GAO: Computer Infrastructure Security Needed

In a report issued just one day after the U.S. terrorist attacks, the General Accounting Office (GAO) offered testimony before the Senate's Committee on Governmental Affairs that poor information security on interconnected computer systems to support federal and private operations and infrastructures -- including the energy industry -- "could have potentially devastating implications for our country." GAO found that federal computer systems are "riddled with weaknesses that continue to put critical operations and assets at risk."

Among other things, the GAO found that information sharing and coordination among private-sector and government organizations are "essential for thoroughly understanding cyber threats and quickly identifying and mitigating attacks," but only one industry so far -- the electric power industry -- had thus far formed a two-way information-sharing partnership with the National Infrastructure Protection Center (NIPC), an interagency center housed in the Federal Bureau of Investigation. The NIPC provides analysis, warning and other response capabilities for combating computer-based attacks.

Joel C. Willemssen, managing director of GAO's Information Technology Issues division, testified that while computer interconnectivity, especially in the use of the Internet, has revolutionized the way the U.S. government conducts business with the rest of the world, it "poses significant risks to our computer systems, and more important, to the critical operations and infrastructures they support." Among other things, Willemssen named power distribution on the list of industries that depend on the security of their computer operations, and "if not properly controlled, allow individuals and organizations to inexpensively eavesdrop on or interfere with these operations from remote locations for mischievous or malicious purposes, including fraud or sabotage."

The GAO noted in its Sept. 12 report that "attacks and disruptions are growing," citing the number of computer-security incidents reported to the CERT Coordination Center rose to 21,756 in 2000, up from 9,859 in 1999. For the first six months of 2001, there were 15,476 incidents reported. "Recent attacks over the past two months illustrate the risks. These attacks, referred to as Code Red, Code Red II and SirCam, have affected millions of computer users, shut down web sites, slowed Internet service and disrupted business and government operations," already causing "billions" in damage to government and business operations, including these examples:

The White House had to change its web site address;

The Department of Defense had to briefly shut down its public web sites;

The US. Treasury's Financial Management Service had to disconnect its infected systems from the Internet;

Users of Qwest's high-speed Internet service nationwide had outages; and

Federal Express deliveries had been delayed.

Although it did not cite any trading site problems, Willemssen said in written testimony, "As greater amounts of money are transferred through computer systems, as more sensitive economic and commercial information is exchanged electronically, and as the nation's defense and intelligence communities increasingly rely on commercially available information technology, the likelihood that information attacks will threaten vital national interests increases. In addition, the disgruntled organization insider is a significant threat, since such individuals with little knowledge about computer intrusions often have knowledge that allows them to gain unrestricted access and inflict damage or steal assets."

Of the four information sharing and analysis centers that have been established as focal points for infrastructure sectors, a two-way partnership with the power industry was the only one cited as successful, GAO noted. The "indications, analysis and warning program" established with the North American Electric Reliability Council (NERC) on behalf of the power industry has provided useful information to both the NIPC and industry, and could offer a model for other industry sectors' efforts, said GAO.

Also, because the power industry and the FBI already have established a working relationship, it can build on the existing work. NERC is encouraging industry to voluntarily supply the NIPC with information on unscheduled outages, degraded operations and threats to facilities, activities and information systems.

The GAO testimony, found in its report, "Critical Infrastructure Protection: Significant Challenges in Protecting Federal Systems and Developing Analysis and Warning Capabilities" is available on the web site at www.gao.gov, and was released Sept. 12.

©Copyright 2001 Intelligence Press Inc. All rights reserved. The preceding news report may not be republished or redistributed, in whole or in part, in any form, without prior written consent of Intelligence Press, Inc.