http://www.wired.com/news/politics/0,1283,44019,00.html [Not a suprising report in my book. Longtime ISN readers might remember Lew Koch's story about the failings of the NIPC in his November 2000 article that covers a fair amount of what the GAO discovered and reported on. Since I am not a subscriber of the NIPC Daily Brief, I have to wonder how they will report on this? - WK] By Declan McCullagh 12:30 p.m. May 23, 2001 PDT WASHINGTON -- When the U.S. government created the National Infrastructure Protection Center in February 1998 to thwart "cyber criminals," officials couldn't stop talking about how the feds were finally fighting back against the hacker menace. Former Attorney General Janet Reno said at the time that the new agency would "pursue criminals who attack or employ global networks" -- and that without the NIPC, "the nation will be at peril." Three years later, it's the NIPC that's in peril -- of being dubbed a poorly-organized, ill-conceived bureaucracy that more established agencies routinely ignore and that has not lived up to the promises its proponents once made. Instead of becoming a highly-sensitive nerve center that responds to computer intrusions, congressional investigators have concluded that the NIPC has turned into a federal backwater that is surprisingly ineffective in pursing malicious hackers or devising a plan to protect electronic infrastructures. The NIPC received $32 million in 1999 and $28 million in 2000, not counting items like office space and telephones provided by the FBI. The remarkable 108-page report from the General Accounting Office that was released Tuesday shows how bureaucracy can defeat the best intentions of Congress and the White House. It says: * It's not clear where the agency belongs. The White House staff claim they're directly responsible for NIPC oversight, but the Justice Department approves its budget and the FBI notes that the NIPC director reports to an assistant FBI director. Because of long-standing regulations, NIPC staff can't even share sensitive information with the White House without the Justice Department's permission. The GAO concludes in a typical understatement: "This situation may be impeding the NIPC's ability to carry out its mission." * Nobody seems to listen. Other intelligence agencies, such as the CIA and National Security Agency, have a procedure they use to alert the president of serious threats to "national security." NIPC representatives in 1998 and 1999 met with the National Intelligence Council and the Joint Chiefs of Staff, but couldn't reach an agreement -- so NIPC has been kept out of the alert process. * Tight-lipped agencies refuse to share information. In Washington, protecting your turf means protecting your databases. NIPC representatives met with the Defense Department and the National Communications System, but couldn't agree on how to share data. The Commerce Department's Critical Infrastructure Assurance Office, which has a related effort, insists that entries in their databases actually belong to individual federal agencies and can't be shared without their permission. Plus, the White House has told civilian agencies to report attempted intrusions to the General Services Administration's incident response center instead of the NIPC. * Nobody can define an electronic threat to "national security." Everyone agrees that some attacks -- a successful intrusion into classified Pentagon computers, for instance -- would fall in that category. But nobody's figured out how to define it yet. This is important because in some cases, U.S. law gives the Defense Department the primary responsibility for responding to terrorist threats. Th White House turned down NIPC's suggestions. * Other agencies won't cooperate. Bureaucratic wrangling is alive and well in Washington, as a frustrated FBI Director Louis Freeh said in a November 2000 letter to the White House. He complained that "some agencies appear to question PDD 63 itself and would like to take parts of the NIPC's mission." Freeh is talking about former President Clinton's Presidential Decision Directive 63, which expanded NIPC's responsibilities. In 1999, the Secret Service withdrew two agents it had posted at the NIPC, saying they didn't have enough responsibilities. * NIPC has been sluggish in outreach. A 1999 FBI computer intrusion plan called for the NIPC to send representatives to the 56 FBI field offices in the United States. But as of Dec. 31, 2000, the Pittsburgh office was the only one to receive agents, probably because of its ties with the local Computer Emergency Response Team at Carnegie Mellon University. The NIPC has also failed to find enough qualified agents. * Other agencies don't like an upstart. The GAO reports that the intelligence community views the NIPC as a "second-tier" agency that is to be fed information, not generate it. When the NIPC wanted to create an advisory board with senior representatives from other agencies, the FBI director approved the idea -- but the White House nixed it. Even inside the FBI, there's tension: NIPC is part of the FBI's Counterterrorism Division, one of 11 divisions inside the FBI's Washington headquarters. Its director reports to the FBI's assistant director for counterterrorism, and the agency fears that protecting critical infrastructure may conflict with the FBI's law enforcement mission to arrest suspects. In a letter responding to the GAO's report, NIPC director Ronald Dick tries to strike an upbeat tone, but concedes that "without removing the barriers the NIPC has faced in the past, it is unlikely that the NIPC can ever fully meet" expectations. Dick's letter pointed fingers, saying that many other agencies "simply have not heeded the call" in PDD63 to help the NIPC when asked. PDD 63 says: "All executive departments and agencies shall cooperate with the NIPC and provide such assistance, information and advice that the NIPC may request." The GAO seems to agree, and recommends that the NIPC's responsibilities and powers be clarified. Dick also complained that businesses weren't sharing enough information with the NIPC, perhaps because of a fear that proprietary information could leak out through requests under the Freedom of Information Act. Attorney General John Ashcroft echoed this on Tuesday, saying in a speech that "a company that does not report cybercrime to law enforcement may find itself in a far worse position than it ever imagined." The reason, Ashcroft said, is that the intruder may strike again. The National Security Council, which is part of the White House, had probably the harshest words for the NIPC. In a letter to the GAO, the council suggested that some of the NIPC's critical infrastructure functions "might be better accomplished by distributing the tasks among several existing federal agencies." [GAO report on the NIPC: http://www.gao.gov/new.items/d01323.pdf Lew Koch's story on the NIPC: http://www.zdnet.com/intweek/stories/columns/0,4164,2649836,00.html ] ISN is hosted by SecurityFocus.com --- To unsubscribe email isn-unsubscribeat_private
This archive was generated by hypermail 2b30 : Thu May 24 2001 - 00:35:19 PDT