WASHINGTON – Created three years ago to organize government resources in the fight against computer-based crime, the FBI’s National Infrastructure Protection Center is not up to the job facing it. That’s the conclusion of a 10-page report presented by the General Accounting Office to a Senate subcommittee.
The Internet and other interconnections of computer systems have made communications faster, easier and more efficient, but have also increased the risk to these computer networks “and, more importantly, to the critical operations and infrastructures these systems support,” the GAO told the Senate Subcommittee on Technology of the Judiciary Committee.
Many foreign governments already have or are developing capabilities to attack computer systems, and “there is a growing risk that terrorists or hostile foreign states could severely damage or disrupt national defense or vital public operations through computer-based attacks,” the GAO said. The NIPC was formed to analyze such threats, coordinate resources to investigate and counter them, and issue timely warnings of attacks.
But the NIPC is short of staff. Several senior management positions have been unfilled for a year or longer, and it has only about half of the number of analysts it needs.
The agency also has not adopted standard terminology to describe cyberattacks and has not established thresholds to evaluate the sophistication of an attack. It also lacks industry-specific information that would allow it to identify areas that are vulnerable to attack and the interdependencies that would tell it what secondary damage would result if an attack crashed a computer system.
“A more fundamental impediment,” said Robert F. Dacey, who headed the GAO’s study, is that it is not clear who is supposed to be in charge of setting the NIPC’s priorities and overseeing its activities. At least four agencies are involved in its operations.
The NIPC is supposed to work closely with industry. But so far it has developed an information-sharing partnership only with the electric power industry. The NIPC provides information to other industries, but does receive information in return.
Ronald Dick, director of the NIPC, said that his organization has made some progress since the GAO did its review. But he acknowledged that many companies are reluctant to provide detailed information about their computer systems. One reasons is that his agency could be compelled to disclose that information, even to competitors, under terms of the Freedom of Information Act.
