http://www.wired.com/news/politics/0,1283,58327,00.html By Noah Shachtman April 03, 2003 This is how ill-prepared the federal government is to protect itself against terrorist attacks: Many of its agencies don't even know which buildings and computer networks to defend. In 1998, the Clinton administration ordered the Departments of Energy, Commerce, and Health and Human Services, as well as the Environmental Protection Agency, to each come up with a list of crucial equipment, buildings and information technology that must be protected under any circumstance. But nearly five years later -- and more than 18 months after Sept. 11 -- none of these agencies has completed its list, according to a report released Wednesday by the Government Accounting Office, Congress' investigative arm. And none of the agencies has comprehensive plans for keeping these assets safe. "For most of us, this would seem to be a matter of common sense," said Ken Johnson, a spokesman for the House Energy Committee. "But these agencies still aren't taking the threat of terrorism seriously enough. In our own homes, we know the things that are most valuable to us. It's not unreasonable to ask these departments to do the same." How would the Energy Department keep tabs on the country's stockpile of nuclear weapons if a truck bomb rammed into its headquarters? What labs would need to be secured if a nuclear "dirty bomb" went off near the Centers for Disease Control and Prevention in Atlanta? What financial databases would have to be maintained if hackers broke into the Commerce Department's computers? These are the sorts of questions the agencies are supposed to be asking themselves. "In military terms, these would be the 'command and control' structures -- the things needed to maintain continuity of operations if their headquarters were gone or inaccessible," said Phil Anderson, a senior fellow at the Center for Strategic and International Studies. The idea behind the Clinton directive was that the departments clearly can't protect all their assets equally. So they should concentrate their resources on the areas that matter most -- the "assets, nodes and networks that, if incapacitated or destroyed, would jeopardize the nation's survival" or "have a serious, deleterious effect on the nation at large," according to the GAO report. But the agencies haven't complied with the executive branch directive. Instead, the GAO report alleges, they're relying on years-old defense plans "focused on protecting hundreds of assets considered essential to the agencies' missions, rather than focusing on those assets that are critical to the nation." The departments seem to be in no hurry to settle on which areas are the most essential. "It could take years for these agencies to complete their analyses for all critical assets at their current pace," the report (PDF) said. In written comments submitted to the GAO, the Department of Health and Human Services vigorously disagreed with this assessment. The agency said it identified its assets "more than two years ago," and is currently reviewing them again. Representatives from the other agencies investigated either refused to comment or did not return calls. The Center for Strategic and International Studies' Anderson isn't surprised the agencies haven't finished their assessments. Large federal bureaucracies take time to build up speed on an issue, he said. And before Sept. 11, reasons for these agencies to hustle on security matters were not pressing. "How much motivation can there be when you don't believe you're at risk?" he said. Equally slow to develop are the ties between these federal agencies and the private sector. Commercial interests are responsible for more than 80 percent of the country's so-called critical infrastructure -- power plants, dams and the like. So it's vital that business and government exchange information about possible weaknesses and possible threats. Right now, however, this information is brokered through a dozen different Information Sharing and Analysis Centers, known as ISACs, each representing a different industry. But these groups aren't living up to their names, because they're not actually sharing what they know with the government, according to the GAO report. If they do, the ISACs reason, then the information can be released to the public under the Freedom of Information Act, which gives journalists and private citizens access to federal material that's not classified. And that could be dangerous, industry leaders said. "If we do a vulnerability assessment at one of our facilities, we'll share it with the other (industry) players, but not with the Energy Department," said Bobby Gillham, global security manager for ConocoPhillips and chairman of the Energy ISAC. "We don't want it to get on some website and be a roadmap for some terrorist." - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Apr 04 2003 - 01:31:04 PST