal entities required to report to it incidents or
anomalous activity. Typically, nonfederal entities, including the
ISACs, that report incident and other data filter sensitive details
from the data reported.
Attribute: Detect anomalous activities;
Aspects incorporated: The organization detects anomalies based on its
monitoring of network traffic flow. Einstein provides network flow data
from 16 agencies with the primary goal of looking for unique activity
that may indicate a cyber attack or other undesirable activity.[C]
According to US-CERT officials, Einstein provides the participating
agencies a capability to compare their network traffic data with
activity at other federal agencies and against law enforcement and
intelligence agencies' threat data to determine if they are the victim
of serious attacks. In addition, it works with its various partners in
the private sector as well as other federal, state, and local
governments to determine the extent of abnormal behavior. For example,
the organization receives limited information from certain computer
security vendors regarding Internet traffic flow of their respective
customer bases;
Aspects not incorporated: The organization does not detect anomalies
across the nation's computer-reliant critical infrastructure. For
example, it does not directly monitor any private sector networks, nor
are nonfederal entities required to report incidents or anomalous
activity.
Source: GAO analysis.
[A] HITRAC is a fusion center of intelligence analysts from DHS's
Office of Intelligence and Analysis and subject matter experts from the
National Protection and Programs Directorate working together to
analyze threats, vulnerabilities, and risks to the 18 Critical
Infrastructure/Key Resource sectors of the United States. Additionally,
HITRAC focuses solely on analyzing and identifying the threat aspect of
cybersecurity incidents as they occur. HITRAC shares these threat data
with numerous customers, including US-CERT.
[B] The Federal Information Security Management Act requires the
operation of a central federal information security incident center. 44
U.S.C. 3546. The act also requires agencies to report incidents to the
organization, in addition to law enforcement agencies, relevant offices
of inspector general, and other designated entities. 44 U.S.C.
3544(b)(7).
[C] These data are analyzed for traffic patterns and behavior; this
information can be combined with other relevant data to (1) detect
potential deviations and identify how Internet activities are likely to
affect federal agencies and (2) provide insight into the health of the
Internet and suspicious activities.
[End of table]
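The baseline and detection attributes in table 6 amount to two comparisons: an agency's current flow volume against what is normal for that agency, and external activity seen at one agency against what other agencies are seeing. The following script, added here as an illustration and not code from the report or from the Einstein program, performs both over constructed flow summaries. The agency names, ports, byte counts and addresses are made up, and the robust-z threshold of 6 is an assumption chosen for the example.

```python
"""Baseline-and-deviation detection over flow summaries (added illustration).

All flow records below are constructed for the example; the agency names,
ports, byte counts and addresses are not data from the report.
"""
import random
from collections import defaultdict
from statistics import median

# Constructed history: 14 days of hourly per-port byte totals for three agencies.
AGENCIES = ["agency-a", "agency-b", "agency-c"]
PORTS = [25, 80, 443]
TYPICAL_BYTES = {25: 2_000_000, 80: 40_000_000, 443: 60_000_000}


def constructed_history(days=14, seed=7):
    """Return (agency, day, hour, port, bytes) rows jittered +/-15% around a typical volume."""
    rng = random.Random(seed)
    rows = []
    for agency in AGENCIES:
        for day in range(days):
            for hour in range(24):
                for port in PORTS:
                    base = TYPICAL_BYTES[port]
                    rows.append((agency, day, hour, port, int(base * rng.uniform(0.85, 1.15))))
    return rows


def build_baseline(history):
    """Per (agency, port): median and median absolute deviation (MAD) of hourly bytes.
    Median/MAD rather than mean/stdev, so a few past spikes do not inflate 'normal'."""
    series = defaultdict(list)
    for agency, _day, _hour, port, nbytes in history:
        series[(agency, port)].append(nbytes)
    baseline = {}
    for key, values in series.items():
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0  # guard against a zero MAD
        baseline[key] = (med, mad)
    return baseline


def volume_anomalies(baseline, current, k=6.0):
    """current: {(agency, port): bytes} for the hour under review.
    Flag entries whose robust z-score |x - median| / MAD exceeds k, and surface
    any (agency, port) with no baseline at all, since it cannot be judged."""
    flagged = []
    for key, nbytes in current.items():
        if key not in baseline:
            flagged.append((key, nbytes, None))
            continue
        med, mad = baseline[key]
        score = abs(nbytes - med) / mad
        if score > k:
            flagged.append((key, nbytes, round(score, 1)))
    return flagged


def cross_agency_sources(current_flows, min_agencies=2):
    """current_flows: (agency, external_src_ip, dst_port) tuples for the hour.
    Return external sources that touched at least min_agencies distinct agencies,
    the cross-agency view a single agency cannot produce on its own."""
    seen = defaultdict(set)
    for agency, src, _port in current_flows:
        seen[src].add(agency)
    return {src: sorted(agencies) for src, agencies in seen.items() if len(agencies) >= min_agencies}


if __name__ == "__main__":
    baseline = build_baseline(constructed_history())
    # Constructed current hour: agency-a's HTTPS volume is triple its norm.
    current = {("agency-a", 443): 3 * TYPICAL_BYTES[443], ("agency-b", 443): TYPICAL_BYTES[443]}
    print(volume_anomalies(baseline, current))
    # Constructed flows: one documentation-range source seen at two agencies.
    flows = [("agency-a", "198.51.100.9", 443), ("agency-b", "198.51.100.9", 443),
             ("agency-c", "192.0.2.5", 80)]
    print(cross_agency_sources(flows))
```

The history is generated rather than listed so that the baseline has enough samples for the median and MAD to be stable; in practice the same functions would consume exported flow summaries. A missing baseline is reported separately from a deviation because "no history for this port" is itself information the analyst needs.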
As part of the President's Cyber Initiative, DHS has a lead role for
several provisions that, if implemented appropriately, could address
key monitoring deficiencies, such as not having a comprehensive
national baseline and sufficient external information on threats,
vulnerabilities, and incidents. According to testimony by the Under
Secretary for the National Protection and Programs Directorate, the
initiative makes the Einstein program mandatory across all federal
agencies. In addition, DHS plans to enhance Einstein's capabilities to
be a real-time intrusion detection and situational awareness system.
Further, DHS, along with the Office of Management and Budget (OMB), is
responsible for working with federal agencies to reduce the number of
Trusted Internet Connections used by the federal government. According
to DHS and OMB officials, these initiatives will enhance the ability of
the US-CERT to monitor federal systems for cyber attacks and other
threats. According to US-CERT officials, the reduction in Trusted
Internet Connections, along with the positioning of Einstein in front
of those connections to the Internet, will help provide a
governmentwide baseline and view of the traffic entering and leaving
federal networks as well as access to the content of the traffic. In
addition, according to the Assistant Secretary for Cybersecurity and
Communications, the recently announced National Cybersecurity Center,
which reports directly to the Secretary of Homeland Security, will be
responsible for ensuring coordination among the cyber-related efforts
across the federal government, including improving the sharing of
incident and threat information. However, the efforts to use Einstein,
reduce Internet connections, and implement the National Cybersecurity
Center are in their early stages and have not yet been fully planned or
implemented, so whether these efforts will fully address all five of
the monitoring attributes is not known at this time.
Analysis Capability Does Not Fully Incorporate All Aspects of Key
Attributes:
US-CERT has established capabilities that include key attributes of
analysis. For example, it verifies anomalies, performs investigations,
and identifies possible courses of action. However, its capabilities do
not fully incorporate other attributes because of technical and human
resource constraints and the gaps in the monitoring capability. Table 7
shows our analysis of the organization's analysis capability.
Table 7: US-CERT Incorporates Some but Not All Aspects of Analysis:
Attribute: Verify that an anomaly is an incident (threat of attack or
actual attack);
Aspects incorporated: When an anomaly is detected or reported, US-CERT
works directly with its various public and private sector partners to
determine whether the anomaly is an incident. For example, it notifies
federal agencies when it observes abnormal activities. In turn, federal
agencies take the information provided and are to verify whether the
activity constitutes a cybersecurity incident and if any support is
required from US-CERT;
Aspects not incorporated: The lack of a robust monitoring capability
negatively affects the organization's ability to verify and investigate
anomalies and to identify threats. Specifically, although the Einstein
flow data are collected in real time, the actual analysis is manually
intensive and does not occur simultaneously or in real time. Another
limiting factor of Einstein data is that the organization is unable to
analyze the content of the potentially malicious traffic.
Attribute: Investigate the incident to identify the type of cyber
attack, estimate impacts, and collect evidence;
Aspects incorporated: The organization investigates incidents through
network and malware analysis. For example, it correlates Einstein
network traffic data with known vulnerabilities and threats to identify
abnormal activity, and then it focuses on identifying emerging threats,
ongoing trends, and intrusions that have already occurred. According to
agency officials, through the implementation of Einstein, the amount of
time needed to discover and understand a potential cyber attack and
communicate it to agencies has been significantly reduced from 4 to 5
days to 4 to 5 hours. In addition, according to US-CERT officials, its
malware analysis focuses on reverse engineering malicious code to
determine how the code works, its effect on a network or system, and
potentially who developed it. The organization receives the malware
code from a variety of sources, including its own monitoring, anonymous
submissions, and formal submissions from affected entities, such as
federal agencies, Internet service providers, and other entities. For
example, according to agency officials, they receive on average between
5,000 and 24,000 individual pieces of malware in a 24-hour period.
Additionally, as of April 2008, officials stated that the organization
had conducted analysis on 1,520,022 samples of malware code during
fiscal year 2008. To do this work, the organization has established a
segregated facility, or malware laboratory, that provides a controlled
environment to conduct detailed analysis on infected computer hardware
and software. According to officials, its malware capability has
provided value to federal and nonfederal partners because it can
analyze the potential impact of malware with the known threat
information received from its partners in the law enforcement and
intelligence communities;
Aspects not incorporated: The number of incidents that can be analyzed
at one time is limited.
Attribute: Identify possible actions to mitigate the impact of the
incident;
Aspects incorporated: US-CERT's analysts develop alternative actions
for stopping or controlling the threat. These alternatives are based on
risk, required resources, mission priorities, and existing network
requirements and limitations. Its network analysts work with all
US-CERT partners to identify possible courses of action and methods to
respond to cyber incidents. For example, in January 2008, an analysis
of malware discovered at a targeted federal agency led to the
identification of three zero-day exploits and a subsequent alert issued
to federal and nonfederal entities;
Aspects not incorporated: The organization's ability to develop
possible actions to mitigate the identified threat is limited by its
inability to engage other partners in analysis efforts because the
information may be sensitive or classified.
Attribute: Integrate results into predictive analysis of broader
implications or potential future attack;
Aspects incorporated: According to NCSD officials, the organization is
engaged in activities with other NCSD entities to develop more
strategic views of the nation's critical cyber infrastructures;
Aspects not incorporated: The organization does not possess the
capability to integrate its work into predictive analysis.
Source: GAO analysis.
[End of table]
As part of the Cyber Initiative, the organization has received
additional resources to develop the next version of the Einstein
situational awareness tool. According to US-CERT officials, this new
version, referred to as Einstein 2.0, will provide real-time intrusion
detection monitoring, a content analysis capability, and automated
analysis functions that are currently manual. In addition, it has
received authorization for an additional 30 government and 50
contractor employee full-time equivalents. According to US-CERT
officials, they plan to fill the additional positions by leveraging
graduates of the Scholarship for Service program, which provides
cybersecurity-related scholarships to students willing to serve the
federal government for a time commitment. However, these efforts are in
their early stages and have not yet been fully planned or implemented.
Consequently, whether these efforts will fully address all four of the
analysis attributes is not known at this time.
Warning Capability Exhibits Some but Not All Characteristics of Key
Attributes:
The organization has established capabilities that include key
attributes of warning. For example, it develops and distributes a
number of attack and other notifications targeted to different
audiences with varying frequency. However, according to customers,
these warning products are not consistently actionable and timely.
Table 8 shows our analysis of the organization's warning capability.
Tables 9 and 10 show types of warning products and the quantity of
products issued during fiscal year 2007.
Table 8: US-CERT Exhibits Some but Not All Aspects of Warning:
Attribute: Develop attack and other notifications that are targeted and
actionable;
Aspects incorporated: As tables 9 and 10 depict, the organization
develops various attack and other notifications for a varied set of
customers;
Aspects not incorporated: Officials from entities with robust cyber
analysis and warning capabilities, such as the ISACs, DOD, and the
Department of Energy, stated that the organization's notifications
typically did not offer new or additional information beyond their own
efforts.
Attribute: Provide notifications in a timely manner;
Aspects incorporated: The organization is occasionally able to provide
notifications to certain customers in a timely manner. For example,
officials from organizations with limited cyber analysis and warning
capabilities stated that certain US-CERT notifications, especially
those warnings with For Official Use Only (FOUO) information, were
extremely timely;
Aspects not incorporated: The organization is not consistently able to
provide notifications in a timely manner. Its ability to disseminate
timely notifications is hindered by a number of factors. First, as the
national cyber analysis and warning organization, it must ensure a high
level of accuracy in the products it releases. In order to avoid
disseminating incomplete or inaccurate information, its warning
products are subjected to a review process, which can prevent their
rapid dissemination. Further, the sensitivity of information can be a
hindrance. Specifically, highly sensitive information must be
coordinated with other components as part of the review process, which
can add days to the release time. Finally, dissemination efforts are
limited by lack of performance measures that assess or provide feedback
on the value of US-CERT products.
Attribute: Distribute notifications using appropriate communications
methods;
Aspects incorporated: As table 9 depicts, the organization distributes
a wide array of attack and other "warning" products through various
mechanisms to a diverse set of customers;
Aspects not incorporated: According to NCSD officials, the organization
is refining its distribution lists and collaborating with various
federal and nonfederal user groups to better ensure appropriate
officials (those having the understanding and ability to appropriately
respond) receive its notifications.
Source: GAO analysis.
[End of table]
Table 9: US-CERT Warning Products, Fiscal Year 2007:
US-CERT products: Situational awareness report;
Product audience: Federal government: [Check];
Product audience: GFIRST[A]: [Check];
Product audience: Select international partners[B]: [Check];
Product audience: ISACs[C]: [Check];
Product audience: General public: [Empty];
Distribution mechanism: US-CERT Web site: [Check];
Distribution mechanism: US-CERT HSDN Web site[D]: [Check];
Distribution mechanism: US-CERT HSIN portal[E]: [Empty];
Distribution mechanism: NCAS[F]: [Empty];
Distribution mechanism: E-mail distribution: [Empty];
Distribution mechanism: RSS feeds[G]: [Empty];
Frequency: Daily: [Empty];
Frequency: Weekly: [Empty];
Frequency: Every other week: [Empty];
Frequency: Monthly: [Check];
Frequency: Quarterly: [Empty];
Frequency: As needed: [Check].
US-CERT products: Federal information notice;
Product audience: White House: [Check];
Product audience: Federal government: [Check];
Product audience: GFIRST[A]: [Check];
Product audience: Select international partners[B]:
Product audience: ISACs[C]: [Empty];
Product audience: General public: [Empty];
Distribution mechanism: US-CERT Web site: [Empty];
Distribution mechanism: US-CERT HSDN Web site[D]: [Check];
Distribution mechanism: US-CERT HSIN portal[E]: [Check];
Distribution mechanism: NCAS[F]: [Empty];
Distribution mechanism: E-mail distribution: [Check];
Distribution mechanism: RSS feeds[G]: [Empty];
Frequency: Daily: [Empty];
Frequency: Weekly: [Empty];
Frequency: Every other week: [Empty];
Frequency: Monthly: [Empty];
Frequency: Quarterly: [Empty];
Frequency: As needed: [Check].
US-CERT products: Critical infrastructure information notice;
Product audience: White House: [Check];
Product audience: Federal government: [Empty];
Product audience: GFIRST[A]: [Empty];
Product audience: Select international partners[B]: [Check];
Product audience: ISACs[C]: [Check];
Product audience: General public: [Empty];
Distribution mechanism: US-CERT Web site: [Empty];
Distribution mechanism: US-CERT HSDN Web site[D]: [Check];
Distribution mechanism: US-CERT HSIN portal[E]: [Check];
Distribution mechanism: NCAS[F]: [Empty];
Distribution mechanism: E-mail distribution: [Check];
Distribution mechanism: RSS feeds[G]: [Empty];
Frequency: Daily: [Empty];
Frequency: Weekly: [Empty];
Frequency: Every other week: [Empty];
Frequency: Monthly: [Empty];
Frequency: Quarterly: [Empty];
Frequency: As needed: [Check].
US-CERT products: Public trends and analysis report;
Product audience: White House: [Empty];
Product audience: Federal government: [Check];
Product audience: GFIRST[A]: [Check];
Product audience: Select international partners[B]: [Check];
Product audience: ISACs[C]: [Check];
Product audience: General public: [Check];
Distribution mechanism: US-CERT Web site: [Check];
Distribution mechanism: US-CERT HSDN Web site[D]: [Check];
Distribution mechanism: US-CERT HSIN portal[E]: [Check];
Distribution mechanism: NCAS[F]: [Empty];
Distribution mechanism: E-mail distribution: [Empty];
Distribution mechanism: RSS feeds[G]: [Empty];
Frequency: Daily: [Empty];
Frequency: Weekly: [Empty];
Frequency: Every other week: [Empty];
Frequency: Monthly: [Empty];
Frequency: Quarterly: [Check];
Frequency: As needed: [Empty].
US-CERT products: Technical information paper;
Product audience: White House: [Check];
Product audience: Federal government: [Check];
Product audience: GFIRST[A]: [Check];
Product audience: Select international partners[B]: [Check];
Product audience: ISACs[C]: [Check];
Product audience: General public: [Check];
Distribution mechanism: US-CERT Web site: [Check];
Distribution mechanism: US-CERT HSDN Web site[D]: [Check];
Distribution mechanism: US-CERT HSIN portal[E]: [Check];
Distribution mechanism: NCAS[F]: [Empty];
Distribution mechanism: E-mail distribution: [Empty];
Distribution mechanism: RSS feeds[G]: [Empty];
Frequency: Daily: [Empty];
Frequency: Weekly: [Empty];
Frequency: Every other week: [Empty];
Frequency: Monthly: [Empty];
Frequency: Quarterly: [Empty];
Frequency: As needed: [Check].
US-CERT products: Cyber daily briefing;
Product audience: White House: [Empty];
Product audience: Federal government: [Empty];
Product audience: GFIRST[A]: [Check];
Product audience: Select international partners[B]: [Empty];
Product audience: ISACs[C]: [Check];
Product audience: General public: [Empty];
Distribution mechanism: US-CERT Web site: [Empty];
Distribution mechanism: US-CERT HSDN Web site[D]: [Empty];
Distribution mechanism: US-CERT HSIN portal[E]: [Check];
Distribution mechanism: NCAS[F]: [Empty];
Distribution mechanism: E-mail distribution: [Check];
Distribution mechanism: RSS feeds[G]: [Empty];
Frequency: Daily: [Check];
Frequency: Weekly: [Empty];
Frequency: Every other week: [Empty];
Frequency: Monthly: [Empty];
Frequency: Quarterly: [Empty];
Frequency: As needed: [Empty].
US-CERT products: Non-technical alerts;
Product audience: White House: [Empty];
Product audience: Federal government: [Empty];
Product audience: GFIRST[A]: [Empty];
Product audience: Select international partners[B]: [Empty];
Product audience: ISACs[C]: [Empty];
Product audience: General public: [Check];
Distribution mechanism: US-CERT Web site: [Check];
Distribution mechanism: US-CERT HSDN Web site[D]: [Check];
Distribution mechanism: US-CERT HSIN portal[E]:
Distribution mechanism: NCAS[F]: [Check];
Distribution mechanism: E-mail distribution: [Check];
Distribution mechanism: RSS feeds[G]:
Frequency: Daily: [Empty];
Frequency: Weekly: [Empty];
Frequency: Every other week: [Empty];
Frequency: Monthly: [Empty];
Frequency: Quarterly: [Empty];
Frequency: As needed: [Check].
US-CERT products: Technical alerts;
Product audience: White House: [Check];
Product audience: Federal government: [Check];
Product audience: GFIRST[A]: [Check];
Product audience: Select international partners[B]: [Check];
Product audience: ISACs[C]: [Check];
Product audience: General public: [Check];
Distribution mechanism: US-CERT Web site: [Check];
Distribution mechanism: US-CERT HSDN Web site[D]: [Check];
Distribution mechanism: US-CERT HSIN portal[E]:
Distribution mechanism: NCAS[F]: [Check]; [Empty];
Distribution mechanism: E-mail distribution: [Check];
Distribution mechanism: RSS feeds[G]: [Check];
Frequency: Daily: [Empty];
Frequency: Weekly: [Check];
Frequency: Every other week: [Empty];
Frequency: Monthly: [Empty];
Frequency: Quarterly: [Empty];
Frequency: As needed: [Check].
US-CERT products: Security bulletins;
Product audience: White House: [Check];
Product audience: Federal government: [Check];
Product audience: GFIRST[A]: [Check];
Product audience: Select international partners[B]: [Check];
Product audience: ISACs[C]: [Check];
Product audience: General public: [Check];
Distribution mechanism: US-CERT Web site: [Check];
Distribution mechanism: US-CERT HSDN Web site[D]: [Check];
Distribution mechanism: US-CERT HSIN portal[E]:
Distribution mechanism: NCAS[F]: [Check];
Distribution mechanism: E-mail distribution: [Check];
Distribution mechanism: RSS feeds[G]: [Check];
Frequency: Daily: [Empty];
Frequency: Weekly: [Check];
Frequency: Every other week: [Empty];
Frequency: Monthly: [Empty];
Frequency: Quarterly: [Empty];
Frequency: As needed: [Empty].
US-CERT products: Security tips;
Product audience: White House: [Empty];
Product audience: Federal government: [Empty];
Product audience: GFIRST[A]: [Empty];
Product audience: Select international partners[B]: [Empty];
Product audience: ISACs[C]: [Empty];
Product audience: General public: [Check];
Distribution mechanism: US-CERT Web site: [Check];
Distribution mechanism: US-CERT HSDN Web site[D]:
Distribution mechanism: US-CERT HSIN portal[E]:
Distribution mechanism: NCAS[F]: [Check];
Distribution mechanism: E-mail distribution: [Check];
Distribution mechanism: RSS feeds[G]: [Check];
Frequency: Daily: [Empty];
Frequency: Weekly: [Empty];
Frequency: Every other week: [Check];
Frequency: Monthly: [Empty];
Frequency: Quarterly: [Empty];
Frequency: As needed: [Empty].
US-CERT products: Current activity;
Product audience: White House: [Check];
Product audience: Federal government: [Check];
Product audience: GFIRST[A]: [Check];
Product audience: Select international partners[B]: [Check];
Product audience: ISACs[C]: [Check];
Product audience: General public: [Check];
Distribution mechanism: US-CERT Web site: [Check];
Distribution mechanism: US-CERT HSDN Web site[D]: [Check];
Distribution mechanism: US-CERT HSIN portal[E]:
Distribution mechanism: NCAS[F]: [Empty];
Distribution mechanism: E-mail distribution: [Check];
Distribution mechanism: RSS feeds[G]: [Check];
Frequency: Daily: [Check];
Frequency: Weekly: [Empty];
Frequency: Every other week: [Empty];
Frequency: Monthly: [Empty];
Frequency: Quarterly: [Empty];
Frequency: As needed: [Check].
US-CERT products: Vulnerability notes;
Product audience: White House: [Check];
Product audience: Federal government: [Check];
Product audience: GFIRST[A]: [Check];
Product audience: Select international partners[B]: [Check];
Product audience: ISACs[C]: [Check];
Product audience: General public: [Check];
Distribution mechanism: US-CERT Web site: [Check];
Distribution mechanism: US-CERT HSDN Web site[D]: [Check];
Distribution mechanism: US-CERT HSIN portal[E]:
Distribution mechanism: NCAS[F]: [Empty];
Distribution mechanism: E-mail distribution: [Check];
Distribution mechanism: RSS feeds[G]: [Check];
Frequency: Daily: [Empty];
Frequency: Weekly: [Empty];
Frequency: Every other week: [Empty];
Frequency: Monthly: [Empty];
Frequency: Quarterly: [Empty];
Frequency: As needed: [Check].
Source: US-CERT:
[A] Government Forum of Incident Response and Security Teams (GFIRST)
is a group of technical and tactical practitioners from government
agency security response teams responsible for securing government
information technology systems.
[B] Select international partners including Australia, Canada, New
Zealand, and the United Kingdom.
[C] Information sharing and analysis center.
[D] Homeland Secure Data Network (HSDN) is a secure portal that
provides the ability to share information at the Secret category level
among other federal, state, and local government entities.
[E] DHS considers the Homeland Security Information Network (HSIN) to
be its primary communication application for transmitting sensitive but
unclassified information. According to DHS, this network is an
encrypted, unclassified, Web-based communications application that
serves as DHS's primary nationwide information-sharing and
collaboration tool. It is intended to offer both real-time chat and
instant messaging capability, as well as a document library that
contains reports from multiple federal, state, and local sources.
[F] DHS established the National Cyber Alert System (NCAS) to deliver
targeted, timely, and actionable information to the public on how to
secure computer systems. Information provided by the alert system is
designed to be understandable by all computer users, both technical and
nontechnical.
[G] Really Simple Syndication (RSS) is a format for gathering and
making available content from Web sites. RSS can be used to provide any
kind of information that can be broken down into discrete items and put
into RSS format, typically called an RSS feed. Software is available
that can periodically check RSS feeds for changes, download new items,
and make them available to the users.
[End of table]
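Footnote [G] describes the consumer side of the RSS distribution mechanism: software that periodically checks a feed, picks out the items it has not seen, and makes them available. The following is an added example of such a poller, written for this section; it is not US-CERT, NCAS, or DHS software. The feed it reads is constructed for the example, and the item titles, links, and GUIDs are placeholders rather than real alerts. It keeps a set of seen GUIDs as state between polls so that a restart does not replay old alerts, and it reports the age of each item so a recipient can judge how stale a warning is when it finally arrives, which is the timeliness concern raised later in this report.

```python
"""Poll an RSS alert feed and return only items not seen before.

Added example for this section; it is not US-CERT's, NCAS's, or DHS's
software. The feed below is constructed for the example, and the titles,
links, and GUIDs are placeholders rather than real alerts.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
import xml.etree.ElementTree as ET

# Constructed sample feed. Items are listed newest first, as feeds usually are.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Example alert feed (constructed)</title>
    <item>
      <title>Example alert B</title>
      <link>https://example.invalid/alerts/B</link>
      <guid>alert-B</guid>
      <pubDate>Tue, 15 Jul 2008 14:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Example alert A</title>
      <link>https://example.invalid/alerts/A</link>
      <guid>alert-A</guid>
      <pubDate>Mon, 14 Jul 2008 09:30:00 GMT</pubDate>
    </item>
  </channel>
</rss>
"""


def parse_feed(xml_text):
    """Return feed items as dicts, oldest first.

    xml.etree does not fetch external entities, but a feed from an untrusted
    source should still be parsed with defusedxml, which also rejects entity
    expansion attacks; the stdlib parser is used here to keep the example
    dependency-free.
    """
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        pub = item.findtext("pubDate")
        items.append({
            # guid is optional in RSS 2.0; fall back to the link as identity.
            "guid": item.findtext("guid") or item.findtext("link"),
            "title": item.findtext("title", ""),
            "link": item.findtext("link", ""),
            "published": parsedate_to_datetime(pub) if pub else None,
        })
    epoch = datetime.min.replace(tzinfo=timezone.utc)
    items.sort(key=lambda i: i["published"] or epoch)
    return items


def new_items(xml_text, seen_guids):
    """Return items whose guid is not yet in seen_guids and record them.

    seen_guids is the poller's state between runs; persist it (a file or a
    small database) so that restarting the poller does not replay old alerts.
    """
    fresh = [i for i in parse_feed(xml_text) if i["guid"] not in seen_guids]
    seen_guids.update(i["guid"] for i in fresh)
    return fresh


def age_hours(item, now):
    """Hours between an item's publication time and `now` (aware datetime)."""
    return (now - item["published"]).total_seconds() / 3600


if __name__ == "__main__":
    seen = set()
    for entry in new_items(SAMPLE_FEED, seen):
        print(entry["published"].isoformat(), entry["title"], entry["link"])
    print("second poll returns", len(new_items(SAMPLE_FEED, seen)), "new items")
```

In practice the feed text would come from an HTTPS fetch of the publisher's feed URL on a timer, and the seen-GUID set would be written to disk after each poll; the identity check uses guid rather than title because publishers routinely revise titles of an alert they have already issued.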
Table 10: Quantity of US-CERT Warning Products, Fiscal Year 2007:
Product: Public trends and analysis reports;
Quantity: 4;
Interval: Quarterly.
Product: Vulnerability notes;
Quantity: 353;
Interval: As needed.
Product: Situational awareness reports (SAR);
Quantity: 83;
Interval: As needed.
Product: Federal information notices (FIN);
Quantity: 7;
Interval: As needed.
Product: Technical information papers (TIP);
Quantity: 8;
Interval: As needed.
Product: Critical infrastructure information notices (CIIN);
Quantity: 9;
Interval: As needed.
Product: Security bulletins;
Quantity: 52;
Interval: Weekly.
Product: Technical alerts;
Quantity: 39;
Interval: As needed.
Product: Nontechnical alerts;
Quantity: 27;
Interval: As needed.
Product: Current activity;
Quantity: 260;
Interval: As needed.
Product: Cyber daily briefings;
Quantity: 356;
Interval: Daily.
Source: US-CERT.
[End of table]
As part of the Cyber Initiative, enhancements to the Einstein program and
the reduction in the number of Trusted Internet Connections could yield
more complete data. According to US-CERT officials, the improved data
will lead to an enhanced warning capability that could provide the
ability to issue targeted and actionable alerts in advance of actual
cyber attacks. However, these efforts are in their early stages and have
not yet been fully planned or implemented; thus, it is not clear whether
they will fully address the three warning attributes.
Response Capability Satisfies Some but Not All Aspects of Key
Attributes:
US-CERT possesses a limited response capability to assist other
entities in the containment, mitigation, and recovery from significant
cyber incidents. For example, while it provides on-site assistance to
various entities, its ability to provide response at the national level
is hindered by limitations in the resources available and authority
over affected entities. Table 11 shows our analysis of its response
capability.
Table 11: US-CERT Satisfies Some but Not All Aspects of Response:
Attribute: Contain and mitigate the incident;
Aspects incorporated: The organization assists entities in federal,
state, and local governments as well as the private sector with the
containment and mitigation of cybersecurity incidents as they occur, on
a requested basis. According to agency officials, US-CERT routinely
deploys its two digital media analysis teams to perform on-site
response to serious incidents. These teams have the capabilities and
depth of knowledge to perform detailed analysis on compromised media
(e.g., hard drives and thumb drives). For example, as of April 2008,
the organization had provided on-site incident response eight times for
fiscal year 2008, making about 30 visits to various federal agencies to
address incidents dealing with unauthorized access, malware activity,
as well as misconfigured network devices. Also, in November 2007, the
organization deployed at least one response team to each of five
different federal agencies over 5 consecutive days; In addition, the
Law Enforcement and Intelligence branch works with organizations such
as the Federal Bureau of Investigation and United States Secret Service
to contain incidents on a global scale using established relationships
with other nations. According to officials, the organization has also
assisted at the international level, most recently deploying officials
to Estonia to help its government improve its cybersecurity posture
after suffering a major cyber attack; Further, DHS, in conjunction with
DOD and the Department of Justice, formed the NCRCG to coordinate the
federal response to cyber incidents of national significance. During a
significant national incident, the NCRCG is to provide subject matter
expertise, recommendations, and strategic policy support to the
Secretary of Homeland Security. At the time of our review, the senior-
level membership had coordinated and communicated about incidents;
however, there had not been a cyber incident of national significance
to activate these procedures;
Aspects not incorporated: Though the organization is responsible for
responding to national-level incidents, it does not possess the
authority to compel an agency or organization to take action.
Attribute: Recover from damages and remediate vulnerabilities;
Aspects incorporated: The organization routinely deploys its two
digital media analysis teams to perform on-site response to serious
incidents at federal agencies. According to agency officials, these
teams focus on serious incidents, typically involving advanced threats,
such as those propagated by nation states as well as advanced malware
attacks;
Aspects not incorporated: To handle a cyber attack that affects
multiple entities across the nation, officials stated that the
organization would need at least three additional digital media
analysis teams.
Attribute: Evaluate actions and incorporate lessons learned;
Aspects incorporated: US-CERT has identified shortcomings in its
processes, communications methods, and policies by conducting exercises
that simulate a national-level incident. For example, once a digital
media team has completed its on-site response assistance, it generates
an after-action report that summarizes what steps were taken and any
further suggested actions for the affected organization. In addition,
during Cyber Storm II, which occurred in March 2008, the organization
identified a number of issues for improvement that will be addressed in
after-action reports and tracked to ensure changes occur;
Aspects not incorporated: While it measures certain items, such as the
number and type of products it distributes, the organization has not
established performance measures to determine the effectiveness of its
efforts. According to US-CERT officials, other than an occasional
statement of appreciation from other organizations, they do not know
who benefits from their efforts or who uses their products.
Source: GAO analysis.
[End of table]
To improve the organization's response capability, US-CERT officials
stated that they needed to perform internal exercises that test its
national-level response capability more often than every 2 years, as is
the case with the Cyber Storm exercise.[Footnote 30] It plans to
develop "tabletop" exercises to more frequently test its response
capabilities. In addition, according to NCSD officials, they are
working collaboratively with other federal and nonfederal working
groups to improve their performance measures so that they can
understand the value and use of their products and make continuous
improvements. However, until they do so, it is not clear whether these
efforts will lead to US-CERT fully addressing the three response
attributes.
US-CERT Faces New and Ongoing Challenges to Fulfilling Its Mission:
US-CERT faces a number of newly identified and ongoing challenges that
impede it from fully implementing the key attributes and in turn
establishing cyber analysis and warning capabilities essential to
coordinating the national effort to prepare for, prevent, and respond
to cyber threats. The new challenge is creating warnings that are
actionable and timely--it does not consistently issue warnings and other
notifications that its customers find useful. In addition, US-CERT
continues to face four challenges that we previously identified: (1)
employing predictive cyber analysis, (2) developing more trusted
relationships to encourage information sharing, (3) having sufficient
analytical and technical capabilities, and (4) operating without
organizational stability and leadership within DHS. Until DHS addresses
these challenges and fully incorporates all key attributes into its
capabilities, it will not have the full complement of cyber analysis
and warning capabilities essential to effectively performing its
national mission.
New Challenge Involves Creating Warnings That Are Actionable and
Timely:
Developing and disseminating cyber threat warnings to enable customers
to effectively mitigate a threat in advance of an attack can be
challenging for US-CERT. According to the organization's Acting
Deputy Director, it serves as the nation's cyber analysis and warning
center and must ensure that its warnings are accurate. In addition,
owners of classified or law enforcement information must review and
agree to the release of related information. Therefore, the
organization's products are subjected to a stringent review and
revision process that could adversely affect the timeliness of its
products--potentially adding days to the release if classified or law
enforcement information must be removed from the product. For example,
an official from a cybersecurity-focused organization at a university
stated that the alerts from US-CERT generally arrive a day or two after
they might have been helpful. An official from another private entity
stated that the bureaucratic process US-CERT must follow prevents it
from providing useful alerts in a timely manner and that as a result,
it does not have the credibility to drive a reaction when an alert is
finally issued. Another private sector official stated that, in some
cases, the organization gets information on cyber incidents and attacks
faster from media sources than US-CERT because its analysts need time
to verify the reliability of the data they receive.
In addition, according to federal officials responsible for determining
cyber-related threats, US-CERT, as well as other organizations with
cybersecurity-related responsibilities, must also balance the need to
develop and release warnings with the activities of other
organizations, such as law enforcement and intelligence support, to
identify and mitigate cyber threats. For example, the release of a
warning to address a threat or attack may also alert the intruders that
their methods have been discovered and cause them to change their
methods prior to the completion of an investigation about their
activities.
Further, when there is sensitive information to share, US-CERT
officials stated that on numerous occasions, they were unable to share
the details of threats to customers' networks because no one within the
federal agency or nonfederal entity possessed a security clearance high
enough to receive the information. In some organizations, the
individuals who do possess security clearances are in the upper
echelons of the organization and do not possess a cyber or information
security background. As a result, they are not always able to
accurately comprehend and relay the threat information to those who
would actually handle the mitigation efforts. In September 2007, we
reported that DHS lacked a rapid, efficient process for disseminating
sensitive information to private industry owners and operators of
critical infrastructures.[Footnote 31] We recommended that DHS
establish a rapid and secure process for sharing sensitive
vulnerability information with critical infrastructure stakeholders,
including vendors, owners, and operators; however, DHS has not yet
fulfilled this recommendation.
To provide actionable information to its customers, the organization
attempts to combine incident information with related cyber threat
information to determine the seriousness of the attack. However,
according to the Acting Director of US-CERT, its efforts are limited by
other federal entities' abilities to determine specific cyber threats
to the nation's critical infrastructure. One reason for the lack of
cyber threat data is that the task is complex and difficult and there
are no established, generally accepted methodologies for performing
such analysis. In addition, such entities are hampered by the limited
number of analysts dedicated to cyber threat identification. For
example, in January 2008, the Director of HITRAC stated that only 5
percent of HITRAC's total number of analyst positions was focused on
analyzing and identifying cyber threats to our nation's critical
information infrastructure. According to the director, it had received
approval to double the number of cyber-related analysts and was in the
process of filling those positions. In addition, the director stated
that HITRAC's primary focus is on identifying physical threats.
Ongoing Challenges Involve Establishing Predictive Analysis, Trusted
Relationships, Analytical and Technical Capabilities, and a Stable
Organization:
US-CERT faces ongoing challenges that we identified in previous reports
as impeding DHS's ability to fulfill its cyber critical infrastructure
protection responsibilities.
Employing predictive cyber analysis--US-CERT has been unable to
establish the solid foundation needed to perform predictive cyber
analysis that would enable it to determine any broader implications
from ongoing network activity, predict or protect against future
threats, or identify emerging attack methods prior to an attack. Since
2001, we have identified the challenges associated with establishing
strategic, predictive analysis and warning and have made
recommendations that responsible executive branch officials and
agencies establish such capabilities, including developing
methodologies.[Footnote 32] According to the Acting Director of US-
CERT, it has not been able to establish such capabilities because there
is not a generally accepted methodology for performing predictive cyber
analysis and warning. In addition, officials from US-CERT and other
federal and nonfederal entities with cyber analysis and warning
capabilities stated that while they can determine the motivations for
the various threat sources to use cyber attacks, it is a formidable
task to foresee prior to attacks how those threats would actually
conduct attacks and to establish indicators to recognize that such
cyber attacks are about to occur. Also, the relative newness of the
cyber analysis and warning discipline and immaturity of the related
methodologies and tools add to the complexity.
Developing more trusted relationships to encourage information sharing-
-Implementing cyber analysis and warning capabilities, including all of
the key attributes, requires that entities be willing and able to share
information, including details about incidents, threats,
vulnerabilities, and network operations. However, US-CERT continues to
be challenged to develop relationships with external sources that would
encourage information sharing. For example, nonfederal entities do not
consistently fully disclose incident and other data--they filter
sensitive details from the data reported, thus reducing its value to US-
CERT. The lack of such relationships negatively affects the
organization's cyber analysis and warning capability.
In 2005, we reported that entities within critical infrastructure
sectors possess an inherent disincentive to share cybersecurity
information with DHS.[Footnote 33] Much of their concern was that the
potential release of sensitive information could increase the threat
they face. In addition, when information was shared, it was not clear
whether the information would be shared with other entities, such as
other federal entities, state and local entities, law enforcement, or
various regulators, or how it would be used or protected from
disclosure. Alternatively, sector representatives expressed concerns
that DHS was not effectively communicating information with them and
had not matched private sector efforts to share valuable information
with a corresponding level of trusted information sharing. We also
identified information sharing in support of homeland security as a
high-risk area in 2005, and we noted that establishing an effective two-
way exchange of information to help detect, prevent, and mitigate
potential terrorist attacks requires an extraordinary level of
cooperation and perseverance among federal, state, and local
governments and the private sector.[Footnote 34]
Federal and nonfederal officials raised similar concerns about the
ability to develop trusted relationships and share information with and
between cyber analysis and warning entities, including US-CERT. For
example, frequent staff turnover at NCSD and US-CERT hindered the
ability to build trusted relationships with both public and private
entities. Federal and nonfederal officials stated that reliance was
placed on personal relationships to support sharing of sensitive
information about cybersecurity and cyber incidents. However, according
to the NCSD director, six senior staff members within the Office of
Cybersecurity and Communications (the national focal point for
addressing cybersecurity issues) were leaving for various reasons,
affecting the ability to develop such relationships. In addition,
private sector officials stated that their organizations continued to
be hesitant to share information on vulnerabilities and threats because
of the fear that such sharing might negatively affect their financial
bottom line. For example, private sector officials stated that it was
difficult to share unfiltered information with their respective
infrastructure sector ISAC because a competitor operated the ISAC, thus
negatively affecting the information received by US-CERT.
Having sufficient analytical and technical capabilities--Obtaining and
retaining adequately trained cyber analysts and acquiring up-to-date
technological tools to implement the analysis capability attributes is
an ongoing challenge to US-CERT and other analysis and warning centers,
hindering their ability to respond to increasingly fast, nimble, and
sophisticated cyber attacks. As we have reported, NCSD has had
difficulty hiring personnel to fill vacant positions.[Footnote 35] We
reported that once it found qualified candidates, some candidates
decided not to apply or withdrew their applications because it took too
long to be hired. This is still a concern because current staff has
limited organizational backup and, in some cases, performs multiple
roles. In addition, a private sector official stated that it is not
clear whether the government has the number of technical analysts
necessary to analyze the large and complex data sets that are generated
whether or not an incident is in progress.
Keeping cyber analysts trained and up to date on the latest
cybersecurity tools and techniques can be difficult. For example, a DOD
official representing one of its cyber analysis and warning centers
stated that its analysts must develop their expertise on the job
because there is no formal training program available that teaches them
how to detect and perform analysis of an anomaly or intrusion. A
private sector official stated that while analysts are often trained to
use existing tools, their understanding of the key attributes of
analysis is often limited, resulting in a solution too late to be
helpful.
Analysts also need the appropriate technological tools to handle the
volume, velocity, and variety of malicious data and activity they are
faced with, according to federal officials. For example, although the
Einstein flow data are collected in real time, the actual analysis is
manually intensive and does not occur simultaneously or in real time.
Another limiting factor of Einstein data is that US-CERT is unable to
analyze the content of the potentially malicious traffic and must rely
on the affected agency to perform any analysis of the content of the
traffic. Thus both the reaction time to determine the intent of the
anomalous activity and the necessary actions to address it are
significantly slowed. In addition, officials from one private sector
entity questioned if agencies can sufficiently protect their networks
using the tools they are mandated to use.
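The paragraph above makes two points about flow data of the kind Einstein collects: analysis of it is manual, and it carries no packet content. The following is an added example, written for this section and not Einstein or US-CERT code, of two checks that can run automatically over flow records: detection of near-periodic connections from one host to one destination (beacon-like behavior) and detection of hosts whose outbound byte count is far above the others. The flow records are constructed for the example and use documentation address ranges. The checks show both what flow metadata can reveal without content and where they stop: either finding is only a lead, and determining what the traffic actually carried still requires content analysis by whoever holds the packets, which is the handoff the report describes.

```python
"""Two checks that can be run automatically over flow records.

Added example; this is not Einstein or US-CERT code. Flow records hold only
metadata (time, endpoints, port, byte count), so these checks can flag a
suspicious pattern but cannot establish what the traffic carried. That
determination needs content analysis by whoever holds the packets.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed flow records: (start_seconds, src, dst, dst_port, bytes_out).
# Addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_FLOWS = [
    # 10.0.0.5: small flows to one external host every ~300 s (beacon-like)
    (0,    "10.0.0.5", "203.0.113.7", 443, 612),
    (301,  "10.0.0.5", "203.0.113.7", 443, 598),
    (599,  "10.0.0.5", "203.0.113.7", 443, 604),
    (902,  "10.0.0.5", "203.0.113.7", 443, 610),
    (1200, "10.0.0.5", "203.0.113.7", 443, 590),
    (1498, "10.0.0.5", "203.0.113.7", 443, 601),
    # 10.0.0.2 and 10.0.0.3: ordinary browsing, irregular timing and sizes
    (15,   "10.0.0.2", "198.51.100.10", 443, 48210),
    (70,   "10.0.0.2", "198.51.100.11", 80,  12033),
    (640,  "10.0.0.2", "198.51.100.10", 443, 91500),
    (1330, "10.0.0.2", "198.51.100.12", 443, 6300),
    (200,  "10.0.0.3", "198.51.100.13", 443, 22000),
    (950,  "10.0.0.3", "198.51.100.10", 443, 80750),
    # 10.0.0.9: one very large outbound transfer to an external SSH port
    (700,  "10.0.0.9", "198.51.100.4", 22, 52_000_000),
]


def find_beacons(flows, min_flows=5, max_cv=0.05):
    """Flag (src, dst, port) groups whose flow start times are near-periodic.

    A coefficient of variation of the inter-flow gaps at or below max_cv means
    the gaps are almost constant, which is typical of malware check-ins and
    rare for human-driven traffic. Returns (key, mean gap in s, cv) tuples.
    """
    starts = defaultdict(list)
    for t, src, dst, port, _ in flows:
        starts[(src, dst, port)].append(t)
    beacons = []
    for key, times in starts.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps, not a period
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append((key, round(avg), round(cv, 3)))
    return beacons


def find_volume_outliers(flows, factor=10):
    """Flag sources whose total outbound bytes exceed factor x the median host.

    The median is used rather than the mean so that one huge transfer does not
    drag the baseline up and hide itself.
    """
    totals = defaultdict(int)
    for _, src, _, _, nbytes in flows:
        totals[src] += nbytes
    baseline = median(totals.values())
    return sorted((src, total) for src, total in totals.items()
                  if total > factor * baseline)


if __name__ == "__main__":
    for key, period, cv in find_beacons(SAMPLE_FLOWS):
        print("beacon-like:", key, "period ~%ds, cv=%.3f" % (period, cv))
    for src, total in find_volume_outliers(SAMPLE_FLOWS):
        print("volume outlier:", src, total, "bytes out")
    print("flow data carry no payload; refer findings for content analysis")
```

Both thresholds (five flows with gaps varying by 5 percent or less; ten times the median host's outbound volume) are assumptions chosen for the constructed data and would be tuned against a real baseline, which is exactly the baseline understanding of normal traffic the report finds US-CERT lacks.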
As part of the efforts to address the President's Cyber Initiative, US-
CERT recently received approval to fill 80 new positions--30 government
and 50 contractor--and is attempting to fill these analytical positions
by extending offers to candidates in the National Science Foundation's
Scholarship for Service Program. However, these positions have yet to
be completely filled with qualified candidates.
Operating without organizational stability and authority--We have
identified challenges regarding DHS's organizational stability,
leadership, and authority that affect US-CERT's ability to successfully
perform its mission. In the past, we have reported that the lack of
stable leadership has diminished NCSD's ability to maintain trusted
relationships with its infrastructure partners and has hindered its
ability to adequately plan and execute activities.[Footnote 36] While
DHS has taken steps to fill key positions, organizational instability
among cybersecurity officials continues to affect NCSD and thus US-
CERT. For example, at least six senior staff members were leaving DHS's
Office of Cybersecurity and Communications, including the NCSD
Director. Losing senior staff members in such large numbers has
negatively affected the agency's long-term planning and hampered the
ability of NCSD/US-CERT to establish trusted relationships with public
and private entities and to build adequate functions to carry out its
mission, including expanded cyber analysis and warning capabilities,
according to the official.
Furthermore, when new senior leadership has joined DHS, NCSD/US-CERT's
objectives were reassessed and redirected, thus affecting NCSD's
ability to have a consistent long-term strategy, according to the
former official. For example, senior officials wanted to broaden the
role and focus of US-CERT by having it provide centralized network
monitoring for the entire federal government on a 24-hour-a-day, 7-day-
a-week basis. However, the Director of NCSD disagreed with this
strategy, stating that each federal agency should have its own 24-hour-
a-day, 7-day-a-week incident-handling capability (either in-house or
contracted out) to respond to incidents affecting its own network. He
viewed US-CERT as a fusion center that would provide analysis and
warning for national-level incidents, support federal agency incident-
handling capabilities during crisis situations, and offer a mechanism
for federal agencies to coordinate with law enforcement.
The organization's future position in the government's efforts to
establish a national-level cyber analysis and warning capability is
uncertain. Specifically, Homeland Security Presidential Directive 23,
which is classified, creates questions about US-CERT's future role as
the focal point for national cyber analysis and warning. In addition,
DHS established a new National Cybersecurity Center at a higher
organizational level, which may diminish the Assistant Secretary of
Cyber Security and Communications' authority as the focal point for the
federal government's cybersecurity-related critical infrastructure
protection efforts, and thus US-CERT's role as the central provider of
cyber analysis and warning capabilities across federal and nonfederal
critical infrastructure entities.
As stated above, we did not make new recommendations in 2005 regarding
cyber analysis and warning because our previous recommendations had not
yet been fully implemented. At the time, we did recommend that the
Secretary of Homeland Security require NCSD to develop a prioritized
list of key activities for addressing the underlying challenges related
to information sharing, hiring staff with appropriate capabilities, and
organizational stability and authority. In addition, we recommended
that performance measures and milestones for performing activities to
address these challenges be identified. However, since that time, DHS
has not provided evidence that it has taken actions on these
activities.
Conclusions:
In seeking to counter the growing cyber threats to the nation's
critical infrastructures, DHS has established a range of cyber analysis
and warning capabilities, such as monitoring federal Internet traffic
and the issuance of routine warnings to federal and nonfederal
customers. However, while DHS has actions under way aimed at helping US-
CERT better fulfill attributes identified as critical to demonstrating
a capability, US-CERT still does not exhibit aspects of the attributes
essential to having a truly national capability. It lacks a
comprehensive baseline understanding of the nation's critical
information infrastructure operations, does not monitor all critical
infrastructure information systems, does not consistently provide
actionable and timely warnings, and lacks the capacity to assist in
mitigation and recovery in the event of multiple, simultaneous
incidents of national significance.
Planned actions could help to mitigate deficiencies. For example, as
part of the Cyber Initiative, US-CERT plans to enhance its Einstein
situational awareness tool so that it has real-time intrusion detection
monitoring, a content analysis capability, and automated analysis
functions. By placing the tool in front of Trusted Internet
Connections, officials expect to obtain a governmentwide baseline view
of the traffic and content entering and leaving federal networks. US-
CERT also plans to hire 80 additional cyber analysts and to increase
the frequency of exercises that test its national-level response
capability.
However, at this point, it is unclear whether these actions will help
US-CERT--or whatever organizational structure is ultimately charged
with coordinating national cyber analysis and warning efforts--achieve
the objectives set forth in policy. DHS faces a number of challenges
that impede its ability to achieve its objectives, including fostering
trusted relationships with critical infrastructure sectors, hiring and
retaining skilled cyber analysts, ensuring that US-CERT warning
products provide useful information in advance of attacks, enhancing
predictive analysis, and ensuring that any changes brought about by
HSPD 23 are marked by well-defined and transparent lines of authority
and responsibility. We identified most of these challenges in our prior
reviews and made broad recommendations to address them. DHS's actions
to address these challenges have not been adequate. Because of this,
addressing these challenges is as critical as ever to overcome the
growing and formidable threats against our nation's critical cyber
infrastructure. If these challenges are not addressed, US-CERT will not
be able to provide an effective national cyber analysis and warning
capability.
Recommendations for Executive Action:
We recommend that the Secretary of Homeland Security take four actions
to fully establish a national cyber analysis and warning capability.
Specifically, the Secretary should address deficiencies in each of the
attributes identified for:
* monitoring, including establish a comprehensive baseline
understanding of the nation's critical information infrastructure and
engage appropriate nonfederal stakeholders to support a national-level
cyber monitoring capability;
* analysis, including expanding its capabilities to investigate
incidents;
* warning, including ensuring consistent notifications that are
targeted, actionable, and timely; and:
* response, including ensuring that US-CERT provides assistance in the
mitigation of and recovery from simultaneous severe incidents,
including incidents of national significance.
We also recommend that the Secretary address the challenges that impede
DHS from fully implementing the key attributes, including the following
six items:
* engaging appropriate stakeholders in federal and nonfederal entities
to determine ways to develop closer working and more trusted
relationships;
* expeditiously hiring sufficiently trained cyber analysts and
developing strategies for hiring and retaining highly qualified cyber
analysts;
* identifying and acquiring technological tools to strengthen cyber
analytical capabilities and handling the steadily increasing workload;
* developing predictive analysis capabilities by defining terminology,
methodologies, and indicators, and engaging appropriate stakeholders in
other federal and nonfederal entities;
* filling key management positions and developing strategies for hiring
and retaining those officials; and:
* ensuring that there are distinct and transparent lines of authority
and responsibility assigned to DHS organizations with cybersecurity
roles and responsibilities, including the Office of Cybersecurity and
Communications and the National Cybersecurity Center.
Agency Comments and Our Evaluation:
In written comments on a draft of this report (see app. II), signed by
the Director of DHS's GAO/OIG Liaison Office, the department concurred
with 9 of our 10 recommendations. It also described actions planned and
under way to implement the 9 recommendations. In particular, the
department said that to fully establish a cyber analysis and warning
capability, it plans to continue expansion of the Einstein intrusion
detection system and increase US-CERT's staffing. In addition, to
address the challenges that impede DHS from fully implementing key
cyber analysis and warning attributes, the department stated that it
plans to continue to build new relationships and grow existing ones
with stakeholders. Further, to strengthen its analysis and warning
capability and develop its predictive analysis capability, the
department cited, among other things, its planned implementation of an
upgraded version of Einstein.
DHS took exception to our last recommendation, stating that the
department had developed a concept-of-operations document that clearly
defined roles and responsibilities for the National Cybersecurity
Center and NCSD. However, this concept-of-operations document is still
in draft, and the department could not provide a date for when the
document would be finalized and implemented.
DHS also commented on the report's description of US-CERT as "the
center." Specifically, DHS was concerned that referring to US-CERT as
the center might lead to confusion with the department's newly
established National Cybersecurity Center. DHS requested that we remove
references to US-CERT as the center. We agree with this comment and
have incorporated it in the report where appropriate.
In addition to its written response, the department provided technical
comments that have been incorporated in the report where appropriate.
We also incorporated technical comments provided by other entities
involved in this review.
As agreed with your office, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days
from the report date. At that time, we will send copies of this report
to interested congressional committees, the Secretary of Homeland
Security, and other interested parties. We also will make copies
available to others upon request. In addition, this report will be
available at no charge on GAO's Web site at [hyperlink,
http://www.gao.gov].
If you or your staff have any questions about this report, please
contact David Powner at (202) 512-9286, or pownerd@gao.gov, or Dr.
Nabajyoti Barkakati at (202) 512-4499, or barkakatin@gao.gov. Contact
points for our Offices of Congressional Relations and Public Affairs
may be found on the last page of this report. Major contributors to
this report are listed in appendix III.
Signed by:
David A. Powner:
Director, Information Technology Management Issues:
Signed by:
Dr. Nabajyoti Barkakati:
Acting Chief Technologist:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
Our objectives were to (1) identify key attributes of cyber analysis
and warning capabilities, (2) compare these attributes with the United
States Computer Emergency Readiness Team's (US-CERT) current analysis
and warning capabilities to identify whether there are gaps, and (3)
identify US-CERT's challenges to developing and implementing key
attributes and a successful national cyber analysis and warning
capability.
To identify key attributes of cyber analysis and warning capabilities,
we identified entities based on our previous work related to cyber
critical infrastructure protection, information security, and
information sharing and analyzed relevant laws, strategies, and
policies. In addition, we solicited suggestions from a variety of
sources familiar with cyber analysis and warning organizations,
including GAO's chief information technology officer and members of our
Executive Council on Information Management and Technology, which is a
group of executives with extensive experience in information technology
management who advise us on major information management issues
affecting federal agencies. On the basis of the entities identified, we
selected those that were relevant and agreed to participate. We then
gathered and analyzed policies, reports, and surveys; made site visits
to observe the operation of cyber analysis and warning capabilities;
conducted structured interviews; and received written responses to
structured interview questions. These activities were performed, as
appropriate, at the following entities:
* Department of Defense: Commander and Deputy Commander of the Joint
Task Force--Global Network Operations and Director of the Defense
Information Systems Agency; Commanding Officer, Navy Cyber Defense
Operations Command; Chief Information Officer and Electronic Data
Service officials of the Navy's Global Network Operations Center. We
also toured the Joint Task Force's Global Network Operations Center;
the Navy's Cyber Defense Operation Command Center; and the Navy Marine
Corps Intranet Network's Operations Center, Computer Incident Response
Team Laboratory, Request Management Center, and Enterprise Global
Networks Operations Center.
* Department of Energy: the Associate Chief Information Officer for
Cyber Security for the Department of Energy and other relevant
officials, and the Chief Information Officer of the National Nuclear
Security Administration and other relevant officials.
* Department of Homeland Security: the Director of the National Cyber
Security Division, the Acting Director of the National Cyber Security
Division, and the Acting Director of US-CERT.
* National Institute of Standards and Technology: the Director of the
Information Technology Laboratory and officials from the Information
Technology Laboratory's Computer Security Division.
* Private sector: Carnegie Mellon University's CERT® Coordination
Center, Internet Storm Center, LUMETA, Microsoft, MITRE, National
Association of State Chief Information Officers, SANS Institute, SRI
International, and Symantec.
* Information sharing and analysis centers representing the following
sectors: financial services, information technology, states, surface
transportation, and research and education.
* Federal agencies in the intelligence community.
On the basis of the evidence gathered and our observations regarding
each entity's capabilities and operations, we determined the key common
attributes of cyber analysis and warning capabilities. To verify the
attributes we identified, we solicited comments from each entity
regarding the attributes identified and incorporated the comments as
appropriate.
To determine US-CERT's current national analysis and warning
capabilities and compare them with the attributes identified to
determine whether there were any gaps, we gathered and analyzed a
variety of US-CERT policies, procedures, and program plans to identify
the organization's key activities related to cyber analysis and
warning. We also observed US-CERT operations. In addition, we held
interviews with key US-CERT officials, including the Director and
Acting Director of the National Cyber Security Division, the Acting
Director and Deputy Director of the US-CERT, and other relevant
officials, to further clarify and confirm the key initiatives we
identified through our analysis of the aforementioned documents. In
addition, we interviewed the Director of Intelligence for the
Department of Homeland Security's Homeland Infrastructure Threat and
Risk Analysis Center to determine that organization's interaction with
US-CERT and its role regarding identifying cyber threats. We also
interviewed the Deputy Director of the Department of Homeland
Security's National Cybersecurity Center to obtain information about
its concept-of-operations document. We then compared those activities
to the key attributes of cyber analysis and warning capabilities in
order to determine US-CERT's ability to provide cyber analysis and
warning and identify any related gaps.
To identify US-CERT's challenges to developing and implementing the key
attributes and a successful national cyber analysis and warning
capability, we gathered and analyzed relevant documents, such as past
GAO reports and studies by various cybersecurity-related entities, and
interviewed key federal and nonfederal officials regarding the
challenges associated with cyber analysis and warning. On the basis of
the information received and our knowledge of the issues, we determined
the major challenges to developing and implementing the key attributes
and a successful national cyber analysis and warning capability.
We performed this performance audit between June 2007 and July 2008 in
the Washington, D.C., metropolitan area; Atlanta, Georgia; Bloomington,
Indiana; Pittsburgh, Pennsylvania; and Norfolk, Virginia; in accordance
with generally accepted government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
[End of section]
Appendix II: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
[hyperlink, http://www.dhs.gov]
July 2, 2008:
Mr. David Powner:
Director:
Information Technology Management Issues:
United States Government Accountability Office:
441 G Street, N.W.
Washington, DC 20001:
Dear Mr. Powner:
Re: Draft Report GAO-08-588, Cyber Analysis and Warning: DHS Faces
Challenges in Establishing a Comprehensive National Capability (GAO Job
Code 310851):
The Department of Homeland Security (DHS) appreciates the opportunity
to review and comment on the subject draft report. We recognize that
cyber threats are growing and are increasing in sophistication and
accuracy. We also realize that as technology advances and our
dependence on an interconnected cyberspace grows, the risks associated
with cyber threats increase. The Department's National Protection and
Programs Directorate (NPPD) National Cyber Security Division (NCSD) and
its United States Computer Emergency Readiness Team (US-CERT) [Footnote
37] are significantly changing and growing to address these cyber
threats.
The federal government has undertaken a National Cybersecurity
Initiative (NCI), which includes programs that strengthen US-CERT's
capabilities for analyzing malicious activity, issuing warnings, and
responding to incidents. With its newly expanded mission, budget and
staff and a more customer-driven and outcome oriented culture, US-CERT
will continue to increase its cyber analysis and warning capabilities.
As US-CERT moves forward, the organization will work to address various
recommendations set forth by GAO.
US-CERT is continually working to establish more effective outcome
measures that will inform our program delivery and focus our resources
on the most prevalent and highest risk issues. In addition to metrics
analysis, US-CERT will continue to work with partners to determine how
we can address the deficiencies identified by the GAO.
GAO Recommendation 1: We recommend that the Secretary of Homeland
Security, to fully establish a national cyber analysis and warning
capability, specifically address deficiencies in monitoring, including
establish a comprehensive baseline understanding of the nation's
critical information infrastructure and engage appropriate nonfederal
stakeholders to support a national-level cyber monitoring capability.
Response: US-CERT concurs with this recommendation. Under the NCI, US-
CERT is expanding its initial EINSTEIN program, referred to as EINSTEIN
1. The expanded program, referred to as EINSTEIN 2, is a 24x7 intrusion
detection system that gathers network flow data from federal agencies
and analyzes traffic patterns and behaviors. To improve US-CERT's
capability to maintain situational awareness, all federal executive
agencies, in accordance with the Office of Management and Budget (OMB)
November 20, 2007, Memorandum M-08-05, Implementation of Trusted
Internet Connection, will be required to use EINSTEIN 2. This expanded
use of EINSTEIN 2 enables the US-CERT to gain increased situational
awareness from all the federal executive agencies and fulfill its
mandate to act as a central point for computer network security of the
federal enterprise.
US-CERT does not directly monitor malicious activity involving
nonfederal networks. However, NPPD and US-CERT actively reach out to
private sector partners via various mechanisms to develop a baseline
understanding of the nation's critical information infrastructure. NPPD
Protective Security Advisors (PSAs) within the Office of Infrastructure
Protection are located in field offices across the country and
regularly conduct site visits to assess vulnerabilities, including
cyber vulnerabilities, at Critical Infrastructure/Key Resource (CIKR)
facilities. Further, NCSD co-chairs the Cross Sector Cyber Security
Working Group under the National Infrastructure Protection Plan (NIPP)
Framework, which includes representatives from all CIKR sectors and
provides a monthly venue for engagement, collaboration and information
sharing on cyber security issues.
A specific example of how the Department identifies specific
vulnerabilities in the Nation's critical information infrastructure is
the AURORA scenario, which involves the protective control systems used
in the Nation's electric power grid. As soon as DHS identified this
vulnerability, a Tiger Team of subject matter experts from government
and industry was convened to determine the scope, potential
consequences of this vulnerability, and to develop a better system for
guiding private industry efforts to secure control systems. DHS is
currently working with its government and industry partners to closely
monitor this vulnerability, assess the risk it poses, and take
appropriate proactive measures.
GAO Recommendation 2: We recommend that the Secretary of Homeland
Security, to fully establish a national cyber analysis and warning
capability, specifically address deficiencies in analysis, including
expanding its capabilities to investigate incidents.
Response: We concur and are actively implementing improvements that
will address the recommendation. Since January 2008, there has been an
increase in funding of $115M in Fiscal Year 2008 for US-CERT. This
funding includes salaries and benefits for 35 additional federal
personnel and related costs, which will allow US-CERT to increase its
cyber analysis and warning capabilities.
Much of the increased funding will be focused on developing and
deploying EINSTEIN 2. EINSTEIN 2, like EINSTEIN 1, will continue to
passively observe network traffic to and from participating federal
executive agencies' networks. In addition, EINSTEIN 2 will alert when
specific malicious network activity is detected and provide US-CERT
with increased insight into the nature of that activity. Through
EINSTEIN 2, US-CERT will be able to analyze malicious activity
occurring across the federal IT networks resulting in improved computer
network security situational awareness. This increase in situational
awareness can then be shared with federal executive agencies in an
effort to reduce and prevent computer network vulnerabilities.
EINSTEIN 2 adds to EINSTEIN 1 a network intrusion detection technology
that will monitor for malicious activity in network traffic to and from
participating federal executive agencies. EINSTEIN 2 will alert US-CERT
when the system identifies malicious network traffic occurring in a
federal executive agency's network in response to specific predefined
signatures. By scanning communications during transmission, EINSTEIN 2
identifies harmful communications that warrant analysis. A US-CERT
analyst may then query that specific information in EINSTEIN 2 to
analyze the potentially harmful network traffic identified by the
alert.
EINSTEIN 2 is to augment -- not replace or reduce -- the current
computer network security practices of participating federal executive
agencies. Participating agencies will continue to operate their own
intrusion detection and prevention systems, perform network monitoring,
and use other information security technologies. EINSTEIN 2 enables US-
CERT to correlate activity across the entire federal enterprise. With
the enhanced correlation capability, US-CERT achieves increased
situational awareness of federal executive agency computer networks
which is required to perform the computer network security
responsibilities assigned to DHS.
GAO Recommendation 3: We recommend that the Secretary of Homeland
Security, to fully establish a national cyber analysis and warning
capability, specifically address deficiencies in warning, including
ensuring consistent notifications that are targeted, actionable, and
timely.
Response: We concur with the recommendation. A key goal of US-CERT is
to ensure that alerts, Critical Infrastructure Information Notices
(CIINs) in particular, reach the appropriate stakeholders. US-CERT
recognizes the importance of targeted information sharing and is
working with NCSD's Outreach and Awareness Program and other cross
sector working groups to increase awareness and communication channels.
The following communication channels are currently used for
notification and activation in the event of a Cyber Incident:
* The National Cyber Alert System: This system provides an
infrastructure, managed by US-CERT, for relaying timely and actionable
computer security updates and warning information to all users.
* National Operations Center: This is the primary national-level hub
for domestic incident management communications and operations.
* Homeland Security Information Network (HSIN) Critical Sector (CS):
This communications network provides States and critical infrastructure
owners and operators with real-time interactive connectivity to the
National Operations Center (NOC) on a Sensitive-but-Unclassified (SBU)
level to all users. HSIN-CS is the NOC's primary suite of tools for
information sharing, coordination, planning, mitigation, and response.
* US-CERT Portal: This secure collaboration tool enables private and
public sectors to actively share information about cyber security
vulnerabilities, exploits, and incidents in a trusted and secure
environment among members.
* US-CERT Public Web Site: [hyperlink, http://www.uscert.gov] provides
the primary means for US-CERT to convey information to the public at
large. The site includes relevant information on cyber security issues,
cyber activity, and vulnerability resources.
* Information Sharing and Analysis Centers (ISACs): Through secure
websites and secure e-mail, information on infrastructure threats and
vulnerabilities is provided to the members.
We do not agree with the report's repeated description of US-CERT's
warnings and notifications as "not consistently actionable or timely
(i.e., providing the right information to the right person or group
when needed)." We believe this statement inaccurately generalizes all
US-CERT products. While US-CERT is charged with analyzing cyber threats
and disseminating warning information, it relies on other stakeholders
and entities such as ISACs, State, local, and tribal entities to review
and maintain an accurate list of members who disseminate information to
the correct personnel within their organization.[Footnote 38]
GAO Recommendation 4: We recommend that the Secretary of Homeland
Security, to fully establish a national cyber analysis and warning
capability, specifically address deficiencies in response, including
ensuring that US-CERT provides assistance in the mitigation and
recovery from simultaneous severe incidents, including incidents of
national significance.
Response: We concur and are actively implementing improvements for
addressing the recommendation. While the Department is constantly
enhancing its capabilities and currently increasing its budget and
staffing, we do have recent examples of success in mitigating the
effects of cyber incidents.
The GAO report mentioned the May 2007 denial-of-service cyber attack in
Estonia; US-CERT successfully mitigated the effects of this attack. Bot-
networks were flooding Estonia's IT systems with traffic, causing a
denial of service for many of their government sites. US-CERT
coordinated with its federal, international, and private sector
partners to identify over 2,500 unique sources from 21 NATO countries
participating in the attacking botnets on Estonia. The information was
shared with military, intelligence, law enforcement, and US-CERT
personnel from NATO member nations.
The GAO report also mentioned the Cyber Storm II exercise. The Cyber
Storm II exercise, hosted by the Department of Homeland Security,
helped participating organizations, public and private, prepare for,
respond to, and mitigate cyber attacks that could affect their ability
to deliver critical services. This exercise is one of DHS's primary
methods for enhancing crisis management and improving risk management
across all participating organizations and highlights the
interdependencies that exist between cyber and physical infrastructure.
The exercise included elements of the private sector in the
transportation, chemical, information technology, and communications
sectors as well as federal agencies and departments and several
international partners.
Also, EINSTEIN has proven successful in enhancing security within the
federal government. Through the Department of Transportation's (DOT's)
participation in the EINSTEIN program, US-CERT was able to quickly
detect malicious activity and prevent it from infecting other
government computers. In this case, a computer worm had infected an
unsecured government computer in a U.S. Government agency. When the
worm attempted to attack DOT's network, EINSTEIN detected the unusual
traffic, and the subsequent US-CERT investigation uncovered the worm
and worked with the affected departments and agencies to prevent its
spread.
GAO Recommendation 5: We recommend that the Secretary address the
challenges that impede DHS from fully implementing the key attributes,
including engaging appropriate stakeholders in federal and nonfederal
entities to determine ways to develop closer working and more trusted
relationships.
Response: We concur and are actively implementing approaches for
addressing the recommendation. Significant progress has been made in
establishing or strengthening relationships with stakeholders, both
internationally and domestically. The Department will continue to build
new relationships and grow existing ones.
US-CERT coordinates information sharing and incident response
activities with international partners to improve cyber incident
response at the international level. US-CERT representatives
participate in conferences to enhance international cyber coordination.
US-CERT also meets individually with other countries' CERTs to discuss
cyber incident mitigation and response strategies.
NCSD is committed to providing timely and actionable information on
cyber incidents so that State cyber security responders can take
appropriate action. Also, the information provided by State/local
partners supplies important situational awareness for NCSD. There are
channels in place that DHS uses to disseminate cyber information to
State and local homeland security stakeholders.
* Government Forum of Incident Response and Security Teams (GFIRST):
NCSD recently extended GFIRST membership to State and local
governments. This is very significant as it links technical cyber
experts in federal agencies with their counterparts in State/local
governments and provides State/local governments access to tools and
additional technical analysis. The GFIRST forum provides these
technical experts with a collaborative space that will increase States'
situational awareness of cyber incident response activity. US-CERT
products and alerts are sent via the US-CERT-managed GFIRST portal.
* Multi-State Information Sharing and Analysis Center (MS-ISAC): The MS-
ISAC membership is comprised of cyber officials from all States. NCSD
provides funding to the MS-ISAC to assist with State/local coordination
and information sharing on operational and other cyber security
activities. NCSD provides a dedicated secure compartment within the US-
CERT portal to enable collaboration among the State/local community and
with NCSD/US-CERT. NCSD uses the Portal to both coordinate cyber
awareness activities and initiatives, as well as disseminate critical
cyber alerts and information. The MS-ISAC also maintains a distribution
list of State and local points of contact, which allows NCSD to reach
out to State/local decision makers regarding challenges, needs, and
opportunities. In addition, NCSD participates in monthly calls with MS-
ISAC membership and provides updates on Department activities and works
with State/local representatives through established working groups
that meet via monthly conference calls.
* Lessons Learned Information Sharing: NCSD has created a cyber
security page on the LLIS.GOV site, which all homeland security
personnel at the State and local level can access. NCSD populated this
page with information regarding exercise after action reports,
awareness materials, policies, plans, and other information on cyber
security. States can post their best practices and materials here as
well.
* Direct Contact: NCSD/US-CERT maintains positive relationships with
numerous State points of contact and communicates/collaborates with
them directly on a variety of topics.
GAO Recommendation 6: We recommend that the Secretary address the
challenges that impede DHS from fully implementing the key attributes,
including expeditiously hiring sufficiently trained cyber analysts and
developing strategies for hiring and retaining highly qualified cyber
analysts.
Response: We concur with the recommendation, and a strategy is already
in place to address this need. DHS has recently entered into a contract
to develop and implement a recruitment strategy to assist with cyber-
related vacancies. NPPD has established an agreement with the Office of
Personnel Management (OPM) to put a contracted human capital team in
place to support the hiring requirement.
Vacancies are posted through a variety of internal and external
mechanisms, including less traditional federal government venues, such
as recruiting websites and various local newspapers. DHS and US-CERT
participate in various career fairs and accept referrals from other
agencies and employees. Graduating students are also targeted through
the Scholarship for Service program.
GAO Recommendation 7: We recommend that the Secretary address the
challenges that impede DHS from fully implementing the key attributes,
including identifying and acquiring technological tools to strengthen
cyber analytical capabilities and handling the steadily increasing
workload.
Response: We concur and are actively implementing approaches that
address the recommendation. As described above, US-CERT is implementing
an upgraded version of Einstein. Einstein 2 is an automated process for
collecting, correlating, analyzing, and sharing computer security
information across the Federal government so that Federal agencies are
aware, in near real-time, of threats to infrastructure and can act
swiftly to take corrective measures. It will incorporate network
intrusion detection technology capable of alerting US-CERT to the
presence of malicious or potentially harmful computer network activity
in Federal executive agencies' network traffic.
In addition to implementing US-CERT's Einstein 2, DHS' Office of
Science and Technology (S&T) and CS&C collaborate on cyber research and
development (R&D) priorities to identify and develop technological
tools to strengthen cyber analytical capabilities. Specifically, S&T
created an Integrated Product Team (IPT) process to ensure proponents
of R&D requirements, such as CS&C, are able to provide their
requirements to S&T (i.e., existing capability shortfalls). A Research,
Development, Test and Evaluation (RDT&E) program was established by S&T
to address these requirements. CS&C developed a list of cyber security
RDT&E requirements for the NCI, which are in the process of being
forwarded to S&T. These cyber related RDT&E requirements for critical
infrastructures have been developed in a government-industry consensus
process and are specified in the R&D portions of the Communications and
IT Sector Specific Plans.
GAO Recommendation 8: We recommend that the Secretary address the
challenges that impede DHS from fully implementing the key attributes,
including developing predictive analysis capabilities by defining
terminology, methodologies, and indicators, and engaging appropriate
stakeholders in other federal and nonfederal entities.
Response: We concur and are actively implementing approaches that
address the recommendation. EINSTEIN 2 uses anomaly-based detection
methods to identify harmful or malicious computer network incidents.
Anomaly-based detection is defined in NIST Special Publication 800-94
as "the process of comparing definitions of what activity is
considered normal against observed events to identify significant
deviations."
While an intrusion detection system uses a defined set of rules or
filters that have been crafted to catch a specific, malicious event,
the EINSTEIN 2 anomaly detection capability utilizes the network flow
data and alerts to focus on the system's baseline of normal activity.
As described above, behavior that varies from this standard is noted.
Intrusion detection systems look for a misuse signature and anomaly
detection looks for a strange event.
NCSD is also working with other Departmental and Interagency components
to develop the strategic analysis of the Nation's critical cyber
infrastructure, integrating all relevant and appropriate sources of
information to support predictive analysis. NCSD is also seeking to
engage stakeholders in other federal and nonfederal agencies to provide
them with actionable information based on this predictive analysis.
GAO Recommendation 9: We recommend that the Secretary address the
challenges that impede DHS from fully implementing the key attributes,
including filling key management positions and developing strategies
for hiring and retaining those officials.
Response: We concur with this recommendation. However, it is important
to note that since the Exit Conference NCSD has filled several key
management positions, including the positions of NCSD Director, US-CERT
Director of Operations, and NCSD Chief of Staff. Further, DHS has
recently entered into a contract to develop and implement a recruitment
strategy to assist with cyber-related vacancies. NPPD has established
an agreement with the Office of Personnel Management (OPM) to put a
contracted human capital team in place to support the hiring
requirement.
GAO Recommendation 10: We recommend that the Secretary address the
challenges that impede DHS from fully implementing the key attributes,
including ensuring that there are distinct and transparent lines of
authority and responsibility assigned to DHS organizations with
cybersecurity roles and responsibilities, including the Office of Cyber
Security and Communications and the National Cyber Security Center.
Response: We do not concur with this recommendation. During the time
period that GAO conducted their Cyber Analysis and Warning review,
extensive interagency collaboration and coordination took place. This
resulted in a NCSC Concept of Operations (CONOPS) with clearly defined
roles and responsibilities for NCSC and NCSD. NCSC coordinates cyber
security efforts and improves situational awareness and information
sharing to support the entities defending government networks, such as
US-CERT. US-CERT's ability to synthesize information and provide
situational awareness will be enhanced through its work with the NCSC.
The NCSC does not duplicate the roles and responsibilities of the
participating organizations, such as US-CERT, but supports them in
their mission and ensures coordination and shared cyber security
situational awareness across these organizations.
Sincerely,
Signed by:
Jerald E. Levine:
Director:
Departmental GAO/OIG Liaison Office
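The letter's contrast between intrusion detection rules crafted for a specific event and flow-based detection against a baseline of normal activity, as an added illustration that is not EINSTEIN 2's, NIST's or DHS's code: constructed flow records, one hypothetical signature rule, and a per-host baseline from which deviating flows, and hosts that have no baseline at all, are flagged.

```python
from statistics import mean, pstdev

# Constructed flow records for this example: (source_host, dst_port, bytes_out).
BASELINE_FLOWS = [
    ("10.0.0.5", 443, 1000), ("10.0.0.5", 443, 1200), ("10.0.0.5", 443, 1100),
    ("10.0.0.5", 443, 900), ("10.0.0.5", 443, 1300),
]
OBSERVED_FLOWS = [
    ("10.0.0.5", 443, 1150),  # ordinary traffic for this host
    ("10.0.0.5", 443, 9000),  # far above this host's baseline
    ("10.0.0.7", 6667, 300),  # host never seen before; port named in a rule
]
# Hypothetical signature rule: a fixed pattern crafted for one specific event.
SIGNATURE_RULES = [{"name": "suspicious-port", "dst_port": 6667}]


def signature_matches(flows, rules=SIGNATURE_RULES):
    """Misuse detection: (flow, rule name) for each flow matching a crafted rule."""
    return [(flow, rule["name"]) for flow in flows for rule in rules
            if flow[1] == rule["dst_port"]]


def build_baseline(flows):
    """Definition of 'normal': per-host mean and spread of bytes sent per flow."""
    per_host = {}
    for host, _port, nbytes in flows:
        per_host.setdefault(host, []).append(nbytes)
    # Floor the spread at 1 byte so a constant host still yields a finite score.
    return {h: (mean(v), max(pstdev(v), 1.0)) for h, v in per_host.items()}


def anomalies(flows, baseline, threshold=3.0):
    """Anomaly detection: flag flows that deviate from the baseline, and hosts
    for which no definition of normal exists (no baseline, no comparison)."""
    flagged = []
    for flow in flows:
        host, _port, nbytes = flow
        if host not in baseline:
            flagged.append((flow, "no baseline for host"))
            continue
        avg, spread = baseline[host]
        z = (nbytes - avg) / spread
        if abs(z) > threshold:
            flagged.append((flow, f"z-score {z:.1f} exceeds {threshold}"))
    return flagged


if __name__ == "__main__":
    print("signature hits:", signature_matches(OBSERVED_FLOWS))
    print("anomalies:", anomalies(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS)))
```

The signature rule catches only the event it was written for, while the baseline catches the oversized transfer no rule describes; a host with no baseline cannot be scored at all, which is the gap the report notes for US-CERT.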
[End of section]
Appendix III: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
David A. Powner, (202) 512-9286 or pownerd@gao.gov:
Dr. Nabajyoti Barkakati, (202) 512-4499 or barkakatin@gao.gov:
Staff Acknowledgments:
In addition to the persons named above, Neil Doherty, Michael Gilmore,
Barbarol James, Kenneth A. Johnson, Kush K. Malhotra, Gary Mountjoy,
Jennifer Stavros-Turner, and Amos Tevelow made key contributions to
this report.
[End of section]
Footnotes:
[1] Nonfederal entities include state and local governments, private
sector entities, and academic institutions.
[2] Critical infrastructure is systems and assets, whether physical or
virtual, so vital to the United States that their incapacity or
destruction would have a debilitating impact on national security,
national economic security, national public health or safety, or any
combination of those matters. There are 18 critical infrastructure
sectors: agriculture and food; banking and finance; chemical;
commercial facilities; communications; critical manufacturing; dams;
defense industrial base; emergency services; energy; government
facilities; information technology; national monuments and icons;
nuclear reactors, materials, and waste; postal and shipping; public
health and health care; transportation systems; and water.
[3] Statement of the Director of National Intelligence before the
Senate Select Committee on Intelligence, Annual Threat Assessment of
the Director of National Intelligence for the Senate Select Committee
on Intelligence (Feb. 5, 2008).
[4] Robert McMillan, "Seagate Ships Virus-Laden Hard Drives," InfoWorld
(San Francisco, California: InfoWorld Media Group, Nov. 12, 2007),
[hyperlink, http://www.infoworld.com/article/07/11/12/Seagate-ships-virus-laden-hard-drives_1.html]
(accessed Apr. 9, 2008).
[5] GAO, Critical Infrastructure Protection: Department of Homeland
Security Faces Challenges in Fulfilling Cybersecurity Responsibilities,
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-434] (Washington,
D.C.: May 26, 2005).
[6] GAO, Critical Infrastructure Protection: Multiple Efforts to Secure
Control Systems Are Under Way, but Challenges Remain, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-08-119T] (Washington, D.C.: Oct.
17, 2007).
[7] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-119T].
[8] Computer Emergency Response Team of Estonia, "Malicious Cyber
Attacks Against Estonia Come from Abroad," April 29, 2007, and Remarks
by Homeland Security Secretary Michael Chertoff to the 2008 RSA
Conference, April 8, 2008.
[9] Office of the Secretary of Defense, Annual Report to Congress:
Military Power of the People's Republic of China 2008.
[10] Homeland Security Act of 2002, Pub. L. 107-296 (Nov. 25, 2002).
[11] The White House, The National Strategy to Secure Cyberspace
(Washington, D.C.: February 2003).
[12] The White House, Homeland Security Presidential Directive 7,
Critical Infrastructure Identification, Prioritization, and Protection
(Washington, D.C.: Dec. 17, 2003).
[13] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-434].
[14] GAO, Critical Infrastructure Protection: Significant Challenges in
Developing National Capabilities, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-323]
(Washington, D.C.: Apr. 25, 2001).
[15] Department of Homeland Security, National Response Framework
(Washington, D.C.: January 2008).
[16] The White House, National Security Presidential Directive 54/
Homeland Security Presidential Directive 23 (Washington, D.C.: Jan. 8,
2008).
[17] Nonfederal entities include state and local governments, private
sector entities, and individuals.
[18] The CERT Coordination Center is a center of Internet security
expertise at the Software Engineering Institute, a federally funded
research and development center operated by the Carnegie Mellon
University. CERT Coordination Center is registered in the U.S. Patent
and Trademark Office by Carnegie Mellon University.
[19] ISACs are to facilitate the private sector's participation in
critical infrastructure protection efforts by serving as mechanisms for
gathering and analyzing information and sharing it among the critical
infrastructure sectors and between the private sector and government.
ISACs have been established for many sectors, including financial
services, electricity, information technology, research and education,
the states, and telecommunications.
[20] According to the National Institute of Standards and Technology,
the National Vulnerability Database is the U.S. government repository
of standards-based vulnerability management data. These data enable
automation of vulnerability management, security measurement, and
compliance (e.g., to meet the requirements of the Federal Information
Security Management Act). This database includes databases of security
checklists, security-related software flaws, misconfigurations, product
names, and impact metrics.
[21] According to MITRE, the Common Vulnerabilities and Exposures
(CVE®) list is a dictionary of common names (i.e., CVE Identifiers) for
publicly known information security vulnerabilities. CVE's common
identifiers make it easier to share data across separate information
security databases and tools, and provide a baseline for evaluating the
coverage of an organization's security tools.
[22] According to NIST, the Common Vulnerability Scoring System (CVSS)
is an open framework for communicating the characteristics and impacts
of IT vulnerabilities. Specifically, CVSS provides a standard
measurement system for industries, organizations, and governments that
need accurate and consistent vulnerability impact scores.
[23] According to MITRE, Open Vulnerability and Assessment Language
(OVAL™) is an international information security community standard to
promote open and publicly available security content, and to
standardize the transfer of this information across the entire spectrum
of security tools and services.
[24] The SANS Internet Storm Center (ISC) is an example of a
cooperative cyber analysis and warning center. The ISC provides free
analysis and warning services for those who monitor the Web site.
Participation is voluntary. In addition, the SANS Institute sponsors
intrusion detection software that acts as a monitoring sensor for data
collection from which threat information and data trends can be
analyzed.
[25] Computer forensics is the practice of gathering, retaining, and
analyzing computer-related data for investigative purposes in a manner
that maintains the integrity of the data.
[26] A honeypot is an intentionally underprotected computer host that
is designed to collect data on suspicious activity. It generally has no
authorized users other than its administrators. A sandbox is an
isolated computer host used by analysts to let them observe cyber
threats in order to gather data about how a specific threat might act.
It is used to observe threats without endangering a live network and
proprietary data.
[27] NIST, Computer Security Incident Handling Guide: Recommendations
of the National Institute of Standards and Technology, Special
Publication 800-61 Revision 1 (Gaithersburg, Maryland: March 2008).
This guide was issued to assist organizations in establishing computer
security incident response capabilities and in handling incidents
efficiently and effectively.
[28] NIST Special Pub. 800-61, Rev. 1.
[29] NIST Special Pub. 800-61, Rev. 1.
[30] Cyber Storm is a biennial national-level exercise to test the
ability of federal and nonfederal stakeholders, including federal,
state, and local agencies; private sector entities; and foreign
governments, to respond to major cyber attacks. The last exercise,
referred to as Cyber Storm II, was held in March 2008.
[31] GAO, Critical Infrastructure Protection: Multiple Efforts to
Secure Control Systems Are Under Way, but Challenges Remain,
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-1036] (Washington,
D.C.: Sept. 10, 2007).
[32] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-323].
[33] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-434].
[34] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-207].
[35] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-434].
[36] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-434].
[37] Note: The Department requests that GAO use the acronym, "US-CERT,"
when referring to the United States Computer Emergency Readiness Team
and remove any references to it as "the center." US-CERT is not
classified or defined as a center by the Department or any other
entity. The GAO's use of the term "the center" can be confusing because
the report also refers to the National Cyber Security Center (NCSC),
which is an organization separate from NCSD. The NCSC will not
duplicate the roles and responsibilities of the participating
organizations, such as US-CERT, but will support them and ensure
coordination and shared cyber security situational awareness across
these organizations.
[38] With regard to targeted dissemination of US-CERT's vetted products
(e.g., Federal Information Notices (FINs), US-CERT CIINs issued via the
Homeland Security Information Network - Critical Sectors (HSIN-CS)
portal, and Situational Awareness Reports (SARs)), US-CERT only vets the
membership for the Government Forum of Incident Response and Security
Teams (GFIRST).
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: