The director of the U.S. Federal Bureau of Investigation unit charged with investigating computer crimes and issuing cyberthreat warnings to businesses and federal agencies said yesterday that a congressional report on the progress his organization has made to date was "fair" but that critics have ignored the agency's lack of resources to do more.
Ronald Dick, director of the National Infrastructure Protection Center (NIPC), said that a report released yesterday by the U.S. General Accounting Office, which evaluated the role and performance of the NIPC, highlighted more accomplishments than shortcomings.
For example, the report praised the NIPC's outreach initiatives, as well as its development of effective crisis management teams to respond to potentially serious cybersecurity incidents. The NIPC's main deficiency, however, remains its inability to provide timely "strategic" analysis and warnings of cyberthreats, according to the GAO, the investigative arm of Congress. However, the report also alludes to the failure of senior administration and congressional leaders to better define the NIPC's role and responsibilities.
According to the GAO report, the NIPC has operated with just 13 of the 24 analysts that are needed to analyze and produce timely information on strategic cyberthreats.
"Frankly, their conclusions are right," said Dick, a 24-year veteran of the FBI, who took the helm of the NIPC in March. "There aren't enough resources at the NIPC" to do the type of strategic warning that critics of the center have been calling for, he said.
However, the focus of early press reports, some of which specifically highlighted the NIPC's inability to effectively warn of virus outbreaks, didn't accurately reflect the overall mission of the NIPC, said Dick. "You don't want the NIPC solely in the virus-warning business," he said. There are plenty of other organizations that do that, including dozens of antivirus companies, he said.
The GAO study comes as the Bush administration is undertaking a top-to-bottom review of federal cybersecurity programs that will form the foundation for the next version of the national plan to defend cyberspace. That plan, which is being led by Cisco Systems Inc.'s Ken Watson, who is also president of the Partnership for Critical Infrastructure Protection, an industry alliance, as well as Dick Clarke, the White House's national coordinator for security, infrastructure protection and counterterrorism, is scheduled for release later this year.
Although the GAO report notes that the results of information-sharing efforts between government agencies and individual businesses have been "mixed," experts who are directly involved in coordinating the effort said those shortcomings aren't exclusively the fault of the NIPC. In fact, while the NIPC has enrolled more than 500 companies in its information-sharing program known as InfraGard, only one of the four industry-led Information Sharing and Analysis Centers (ISAC) -- that of the electric power industry -- has set up a two-way information-sharing partnership with the NIPC, according to the GAO report.
"Right now, what we have is a series of stovepipes," said Clarke, during a keynote speech at the Trust in the Internet conference, sponsored by the Information Technology Association of America. Although there exists "a series of rich deposits" of data on vulnerabilities and threats, there is "very little capability to do data mining across the public/private gap," said Clarke. "The expertise lies far more outside the government than in."
Since lawmakers in the Senate postponed yesterday's hearing on the GAO report, Howard Schmidt, chief security officer at Microsoft Corp. and chairman of the IT industry ISAC, said he spent most of the day in meetings on Capitol Hill answering questions about what organizations like the NIPC need to be more effective.
"We've been doing information sharing for a very long time," said Schmidt. "The barriers are not as dramatically difficult as we often make them appear. Fundamentally, [the NIPC] needs resources."
Dick said additional resources, including expertise from the Department of Energy and the intelligence community, have been requested as part of the overall FBI budget. However, "these are very austere budget times, and we have to compete with everybody else," he said.
There's no other place in government, said Dick, where all of the information necessary to do national-level cybersecurity analysis and warning can be collected and processed legally. "I don't see the NIPC going away," he said.
However, the role of the NIPC remains a contentious issue on Capitol Hill, where the national security community has complained of what they see as the NIPC's inability to share strategic warning information in a timely manner. "To the NIPC, everything looks like a criminal investigation," said one source, who requested anonymity. "This has been going on for far too long."
Kim Kotlar, an assistant to U.S. Rep. Mac Thornberry (R-Texas), declined to comment specifically on the role of the NIPC but said the issue of cybersecurity "goes way beyond the Justice Department and way beyond the role of the federal government." Thornberry recently introduced legislation that would roll up various federal agencies, including the NIPC, into a new National Homeland Security Agency.
Frank Cilluffo, co-chairman of the Cyber Threats of the Future Task Force at the Center for Strategic and International Studies, a policy think tank in Washington, said the FBI should be "leveraging its strength and its core competency, which is investigations," but that it isn't suited culturally to deal with the whole problem of national cybersecurity.
Tracking every computer virus that pops up, for example, is "probably mission impossible," said Cilluffo. "They can't be responsible for everything."