Critical Infrastructure Protection: Comments on the National Plan for Information Systems Protection, Statement for the Record by Jack L. Brock, Jr., Director, Governmentwide and Defense Information Systems, Accounting and Information Management Division, Testimony before the Subcommittee on Technology, Terrorism and Government Information, Committee on the Judiciary, U.S. Senate
Government officials are increasingly concerned about computer attacks from individuals and groups with malicious intentions, including terrorists and nations engaging in information warfare. The dramatic rise in the interconnectivity of computer systems has compounded this threat. Today, massive computer networks provide pathways among systems that, if not properly secured, can be used to gain unauthorized access to data and operations from remote locations. The National Plan for Information Systems Protection calls for strengthening the defenses against threats to critical public and private-sector computer systems--particularly those supporting public utilities, telecommunications, finance, emergency services, and government operations. The Plan is intended to begin a dialogue and help develop plans to protect other elements of the nation's infrastructure, including the physical infrastructure and the roles and responsibilities of state and local governments and private industry. In GAO's view, the Plan is an important and positive step toward building the cyber defenses necessary to protect critical information and infrastructures. It (1) identifies the risks arising from the nation's dependence on computer networks for critical services, (2) recognizes the need for the federal government to take the lead in addressing critical infrastructure risks and to serve as a model for information security, and (3) outlines key concepts and general initiatives to help achieve these goals. Opportunities exist, however, to improve the Plan and address significant challenges to building the public-private partnership necessary for comprehensive infrastructure protection. GAO believes that, rather than emphasizing intrusion detection capabilities, the Plan should strive to provide agencies with the incentives and the tools to implement the management controls essential to comprehensive computer security programs. Also, the Plan relies heavily on legislation and requirements already in place that, as a whole, are outmoded and inadequate as well as poorly implemented by the agencies.