Information Security News mailing list archives

Fed Agencies Asleep at the Wheel


From: InfoSec News <isn () c4i org>
Date: Fri, 4 Apr 2003 00:53:51 -0600 (CST)

http://www.wired.com/news/politics/0,1283,58327,00.html

By Noah Shachtman
April 03, 2003

This is how ill-prepared the federal government is to protect itself 
against terrorist attacks: Many of its agencies don't even know which 
buildings and computer networks to defend. 

In 1998, the Clinton administration ordered the Departments of Energy, 
Commerce, and Health and Human Services, as well as the Environmental 
Protection Agency, to each come up with a list of crucial equipment, 
buildings and information technology that must be protected under any 
circumstance. 

But nearly five years later -- and more than 18 months after Sept. 11 
-- none of these agencies has completed its list, according to a 
report released Wednesday by the Government Accounting Office, 
Congress' investigative arm. And none of the agencies has 
comprehensive plans for keeping these assets safe. 

"For most of us, this would seem to be a matter of common sense," said 
Ken Johnson, a spokesman for the House Energy Committee. "But these 
agencies still aren't taking the threat of terrorism seriously enough. 
In our own homes, we know the things that are most valuable to us. 
It's not unreasonable to ask these departments to do the same." 

How would the Energy Department keep tabs on the country's stockpile 
of nuclear weapons if a truck bomb rammed into its headquarters? What 
labs would need to be secured if a nuclear "dirty bomb" went off near 
the Centers for Disease Control and Prevention in Atlanta? What 
financial databases would have to be maintained if hackers broke into 
the Commerce Department's computers? These are the sorts of questions 
the agencies are supposed to be asking themselves. 

"In military terms, these would be the 'command and control' 
structures -- the things needed to maintain continuity of operations 
if their headquarters were gone or inaccessible," said Phil Anderson, 
a senior fellow at the Center for Strategic and International Studies. 

The idea behind the Clinton directive was that the departments clearly 
can't protect all their assets equally. So they should concentrate 
their resources on the areas that matter most -- the "assets, nodes 
and networks that, if incapacitated or destroyed, would jeopardize the 
nation's survival" or "have a serious, deleterious effect on the 
nation at large," according to the GAO report. 

But the agencies haven't complied with the executive branch directive. 
Instead, the GAO report alleges, they're relying on years-old defense 
plans "focused on protecting hundreds of assets considered essential 
to the agencies' missions, rather than focusing on those assets that 
are critical to the nation." 

The departments seem to be in no hurry to settle on which areas are 
the most essential. 

"It could take years for these agencies to complete their analyses for 
all critical assets at their current pace," the report (PDF) said. 

In written comments submitted to the GAO, the Department of Health and 
Human Services vigorously disagreed with this assessment. The agency 
said it identified its assets "more than two years ago," and is 
currently reviewing them again. Representatives from the other 
agencies investigated either refused to comment or did not return 
calls. 

The Center for Strategic and International Studies' Anderson isn't 
surprised the agencies haven't finished their assessments. Large 
federal bureaucracies take time to build up speed on an issue, he 
said. And before Sept. 11, reasons for these agencies to hustle on 
security matters were not pressing. 

"How much motivation can there be when you don't believe you're at 
risk?" he said. 

Equally slow to develop are the ties between these federal agencies 
and the private sector. Commercial interests are responsible for more 
than 80 percent of the country's so-called critical infrastructure -- 
power plants, dams and the like. So it's vital that business and 
government exchange information about possible weaknesses and possible 
threats. 

Right now, however, this information is brokered through a dozen 
different Information Sharing and Analysis Centers, known as ISACs, 
each representing a different industry. 

But these groups aren't living up to their names, because they're not 
actually sharing what they know with the government, according to the 
GAO report. 

If they do, the ISACs reason, then the information can be released to 
the public under the Freedom of Information Act, which gives 
journalists and private citizens access to federal material that's not 
classified. And that could be dangerous, industry leaders said. 

"If we do a vulnerability assessment at one of our facilities, we'll 
share it with the other (industry) players, but not with the Energy 
Department," said Bobby Gillham, global security manager for 
ConocoPhillips and chairman of the Energy ISAC. "We don't want it to 
get on some website and be a roadmap for some terrorist." 


