http://www.wired.com/news/politics/0,1283,44019,00.html
[Not a suprising report in my book. Longtime ISN readers might
remember Lew Koch's story about the failings of the NIPC in his
November 2000 article that covers a fair amount of what the GAO
discovered and reported on. Since I am not a subscriber of the NIPC
Daily Brief, I have to wonder how they will report on this? - WK]
By Declan McCullagh
12:30 p.m. May 23, 2001 PDT
WASHINGTON -- When the U.S. government created the National
Infrastructure Protection Center in February 1998 to thwart "cyber
criminals," officials couldn't stop talking about how the feds were
finally fighting back against the hacker menace.
Former Attorney General Janet Reno said at the time that the new
agency would "pursue criminals who attack or employ global networks"
-- and that without the NIPC, "the nation will be at peril."
Three years later, it's the NIPC that's in peril -- of being dubbed a
poorly-organized, ill-conceived bureaucracy that more established
agencies routinely ignore and that has not lived up to the promises
its proponents once made.
Instead of becoming a highly-sensitive nerve center that responds to
computer intrusions, congressional investigators have concluded that
the NIPC has turned into a federal backwater that is surprisingly
ineffective in pursing malicious hackers or devising a plan to protect
electronic infrastructures. The NIPC received $32 million in 1999 and
$28 million in 2000, not counting items like office space and
telephones provided by the FBI.
The remarkable 108-page report from the General Accounting Office that
was released Tuesday shows how bureaucracy can defeat the best
intentions of Congress and the White House. It says:
* It's not clear where the agency belongs. The White House staff claim
they're directly responsible for NIPC oversight, but the Justice
Department approves its budget and the FBI notes that the NIPC
director reports to an assistant FBI director. Because of
long-standing regulations, NIPC staff can't even share sensitive
information with the White House without the Justice Department's
permission. The GAO concludes in a typical understatement: "This
situation may be impeding the NIPC's ability to carry out its
mission."
* Nobody seems to listen. Other intelligence agencies, such as the CIA
and National Security Agency, have a procedure they use to alert the
president of serious threats to "national security." NIPC
representatives in 1998 and 1999 met with the National Intelligence
Council and the Joint Chiefs of Staff, but couldn't reach an
agreement -- so NIPC has been kept out of the alert process.
* Tight-lipped agencies refuse to share information. In Washington,
protecting your turf means protecting your databases. NIPC
representatives met with the Defense Department and the National
Communications System, but couldn't agree on how to share data. The
Commerce Department's Critical Infrastructure Assurance Office,
which has a related effort, insists that entries in their databases
actually belong to individual federal agencies and can't be shared
without their permission. Plus, the White House has told civilian
agencies to report attempted intrusions to the General Services
Administration's incident response center instead of the NIPC.
* Nobody can define an electronic threat to "national
security." Everyone agrees that some attacks -- a successful
intrusion into classified Pentagon computers, for instance -- would
fall in that category. But nobody's figured out how to define it
yet. This is important because in some cases, U.S. law gives the
Defense Department the primary responsibility for responding to
terrorist threats. Th White House turned down NIPC's suggestions.
* Other agencies won't cooperate. Bureaucratic wrangling is alive and
well in Washington, as a frustrated FBI Director Louis Freeh said in
a November 2000 letter to the White House. He complained that "some
agencies appear to question PDD 63 itself and would like to take
parts of the NIPC's mission." Freeh is talking about former
President Clinton's Presidential Decision Directive 63, which
expanded NIPC's responsibilities. In 1999, the Secret Service
withdrew two agents it had posted at the NIPC, saying they didn't
have enough responsibilities.
* NIPC has been sluggish in outreach. A 1999 FBI computer intrusion
plan called for the NIPC to send representatives to the 56 FBI field
offices in the United States. But as of Dec. 31, 2000, the
Pittsburgh office was the only one to receive agents, probably
because of its ties with the local Computer Emergency Response Team
at Carnegie Mellon University. The NIPC has also failed to find
enough qualified agents.
* Other agencies don't like an upstart. The GAO reports that the
intelligence community views the NIPC as a "second-tier" agency that
is to be fed information, not generate it. When the NIPC wanted to
create an advisory board with senior representatives from other
agencies, the FBI director approved the idea -- but the White House
nixed it. Even inside the FBI, there's tension: NIPC is part of the
FBI's Counterterrorism Division, one of 11 divisions inside the
FBI's Washington headquarters. Its director reports to the FBI's
assistant director for counterterrorism, and the agency fears that
protecting critical infrastructure may conflict with the FBI's law
enforcement mission to arrest suspects.
In a letter responding to the GAO's report, NIPC director Ronald Dick
tries to strike an upbeat tone, but concedes that "without removing
the barriers the NIPC has faced in the past, it is unlikely that the
NIPC can ever fully meet" expectations.
Dick's letter pointed fingers, saying that many other agencies "simply
have not heeded the call" in PDD63 to help the NIPC when asked. PDD 63
says: "All executive departments and agencies shall cooperate with the
NIPC and provide such assistance, information and advice that the NIPC
may request."
The GAO seems to agree, and recommends that the NIPC's
responsibilities and powers be clarified.
Dick also complained that businesses weren't sharing enough
information with the NIPC, perhaps because of a fear that proprietary
information could leak out through requests under the Freedom of
Information Act.
Attorney General John Ashcroft echoed this on Tuesday, saying in a
speech that "a company that does not report cybercrime to law
enforcement may find itself in a far worse position than it ever
imagined." The reason, Ashcroft said, is that the intruder may strike
again.
The National Security Council, which is part of the White House, had
probably the harshest words for the NIPC.
In a letter to the GAO, the council suggested that some of the NIPC's
critical infrastructure functions "might be better accomplished by
distributing the tasks among several existing federal agencies."
[GAO report on the NIPC: http://www.gao.gov/new.items/d01323.pdf
Lew Koch's story on the NIPC:
http://www.zdnet.com/intweek/stories/columns/0,4164,2649836,00.html ]
ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe@SecurityFocus.com.
Received on Thu May 24 02:37 CDT 2001