Critical Infrastructure Protection: Comments on the National Plan for Information Systems Protection (Statement/Record, 02/01/2000, GAO/T-AIMD-00-72)

Pursuant to a congressional request, GAO discussed the National Plan for Information Systems Protection, focusing on: (1) a detailed overview of the plan; (2) opportunities for sharpening the plan's proposals for improving the federal government's security programs; and (3) the challenges facing the government in building the public-private partnerships necessary for comprehensive infrastructure protections.

GAO noted that: (1) the National Plan for Information Systems Protection is intended as a first major element of a more comprehensive effort to protect the nation's information systems and critical assets from future attacks; (2) this preliminary version focuses largely on federal efforts being undertaken to protect the nation's critical cyber-based infrastructures; (3) subsequent versions are to address a broader range of concerns, including the specific role industry and state and local governments will play in protecting physical and cyber-based infrastructures from deliberate attack, as well as international aspects of critical infrastructure protection; (4) the end goal of this process is to develop a comprehensive national strategy for infrastructure assurance as envisioned by Presidential Decision Directive 63; (5) making the federal government a model of good information security is essential to the plan's success; (6) recent audits conducted by GAO and agency inspectors general show that 22 of the largest federal agencies have significant computer security weaknesses, ranging from poor controls over access to sensitive systems and data, to poor control over software development and changes, to nonexistent or weak continuity of service plans; (7) agencies have not established security management programs to ensure that controls, once implemented properly, are effective on an ongoing basis; (8) GAO also observed that other crosscutting actions, ranging from clarifying the roles and responsibilities of the many entities involved in information security, to strengthening oversight, to securing adequate technical expertise and funding, were needed in seven key areas to provide greater assurance that critical infrastructure objectives can be met; (9) the second facet of the plan focuses on developing a public-private partnership to protect the nation's infrastructure; and (10) in doing so, the plan proposes developing mechanisms and improving incentives for the private sector to cooperate voluntarily with the federal government, as well as with state and local governments, to provide for the common defense of the infrastructure.

Indexing Terms

REPORTNUM: T-AIMD-00-72
TITLE: Critical Infrastructure Protection: Comments on the National Plan for Information Systems Protection
DATE: 02/01/2000
SUBJECT: Internal controls; Computer networks; Data integrity; Information resources management; Information systems; Computer security; Strategic information systems planning; Joint ventures
IDENTIFIER: National Plan for Information Systems Protection

For Release at 10 a.m.
Tuesday, February 1, 2000

GAO/T-AIMD-00-72

Critical Infrastructure Protection: Comments on the National Plan for Information Systems Protection

Statement for the Record by Jack L. Brock, Jr., Director, Governmentwide and Defense Information Systems, Accounting and Information Management Division

Testimony Before the Subcommittee on Technology, Terrorism and Government Information, Committee on the Judiciary, U.S. Senate

United States General Accounting Office (GAO)

Mr. Chairman and Members of the Subcommittee:

I am pleased to be here today to discuss the National Plan for Information Systems Protection. This plan calls for new initiatives to strengthen the nation's defenses against threats to public and private sector information systems that are critical to the country's economic and social welfare, particularly those supporting public utilities, telecommunications, finance, emergency services, and government operations. As a "preliminary" document, it is intended to begin a dialogue on its proposals and lead to the development of plans for protecting other elements of the nation's infrastructure, including those pertaining to the physical infrastructure and specific roles and responsibilities for state and local governments and the private sector.

Beginning this dialogue is vital. As I stressed at this Subcommittee's October 1999 hearing on critical infrastructure protection, our nation's computer-based infrastructures are at increasing risk of severe disruption. The dramatic increase in computer interconnectivity, while facilitating communications, business processes, and access to information, has increased the risk that problems affecting one system will also affect other interconnected systems. Massive computer networks provide pathways among systems that, if not properly secured, can be used to gain unauthorized access to data and operations from remote locations.
While the threats or sources of these problems can include natural disasters, such as earthquakes, and system-induced problems, government officials are increasingly concerned about attacks from individuals and groups with malicious intentions, such as terrorists and nations engaging in information warfare.

This plan is an important and positive step forward toward building the cyber defense necessary to protect critical information assets and infrastructures.

* It identifies risks associated with our nation's dependence on computers and computer networks for critical services.
* It recognizes the need for the federal government to take the lead in addressing critical infrastructure risks and to serve as a model for information security.
* It outlines key concepts and general initiatives to assist in achieving these goals.

In doing this, the plan addresses many of the same points we raised at last October's hearing, including the need for improved standards, strengthened evaluations and oversight of agency performance, increased technical expertise, adequate funding, and improved incident detection and response capabilities. However, there are opportunities for improvement as the plan is further developed, as well as significant challenges that must be addressed to build the public-private partnerships necessary for infrastructure protection. In particular, we believe the plan should place more emphasis on providing agencies the incentives and tools to implement the management controls necessary to assure comprehensive computer security programs, as opposed to its current strong emphasis on implementing intrusion detection capabilities. In addition, the plan relies heavily on legislation and requirements already in place that, as a whole, are outmoded and inadequate as well as poorly implemented by the agencies.

Mr. Chairman, my testimony today will provide a more detailed overview of the plan, identify opportunities for sharpening the plan's proposals for improving the federal government's security programs, and outline the challenges facing the government in building the public-private partnerships necessary for comprehensive infrastructure protections.

Overview of the National Plan for Information Systems Protection

The plan proposes achieving its twin goals of making the U.S. government a model of information security and developing a public-private partnership to defend our national infrastructure through the following 10 programs, which are intended to serve three crosscutting infrastructure protection objectives.

Table 1: Infrastructure Protection Objectives and Programs

Crosscutting objective: Prepare and Prevent
Description: The steps necessary to minimize the possibility of a significant and successful attack on our critical information networks, and to build an infrastructure that remains effective in the face of such attacks.
Program:
  - Identify critical infrastructure assets and shared interdependencies and address vulnerabilities.

Crosscutting objective: Detect and Respond
Description: The actions required to identify and assess an attack in a timely way, and then to contain the attack, quickly recover from it, and reconstitute affected systems.
Programs:
  - Detect attacks and unauthorized intrusions.
  - Develop intelligence and law enforcement capabilities to protect critical information systems.
  - Share attack warning and information in a timely manner.
  - Create capabilities for response, reconstitution, and recovery.

Crosscutting objective: Build Strong Foundations
Description: The steps needed to create and nourish the people, organizations, laws, and traditions that will make us better able to prepare for and prevent, detect, and respond to attacks on our critical information networks.
Programs:
  - Enhance research and development.
  - Train and employ adequate numbers of information security specialists.
  - Outreach to make Americans aware of the need for improved cyber security.
  - Adopt legislation and appropriations to support infrastructure protections.
  - Ensure the full protection of American citizens' civil liberties, their rights to privacy, and their rights to the protection of proprietary data.

Making the Federal Government a Model

Making the federal government a model of good information security is essential to the plan's success. However, the gap between expectations and actual agency performance is significant. As we testified last October and in subsequent written responses to your questions, our government is not adequately protecting critical federal operations and assets from computer-based attacks. In particular, recent audits conducted by GAO and agency inspectors general show that 22 of the largest federal agencies have significant computer security weaknesses, ranging from poor controls over access to sensitive systems and data, to poor control over software development and changes, to nonexistent or weak continuity of service plans.

Importantly, our audits have repeatedly identified serious deficiencies in the most basic controls over access to federal systems. For example, managers often provided overly broad access privileges to very large groups of users, affording far more individuals than necessary the ability to browse, and sometimes modify or delete, sensitive or critical information. In addition, access was often not appropriately authorized or documented; users often shared accounts and passwords or posted passwords in plain view; software access controls were improperly implemented; and user activity was not adequately monitored to deter and identify inappropriate actions.
While a number of factors have contributed to weak federal information security, such as insufficient understanding of risks, technical staff shortages, and a lack of system and security architectures, the fundamental underlying problem is poor security program management. As we reported in 1996 and again in 1998, agencies have not established security management programs to ensure that controls, once implemented properly, are effective on an ongoing basis. This framework of effective access controls and management oversight is fundamental to any good computer security program.

At last October's hearing, we also observed that other crosscutting actions, ranging from clarifying the roles and responsibilities of the many entities involved in information security, to strengthening oversight, to securing adequate technical expertise and funding, were needed in seven key areas to provide greater assurance that critical infrastructure objectives can be met. I would like to discuss how the plan addresses each of these areas and what additional actions need to be taken.

Clearly Defined Roles and Responsibilities

The plan takes some positive steps to resolve this problem. For example, it discusses in very general terms how tasks associated with accomplishing the plan's objectives relate to computer security responsibilities outlined in existing laws and related guidance. These include the federal computer security and information resource management responsibilities of OMB, agency Chief Information Officers, and Chief Financial Officers, as well as the CIO Council. It describes OMB's core responsibility for managing federal computer security and information technology. And it generally defines the roles of the major entities created by PDD 63, including the National Coordinator for Security, Infrastructure Protection and Counter-Terrorism, the Critical Infrastructure Assurance Office, and the National Infrastructure Protection Center.
In this regard, the plan makes a start at better defining the critical infrastructure protection responsibilities of the many federal entities involved. The plan also introduces or formalizes a number of new entities, interagency working groups, and projects that will have to be integrated into the existing framework of computer security activities. Examples of these new entities and efforts include an Expert Review Team for evaluating agency infrastructure protection plans, a Federal Intrusion Detection Network, and an interagency working group on system security practices. Because of the number of entities involved (some established by law, some by executive order, and others with less formal mandates), strong and effective leadership will be essential to ensure that their efforts are coordinated and adequately communicated to individual agency personnel, and that critical infrastructure protection efforts are appropriately linked with broader computer security efforts.

Risk-Based Standards

Currently, agencies have wide discretion in deciding (1) what computer controls to implement and (2) the level of rigor with which to enforce these controls. In theory, this is appropriate since, as OMB and NIST guidance states, the level of protection provided should be commensurate with the related risk to operations and assets. In security, one size does not fit all. The risks associated with different types of data and operations vary, depending on their sensitivity and criticality. For example, for undercover law enforcement operations, data confidentiality must be protected at all costs, while for other types of data, such as current information on financial markets, data integrity is the uppermost concern. Our audit work has shown that agencies have generally done a very poor job of evaluating their information security risks and implementing appropriate controls.
As a result, we believe that more specific guidance on what types of controls are appropriate for specific types of systems and data, and on the ways in which these controls should be implemented, would be helpful. Specifically, a more prescriptive set of control standards, supported by a range of data classifications and related minimum requirements, would help clarify expectations for information protection, provide a framework for assessing information security risk, and help ensure that similar types of data and shared data are provided the same level of protection from one agency to another. In essence, risk-based standards would assist agencies in ensuring that their most critical operations and assets are protected at the highest levels, while providing agencies the flexibility to apply less rigorous (and often less expensive and less cumbersome) controls to lower-risk operations and assets.

Routine Evaluations of Agency Performance

The plan takes some constructive steps in this regard. In particular, it calls on federal agencies to put in place programs to carry out several types of vulnerability testing and analysis, including routine automated system configuration, integrity, and vulnerability testing using commercial off-the-shelf tools; regular internal self-assessments; and independent external critical reviews. At an agency's request, NSA and NIST are to perform independent analyses of critical federal information infrastructure and provide independent reports of their results to the agency's CIO. And, as mentioned earlier, the plan anticipates establishing a permanent Expert Review Team at NIST to assist agencies governmentwide in adhering to federal computer security requirements. Nevertheless, we believe that the plan's provisions for testing agency controls may not be rigorous enough. Tests initiated by agency officials are essential because they provide the information those officials need to fulfill their ongoing responsibility for managing security programs.
However, routine in-depth tests and evaluations initiated by independent auditors, such as agency inspectors general, are also critical because they serve as an independent check on management evaluations and provide reliable information on actual control effectiveness for congressional and executive branch oversight. Our audits at individual agencies and our best practices work have shown that a continuous cycle of testing, reassessment of risk, and adjustments to policies and controls is needed to ensure that efforts to protect information remain appropriate and effective on an ongoing basis. Establishing such a cycle of activity will require a significant commitment by agency management, the federal audit community, and federal centers of technical expertise, such as NSA and NIST. It will be important for any new audit requirements, including those associated with the Expert Review Team, to be carried out in this context.

Executive Branch and Congressional Oversight

The administration's call to action through this plan's development, together with increased congressional interest, indicates a heightened concern over cyber security and provides a basis for increased oversight. As noted in the previous section, initial oversight must focus heavily on agency management's fulfillment of its obligations to set and evaluate meaningful controls over its information environment.

Adequate Technical Expertise

The plan does a good job of addressing this issue. It describes a program to develop a cadre of highly skilled computer science and information security personnel.
This program, if implemented, would include estimating personnel and training needs; establishing centers for information technology excellence that will provide web-based and classroom information security training to federal employees and to college and high school students; initiating a scholarship program under which recipients would agree to a predetermined commitment to federal government service; and establishing a high school and secondary school outreach program.

Adequate Funding

In releasing the plan on January 7, the President announced that he was proposing a 16 percent increase in funding for critical infrastructure protection in his fiscal year 2001 budget proposal. To jumpstart fiscal year 2001 initiatives, the President also proposed $9 million in supplemental funding for this spring. We have not had the opportunity to examine this proposal in detail. However, as this plan evolves, it will be important to secure OMB and congressional oversight of spending in order to ensure that expenditures are targeted toward reducing the most significant risks and that the controls implemented are effective. Our audits have shown that, in the past, agencies have expended resources on controls that, when tested, proved to be ineffective. In addition, they have often addressed identified weaknesses in an ad hoc, piecemeal fashion that resulted in limited improvement. It will be important for future security budgets to be based primarily on risk-based needs and for expenditures to be evaluated, to the extent possible, in terms of actual risk reduction.

Incident Detection and Response

The plan proposes to strengthen incident detection and response by developing mechanisms for regular sharing of federal threat, vulnerability, and warning data, and by sponsoring conferences to further the coordination and development of common operating systems.
In particular, it calls for a governmentwide system for analyzing and correlating attack data consisting of three elements: one for the Department of Defense and national security communities (the Joint Task Force-Computer Network Defense, which is already deployed); a second for non-Defense federal departments and agencies (the Federal Intrusion Detection Network, or FIDNet, which will build on existing DOD and other security technology expertise); and a third that provides information to both systems (the National Security Incident Response Center, or NSIRC, which has already been deployed to provide expert assistance to the national security community in isolating, containing, and resolving incidents threatening national security systems).

We agree that developing improved intrusion detection and response capabilities is important. However, available tools and methods for analyzing network traffic and detecting intrusions are still evolving and cannot yet be relied on to serve as an effective "burglar alarm," as envisioned by the plan. While holding promise for the future, such tools and methods currently raise many questions regarding technical feasibility, cost-effectiveness, and the appropriate extent of centralized federal oversight. Accordingly, these efforts merit close congressional oversight.

Legislative Framework

At present, there is legislation pending in both Houses that seeks to correct some of these underlying deficiencies. Among other things, these proposals call for a more comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support federal operations and assets; recognize the highly networked nature of the federal computing environment; and provide better oversight mechanisms. Such efforts could play an integral role in further strengthening the plan.
Engaging Public-Private Partnerships

The plan seeks to establish a Partnership for Critical Infrastructure Security and a National Infrastructure Assurance Council to increase corporate and government communications about shared threats to critical information systems. It also proposes establishing Information Sharing and Analysis Centers to facilitate public-private sector information sharing about actual threats and vulnerabilities in individual infrastructure sectors. These, as well as other proposals, however, are presented in broad terms, with the intent that future versions of the plan will describe a full spectrum of specific actions and programs that have been jointly agreed upon by industry and all levels of government.

We believe this approach is reasonable given the formidable challenges involved in developing effective partnerships with the private sector. The plan itself recognizes some of these challenges. For example, it acknowledges that critical infrastructure protection is not exclusively, or even largely, within the province of the federal government, and that, as a result, the federal government is limited in what it can do to protect critical infrastructures. It also recognizes that while the nature of the threat to our national infrastructure has changed, the true extent of that threat, our vulnerability to it, and possible means of defense are not entirely clear. Furthermore, the plan appreciates that solutions to critical infrastructure protection must be tailored sector by sector, through consultation about vulnerabilities, threats, and possible response strategies.

At the same time that the plan recognizes such challenges, it proposes several initiatives that may have a significant impact on the private sector and affected interest groups.
For example, the plan raises the possibility of reviewing laws for possible amendments to remove barriers that discourage private sector companies from sharing information with government agencies about infrastructure protection issues. Specifically, it raises the idea of more explicit confidentiality protections (so that federal law enforcement or defense agencies could assure private companies that such information would not be accessible through the Freedom of Information Act) as well as changes to antitrust or tort liability laws. Because such changes could involve important tradeoffs among significant policy concerns as well as affected interest groups, it will be important to proceed carefully in addressing the concerns of affected parties while at the same time providing the incentives needed to garner private sector cooperation.

The plan also suggests increasing employer rights to monitor employees. This would provide one means of protecting organizations from "insiders," who, as a practical matter, probably pose a greater threat to organizational security than do external threats. Again, the challenge will lie in balancing individual privacy concerns with the need to protect sensitive assets and the common welfare.

These are just two examples of possible changes that may have the potential to improve the public-private partnership for information protection, but that will require extensive public dialogue before they could or should be implemented.

Mr. Chairman, this concludes my statement. The plan fulfills the commitment made on its title page: it does invite a meaningful dialogue. The plan is an engaging step forward in improving the nation's cyber infrastructure. As noted in this statement, much more needs to be done to strengthen the plan's ambitious goal of making the government a model.
And serious consideration of changes in the computer security legislative framework is necessary to better assure agency compliance with good practice and process. Finally, the challenges facing the establishment of a meaningful public-private partnership require a level of continuous, long-term commitment on all sides that will be difficult to sustain but that is certainly achievable.

(511693)