[ISN] U.S.'s Defenseless Department

From: InfoSec News (isnat_private)
Date: Wed May 23 2001 - 16:41:27 PDT

    [Not a surprising report in my book. Longtime ISN readers might
    remember Lew Koch's story about the failings of the NIPC in his
    November 2000 article that covers a fair amount of what the GAO
    discovered and reported on. Since I am not a subscriber of the NIPC
    Daily Brief, I have to wonder how they will report on this?  - WK]
    By Declan McCullagh 
    12:30 p.m. May 23, 2001 PDT 
    WASHINGTON -- When the U.S. government created the National
    Infrastructure Protection Center in February 1998 to thwart "cyber
    criminals," officials couldn't stop talking about how the feds were
    finally fighting back against the hacker menace.
    Former Attorney General Janet Reno said at the time that the new
    agency would "pursue criminals who attack or employ global networks"
    -- and that without the NIPC, "the nation will be at peril."
    Three years later, it's the NIPC that's in peril -- of being dubbed a
    poorly-organized, ill-conceived bureaucracy that more established
    agencies routinely ignore and that has not lived up to the promises
    its proponents once made.
    Instead of becoming a highly-sensitive nerve center that responds to
    computer intrusions, congressional investigators have concluded that
    the NIPC has turned into a federal backwater that is surprisingly
    ineffective in pursuing malicious hackers or devising a plan to protect
    electronic infrastructures. The NIPC received $32 million in 1999 and
    $28 million in 2000, not counting items like office space and
    telephones provided by the FBI.
    The remarkable 108-page report from the General Accounting Office that
    was released Tuesday shows how bureaucracy can defeat the best
    intentions of Congress and the White House. It says:
    * It's not clear where the agency belongs. The White House staff claim
      they're directly responsible for NIPC oversight, but the Justice
      Department approves its budget and the FBI notes that the NIPC
      director reports to an assistant FBI director. Because of
      long-standing regulations, NIPC staff can't even share sensitive
      information with the White House without the Justice Department's
      permission. The GAO concludes in a typical understatement: "This
      situation may be impeding the NIPC's ability to carry out its
    * Nobody seems to listen. Other intelligence agencies, such as the CIA
      and National Security Agency, have a procedure they use to alert the
      president of serious threats to "national security." NIPC
      representatives in 1998 and 1999 met with the National Intelligence
      Council and the Joint Chiefs of Staff, but couldn't reach an
      agreement  -- so NIPC has been kept out of the alert process. 
    * Tight-lipped agencies refuse to share information. In Washington,
      protecting your turf means protecting your databases. NIPC
      representatives met with the Defense Department and the National
      Communications System, but couldn't agree on how to share data. The
      Commerce Department's Critical Infrastructure Assurance Office,
      which has a related effort, insists that entries in their databases
      actually belong to individual federal agencies and can't be shared
      without their permission. Plus, the White House has told civilian
      agencies to report attempted intrusions to the General Services
      Administration's incident response center instead of the NIPC. 
    * Nobody can define an electronic threat to "national
      security." Everyone agrees that some attacks -- a successful
      intrusion into classified Pentagon computers, for instance -- would
      fall in that category. But nobody's figured out how to define it
      yet. This is important because in some cases, U.S. law gives the
      Defense Department the primary responsibility for responding to
      terrorist threats. The White House turned down NIPC's suggestions. 
    * Other agencies won't cooperate. Bureaucratic wrangling is alive and
      well in Washington, as a frustrated FBI Director Louis Freeh said in
      a November 2000 letter to the White House. He complained that "some
      agencies appear to question PDD 63 itself and would like to take
      parts of the NIPC's mission." Freeh is talking about former
      President Clinton's Presidential Decision Directive 63, which
      expanded NIPC's responsibilities. In 1999, the Secret Service
      withdrew two agents it had posted at the NIPC, saying they didn't
      have enough responsibilities. 
    * NIPC has been sluggish in outreach. A 1999 FBI computer intrusion
      plan called for the NIPC to send representatives to the 56 FBI field
      offices in the United States. But as of Dec. 31, 2000, the
      Pittsburgh office was the only one to receive agents, probably
      because of its ties with the local Computer Emergency Response Team
      at Carnegie Mellon University. The NIPC has also failed to find
      enough qualified agents. 
    * Other agencies don't like an upstart. The GAO reports that the
      intelligence community views the NIPC as a "second-tier" agency that
      is to be fed information, not generate it. When the NIPC wanted to
      create an advisory board with senior representatives from other
      agencies, the FBI director approved the idea -- but the White House
      nixed it. Even inside the FBI, there's tension: NIPC is part of the
      FBI's Counterterrorism Division, one of 11 divisions inside the
      FBI's Washington headquarters. Its director reports to the FBI's
      assistant director for counterterrorism, and the agency fears that
      protecting critical infrastructure may conflict with the FBI's law
      enforcement mission to arrest suspects. 
    In a letter responding to the GAO's report, NIPC director Ronald Dick
    tries to strike an upbeat tone, but concedes that "without removing
    the barriers the NIPC has faced in the past, it is unlikely that the
    NIPC can ever fully meet" expectations.
    Dick's letter pointed fingers, saying that many other agencies "simply
    have not heeded the call" in PDD 63 to help the NIPC when asked. PDD 63
    says: "All executive departments and agencies shall cooperate with the
    NIPC and provide such assistance, information and advice that the NIPC
    may request."
    The GAO seems to agree, and recommends that the NIPC's
    responsibilities and powers be clarified.
    Dick also complained that businesses weren't sharing enough
    information with the NIPC, perhaps because of a fear that proprietary
    information could leak out through requests under the Freedom of
    Information Act.
    Attorney General John Ashcroft echoed this on Tuesday, saying in a
    speech that "a company that does not report cybercrime to law
    enforcement may find itself in a far worse position than it ever
    imagined." The reason, Ashcroft said, is that the intruder may strike
    The National Security Council, which is part of the White House, had
    probably the harshest words for the NIPC.
    In a letter to the GAO, the council suggested that some of the NIPC's
    critical infrastructure functions "might be better accomplished by
    distributing the tasks among several existing federal agencies."
    [GAO report on the NIPC: http://www.gao.gov/new.items/d01323.pdf
    Lew Koch's story on the NIPC: 
    http://www.zdnet.com/intweek/stories/columns/0,4164,2649836,00.html ]