Summary: The explosive growth of computer interconnectivity is transforming the workings of our nation, its government, and its critical infrastructures. But with the enormous benefits of this interconnectivity comes a threat: both physical and cyber assets are potentially vulnerable to computer-based attack. In response, Presidential Decision Directive 63 (PDD 63, May 1998) called for a range of actions to improve the nation's ability to detect and respond to serious infrastructure attacks. For specific agencies under the Committee on Energy and Commerce's jurisdiction and for private-sector organizations for which these agencies have responsibilities, GAO was asked, among other things, to assess their progress and challenges in undertaking critical infrastructure protection (CIP) activities.
Federal efforts to protect our nation's critical public and private infrastructures have had mixed progress. GAO examined four specific agencies--the Departments of Health and Human Services (HHS), Energy, and Commerce, and the Environmental Protection Agency (EPA)--and found that the agencies have made progress in implementing several PDD 63 requirements, such as appointing chief information assurance officers and preparing initial CIP plans. However, none of the agencies has fully implemented all requirements, including the fundamental processes of identifying agency assets that are critical to the nation and determining their dependencies on other public and private assets, as well as assessing these assets' vulnerabilities. In addition, although most agencies have tentatively identified their critical assets, these efforts could take years to complete given the current pace and estimated time and resource needs. GAO also examined private-sector groups known as Information Sharing and Analysis Centers (ISACs) for five specific industry sectors--information technology, telecommunications, energy, electricity, and water supply. PDD 63 suggested voluntary ISAC creation to, among other things, serve as mechanisms for information sharing between infrastructure sectors and the government. In response, ISACs have been established and are serving as clearinghouses for their sectors to share information. For other suggested activities, such as establishing baseline statistics on computer security incidents, progress is mixed. Both the agencies and the ISACs identified challenges and obstacles to undertaking CIP activities. Agency-identified challenges included coordinating security efforts for critical assets with the General Services Administration, which may often be responsible for protecting agency facilities that house critical assets. The ISACs identified obstacles to information sharing, both between the sectors and the government and within the sectors. In particular, they noted concerns that information reported to the government could be subject to public release under the Freedom of Information Act.