Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

U.S.'s Defenseless Department

From: InfoSec News <isn () c4i org>
Date: Wed, 23 May 2001 18:41:27 -0500 (CDT)
http://www.wired.com/news/politics/0,1283,44019,00.html

[Not a suprising report in my book. Longtime ISN readers might
remember Lew Koch's story about the failings of the NIPC in his
November 2000 article that covers a fair amount of what the GAO
discovered and reported on. Since I am not a subscriber of the NIPC
Daily Brief, I have to wonder how they will report on this?  - WK]
 

By Declan McCullagh 
12:30 p.m. May 23, 2001 PDT 

WASHINGTON -- When the U.S. government created the National
Infrastructure Protection Center in February 1998 to thwart "cyber
criminals," officials couldn't stop talking about how the feds were
finally fighting back against the hacker menace.

Former Attorney General Janet Reno said at the time that the new
agency would "pursue criminals who attack or employ global networks"
-- and that without the NIPC, "the nation will be at peril."

Three years later, it's the NIPC that's in peril -- of being dubbed a
poorly-organized, ill-conceived bureaucracy that more established
agencies routinely ignore and that has not lived up to the promises
its proponents once made.

Instead of becoming a highly-sensitive nerve center that responds to
computer intrusions, congressional investigators have concluded that
the NIPC has turned into a federal backwater that is surprisingly
ineffective in pursing malicious hackers or devising a plan to protect
electronic infrastructures. The NIPC received $32 million in 1999 and
$28 million in 2000, not counting items like office space and
telephones provided by the FBI.

The remarkable 108-page report from the General Accounting Office that
was released Tuesday shows how bureaucracy can defeat the best
intentions of Congress and the White House. It says:


* It's not clear where the agency belongs. The White House staff claim
  they're directly responsible for NIPC oversight, but the Justice
  Department approves its budget and the FBI notes that the NIPC
  director reports to an assistant FBI director. Because of
  long-standing regulations, NIPC staff can't even share sensitive
  information with the White House without the Justice Department's
  permission. The GAO concludes in a typical understatement: "This
  situation may be impeding the NIPC's ability to carry out its
  mission."

* Nobody seems to listen. Other intelligence agencies, such as the CIA
  and National Security Agency, have a procedure they use to alert the
  president of serious threats to "national security." NIPC
  representatives in 1998 and 1999 met with the National Intelligence
  Council and the Joint Chiefs of Staff, but couldn't reach an
  agreement  -- so NIPC has been kept out of the alert process. 

* Tight-lipped agencies refuse to share information. In Washington,
  protecting your turf means protecting your databases. NIPC
  representatives met with the Defense Department and the National
  Communications System, but couldn't agree on how to share data. The
  Commerce Department's Critical Infrastructure Assurance Office,
  which has a related effort, insists that entries in their databases
  actually belong to individual federal agencies and can't be shared
  without their permission. Plus, the White House has told civilian
  agencies to report attempted intrusions to the General Services
  Administration's incident response center instead of the NIPC. 

* Nobody can define an electronic threat to "national
  security." Everyone agrees that some attacks -- a successful
  intrusion into classified Pentagon computers, for instance -- would
  fall in that category. But nobody's figured out how to define it
  yet. This is important because in some cases, U.S. law gives the
  Defense Department the primary responsibility for responding to
  terrorist threats. Th White House turned down NIPC's suggestions. 

* Other agencies won't cooperate. Bureaucratic wrangling is alive and
  well in Washington, as a frustrated FBI Director Louis Freeh said in
  a November 2000 letter to the White House. He complained that "some
  agencies appear to question PDD 63 itself and would like to take
  parts of the NIPC's mission." Freeh is talking about former
  President Clinton's Presidential Decision Directive 63, which
  expanded NIPC's responsibilities. In 1999, the Secret Service
  withdrew two agents it had posted at the NIPC, saying they didn't
  have enough responsibilities. 

* NIPC has been sluggish in outreach. A 1999 FBI computer intrusion
  plan called for the NIPC to send representatives to the 56 FBI field
  offices in the United States. But as of Dec. 31, 2000, the
  Pittsburgh office was the only one to receive agents, probably
  because of its ties with the local Computer Emergency Response Team
  at Carnegie Mellon University. The NIPC has also failed to find
  enough qualified agents. 

* Other agencies don't like an upstart. The GAO reports that the
  intelligence community views the NIPC as a "second-tier" agency that
  is to be fed information, not generate it. When the NIPC wanted to
  create an advisory board with senior representatives from other
  agencies, the FBI director approved the idea -- but the White House
  nixed it. Even inside the FBI, there's tension: NIPC is part of the
  FBI's Counterterrorism Division, one of 11 divisions inside the
  FBI's Washington headquarters. Its director reports to the FBI's
  assistant director for counterterrorism, and the agency fears that
  protecting critical infrastructure may conflict with the FBI's law
  enforcement mission to arrest suspects. 


In a letter responding to the GAO's report, NIPC director Ronald Dick
tries to strike an upbeat tone, but concedes that "without removing
the barriers the NIPC has faced in the past, it is unlikely that the
NIPC can ever fully meet" expectations.

Dick's letter pointed fingers, saying that many other agencies "simply
have not heeded the call" in PDD63 to help the NIPC when asked. PDD 63
says: "All executive departments and agencies shall cooperate with the
NIPC and provide such assistance, information and advice that the NIPC
may request."

The GAO seems to agree, and recommends that the NIPC's
responsibilities and powers be clarified.

Dick also complained that businesses weren't sharing enough
information with the NIPC, perhaps because of a fear that proprietary
information could leak out through requests under the Freedom of
Information Act.

Attorney General John Ashcroft echoed this on Tuesday, saying in a
speech that "a company that does not report cybercrime to law
enforcement may find itself in a far worse position than it ever
imagined." The reason, Ashcroft said, is that the intruder may strike
again.

The National Security Council, which is part of the White House, had
probably the harshest words for the NIPC.

In a letter to the GAO, the council suggested that some of the NIPC's
critical infrastructure functions "might be better accomplished by
distributing the tasks among several existing federal agencies."


[GAO report on the NIPC: http://www.gao.gov/new.items/d01323.pdf

Lew Koch's story on the NIPC: 
http://www.zdnet.com/intweek/stories/columns/0,4164,2649836,00.html ]





ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.
Previous By Date Next
Previous By Thread Next

Current thread: