According to the July 2002 Office of Homeland Security's, "National Strategy for Homeland Security," terrorists may seek to cause widespread disruption and damage, including casualties, by attacking electronic and computer networks which are linked to other critical infrastructures. Terrorist groups exploit new information technology and the Internet to plan attacks, raise funds, spread propaganda, collect information, and communicate securely. Cyber attacks are anticipated to become an increasingly significant threat as terrorists further develop their technical capabilities and become more familiar with potential targets.

The February 2003 Office of Homeland Security's National Strategy to Secure Cyberspace indicates that a spectrum of malicious actors can and do conduct attacks against our critical information infrastructures.⁷ Of primary concern is the threat of organized cyber attacks capable of causing debilitating disruption to the nation's critical infrastructures, economy, or national security. The required technical sophistication to carry out such an attack is high and partially explains the lack of a debilitating attack to date. However, there have been instances where attackers have exploited vulnerabilities that may be indicative of more destructive capabilities.

According to the National Plan for Information Systems Protection, the threat is that a group or nation hostile to the United States will seek to "inflict economic damage, disruption and death, and degradation of our defense response" by attacking our critical infrastructure. Presidential Decision Directive 63 (PDD 63) requires that the Department of Justice's (Department) critical infrastructure protection plans include an inventory of the Department's mission-essential assets, an assessment of each asset's vulnerabilities, and plans to remediate those vulnerabilities.

The terrorist attacks of September 11, 2001, prompted the Attorney General to make counterterrorism the Department's highest priority. The Department reflected this new priority in its Strategic Plan for Fiscal Years 2001 - 2006, which was issued in November 2001. In the Strategic Plan, the Attorney General recognized that in the fight against terrorism, the Department would need to improve the integrity and security of computer systems and make more effective use of information technology. PDD 63 issued in May 1998 called for a national effort to assure the security of the nation's critical infrastructure. The critical infrastructure consists of physical and computer-based systems essential to the minimum operations of the economy and government. This includes, but is not limited to telecommunications, banking and finance, energy, transportation, and essential government services. The minimum essential infrastructure (MEI) is the framework of critical organizations, personnel, systems, and facilities that are absolutely required in order to provide the inputs and outputs necessary to support the core processes essential to accomplishing an organization's core mission as they relate to national security, national economic security, or continuity of government services.

PDD 63 requires that agencies take measures to eliminate any significant vulnerability to both physical and cyber attacks on the nation's critical infrastructures. Each federal department and agency was required to prepare a plan for protecting its own critical infrastructure, including an inventory of the department's or agency's mission-essential assets and an assessment of the vulnerabilities of those essential assets.

Under PDD 63, by December 2000 departments and agencies were to have assessed information system vulnerabilities and adopted a multi-year funding plan to remedy the vulnerabilities. By May 2003, departments and agencies were to have achieved "full operating capability." The National Plan for Information Systems Protection, Version 1.0, issued by the Critical Infrastructure Assurance Office (CIAO), describes full operating capability as the ability to ensure that any interruption or manipulation of critical functions is "brief, infrequent, manageable, geographically isolated, and minimally detrimental to the welfare of the United States." The Draft Critical Infrastructure Protection (CIP) Plan indicates that full operating capability for the Department is comprised of:

• identifying the MEI, interdependencies, vulnerabilities, and developing plans to address the vulnerabilities;

• detecting attacks and unauthorized intrusions;

• sharing attack warning and information in a secure and timely manner; and

• responding to attacks, and reconstituting and recovering assets that were subject to attacks.

A. The Department's Management of Critical Information Technology Assets

The Justice Management Division (JMD) develops, promulgates, and reviews implementation of departmentwide policies, standards, and procedures for the management of automated information processing resources. Within JMD, the Chief Information Officer (CIO) has oversight responsibility for the implementation of CIP within the Department. Within the Office of the CIO, the Information Technology Security Staff (ITSS) has primary responsibility for critical infrastructure planning and implementation.⁸

The ITSS was established within the Office of the CIO in May 2003, and its 14-member staff is responsible for developing and implementing policies and procedures for IT investment management and information systems security programs. Prior to May 2003 the responsibilities now managed by the ITSS were managed by the IMSS. With the change of name in May 2003, the ITSS retained the prior staff of the IMSS and the prior IMSS's responsibilities for oversight of the CIP program. In addition, the ITSS gained responsibility from JMD Computer Services Staff (CSS) for managing the Department of Justice Computer Emergency Response Team (DOJCERT). The DOJCERT assists component organizations with incident handling and resolution, and it is the centralized reporting entity for the Department. All components are required to report incidents to the DOJCERT. The DOJCERT issues any necessary alerts to components and external agencies.

Within the Department, critical infrastructure protection is a shared responsibility among JMD and various component organizations. Each component aids the IMSS in identifying its MEI, developing remediation and funding plans, and ensuring the implementation of the plans. JMD is responsible for coordinating the departmentwide effort and ensuring that the components comply with applicable requirements.

In our November 2000 report on "Department Critical Infrastructure Protection - Planning for the Protection of Computer Based Infrastructure," we stated that as required by PDD 63, JMD submitted the Department's initial critical infrastructure plan to the CIAO in November 1998 (November 1998 Plan). In January 1999, the Expert Review Team returned the results of its review and asked the Department to revise the plan accordingly.⁹ The Department addressed some of the Expert Review Team's comments and submitted its revised plan to the CIAO in April 1999.

In response to the Department's new priorities following September 11, 2001, JMD made changes in its strategic priorities and business practices. Among these changes, JMD issued guidance that there would be an equal emphasis on the protection of critical assets, whether physical, personnel, or cyber-based. A revalidated MEI was completed December 2002. The revalidation process incorporated the change in emphasis on physical assets and personnel, a 72-hour loss criteria developed by the CIAO, and changes in the goals and strategic objectives in the Department's Strategic Plan.

The Department's MEI has evolved over time as a result of policy changes and JMD's refinement of its inventory of critical assets. The December 2002 version of the MEI consists of 21 systems from three Department components - the Drug Enforcement Agency (DEA), Federal Bureau of Investigation (FBI), and JMD. By contrast, the January 2001 version of the MEI consisted of 20 systems from those same components and the Immigration and Naturalization Service (INS). Both inventories are contained in Appendix 5 of this report. When the MEI was revalidated in December 2002, eight assets were removed from the January 2001 version, and nine others were added. During the period of our review, the IMSS, at various times, had CIP oversight responsibilities for 29 critical assets.¹⁰

B. Framework for Assessing Adequacy of CIP Program

In 1999 the President's Council on Integrity and Efficiency (PCIE) initiated a governmentwide review of the nation's critical infrastructure assurance program.¹¹ The review is being completed in four phases. The objective of the Phase 1 review was to assess the adequacy of the agency planning and assessment activities for protecting critical cyber-based infrastructures. The objective of Phase 2 was to assess the adequacy of agency implementation activities for protecting their critical cyber-based infrastructure. In Phase 3 we assessed the adequacy of agency planning and assessment activities for protecting the Department's critical noncyber-based infrastructures. The objective of Phase 4 will be to assess the adequacy of implementation activities for protecting noncyber-based infrastructures. In the Department, we previously completed audits for Phases 1 and 3.¹² This audit is performed as part of Phase 2 of the PCIE effort.

During Phase 1, we reviewed the adequacy of Department plans, asset identification efforts, and initial vulnerability assessments. Over 20 Inspectors General conducted similar audits in their own agencies as part of an effort sponsored by the PCIE. The Phase 1 report, issued November 2000, stated that the Department had submitted its initial critical infrastructure protection plan to the CIAO as required. The Phase 1 report also stated that the Department revised its initial plan according to comments received from an Expert Review Team.

Our Phase 1 audit assessed the Department's compliance with the following requirements:

• development of a CIP Plan;

• Expert Review Team Review;

• appointment of a Chief Infrastructure Assurance Officer;

• identification of cyber-based MEI;

• vulnerability assessments;

• risk mitigation plans to stem potential damage from each vulnerability;

• establishment of an emergency management program;

• incorporation of critical infrastructure into strategic planning and the performance measurement framework;

• identification of resource and organizational requirements;

• development of a program to ensure that the Department has the personnel and skills necessary to implement a sound infrastructure protection program; and

• establishment of effective CIP coordination with other applicable entities (foreign, state and local governments, and private industry).

Asset identification efforts are the Department's measures employed to identify its MEI. The Department's CIP Plan indicated that the methodology to identify its MEI was to create a rank-ordered list of assets including a brief description of the asset, location, specific mission-based criteria used to identify the asset, estimated replacement costs, planned life cycle, and a brief statement as to the potential impact of the asset not being available.

A vulnerability assessment is a systematic examination of the ability of a system or application, including current security procedures and controls, to withstand assault. Agencies use vulnerability assessments to identify weaknesses that could be exploited and to predict the effectiveness of additional security measures in protecting critical assets from attack. The outcome of the assessment is a list of flaws or omissions in controls that may affect the integrity, confidentiality, accountability, and availability of resources that are essential to critical assets.

In Phase 2 of the governmentwide PCIE review, the subject of this report, we audited the adequacy of implementation activities for protecting critical cyber-based infrastructures. Specifically, we assessed the adequacy of agency activities in the following areas: 1) risk mitigation; 2) emergency management; 3) interagency coordination; 4) resource and organizational requirements; and 5) recruitment, education, and awareness.

Risk mitigation involves the selection and implementation of security controls to reduce risk to a level acceptable to management. Risk mitigation follows the Department's identification of critical assets and performance of a vulnerability assessment that identifies weaknesses that could be exploited.

The goal of the emergency management program is to minimize the known vulnerabilities associated with the most critical asset and infrastructure dependencies in an expeditious and cost-effective manner, and to permit the operations of critical functions in the event of disruptions. The emergency management program should include such items as indications and warnings (of an attack), incident collection, reporting and analysis, response and continuity-of-operation plans, and plans to reconstitute minimum required capabilities following a successful attack.

Interagency coordination is important because many federal government programs rely on the resources of other government agencies to fulfill their missions. Because of such reliance, the Department should identify and characterize the level to which Department assets provide support to other government agencies. Additionally, it is necessary to identify liaisons, and the nature of the coordination link between the entities.

Recruitment refers to the Department's efforts to acquire highly skilled information technology (IT) security personnel to implement the CIP program. Education, training, and awareness are also necessary to the successful implementation of any information security program. These three elements are related, but the elements involve distinctly different levels of learning. Training is geared to understanding the security aspects of the particular IT systems and applications that the individual uses. Education differs from training in both breadth and depth of knowledge and skills acquired. Security education, including formal courses and certification programs, is most appropriate for an organization's designated security specialists. Awareness is not training but is a prerequisite to it. The purpose of an awareness program is to focus attention on security. Awareness provides a baseline of security knowledge for all users, regardless of job duties or position.

In our Phase 3 report, issued November 2001, we reviewed the adequacy of the Department's planning and assessment activities for protecting its critical noncyber-based infrastructures. Specifically, we assessed the adequacy of agency plans, asset identification efforts, and initial vulnerability assessments of personnel and physical assets. The report indicated that the Department had not yet: 1) adequately identified all of its mission essential assets, 2) assessed the vulnerabilities of each of its systems, 3) developed remedial action plans for identified vulnerabilities, and 4) developed a multi-year funding plan for reducing vulnerabilities.

Phase 4, if pursued, will target the adequacy of implementation activities for protecting critical noncyber-based infrastructures. Specifically, it will review the adequacy of agency activities in the following areas: risk mitigation; emergency management; interagency coordination; resource and organizational requirements; and recruitment, education and awareness.

C. Prior Office of the Inspector General Reports

We have recently performed two types of audits relevant to the Department's management of critical infrastructure. These audits are: 1) program audits of JMD's CIP management efforts and 2) computer security audits performed pursuant to the Government Information Security Reform Act (GISRA).¹³

1. Program Audits

In our November 2000 report on "Department Critical Infrastructure Protection - Planning for the Protection of Computer Based Infrastructure," we found that the Department had not yet: 1) identified adequately all of its mission-essential assets, 2) assessed the vulnerabilities of each critical asset, 3) developed remedial action plans for identified vulnerabilities, and 4) developed a multi-year funding plan for reducing vulnerabilities. As a result, the Department's ability to perform certain vital missions was at risk from terrorist attacks or similar threats.

Specifically, the Department's identification of mission-essential assets did not meet the intent of PDD 63 because it did not include personnel, interdependencies, and a complete list of facilities. Further, the methodology used did not link the MEI to those Department missions absolutely necessary to national security, national economic security, or the continuity of government services, and it did not document the criteria used to select each asset.

Additionally, in our November 2000 report, we noted that the Department decided not to fund an adequate vulnerability assessment. The vulnerability assessment included in a draft plan differed from the assessment plan in the previous version. The draft plan was based on a framework sponsored by the CIAO and reviewed by the Expert Review Team, two organizations outside of the Department with responsibility for implementing PDD 63. The revised vulnerability assessment was based on a review of past audits, compliance reviews, and assessments. As a result, the Department had not developed an inventory of flaws or omissions in controls (vulnerabilities) that may affect the integrity, confidentiality, accountability, and availability of resources that are essential to critical assets.¹⁴ Department officials said that vulnerability assessments would be performed as part of a certification and accreditation (C&A) process as ordered by the Assistant Attorney General for Administration.¹⁵

In our November 2001 report on "Department Critical Infrastructure Protection - Planning for the Protection of Physical Infrastructure," we found that the Department had not yet: 1) adequately identified its physical MEI, 2) ensured that complete vulnerability assessments of all of its physical mission-essential assets have been performed, 3) developed plans to remediate weaknesses identified in the vulnerability assessments of its physical MEI, and 4) developed a multi-year funding plan for reducing vulnerabilities. While the Department initially disagreed with the results of this audit, in May 2003 JMD agreed to carry out the recommended corrective action.

2. GISRA Audits¹⁶

For FY 2001, we audited the security of four classified and five SBU computer systems. We issued two separate reports consolidating our results, one for unclassified systems and one for classified systems.¹⁷ The report on SBU systems was issued without recommendations. Both reports stated that the Department did not adequately:

• identify and assess risks to determine needed security measures,

• establish and implement policies and controls to meet those needs,

• promote awareness so that users understand the risks and the related policies and controls required to mitigate them, or

• monitor and evaluate established policies and controls to ensure that the policies and procedures were both appropriate and effective.

Three of the five SBU systems tested had one or more of the following vulnerabilities related to contingency planning.

• Restoration priorities were not identified and an interagency agreement did not exist for the alternative processing site.

• Contingency plans were not properly reviewed or approved.

• Contingency plans were not tested.

• Contingency plan training was not conducted.

D. General Accounting Office Reports

The General Accounting Office (GAO) has conducted several reviews of CIP-related efforts within the government. The following reports are among its most recent in areas related to CIP.

In a January 2003 report titled "Protecting Information Systems Supporting the Federal Government and the Nation's Critical Infrastructures" (GAO-03-121), the GAO noted cyber CIP as a high-risk area because, in part, terrorist groups and others have stated their intentions of attacking critical infrastructures. Failure to adequately protect these infrastructures could adversely affect national security, economic security, and/or public health and safety. The GAO acknowledged that improvements are underway. The GAO reported that recent audits of 24 of the largest agencies continue to identify significant information security weaknesses that put critical federal operations and assets in each of these agencies at risk.

In an October 2001 report titled "Information Sharing - Practices that Can Benefit Critical Infrastructure Protection" (GAO-02-24), the GAO noted that information sharing and coordination among organizations are central to producing comprehensive and practical approaches and solutions to combating computer-based threats. The GAO indicated that trust is the essential underlying element to successful information-sharing relationships. The GAO identified three other critical factors for successful information-sharing relationships:

• establishing effective and appropriately secure communication mechanisms (such as regular meetings and secure websites),

• obtaining support of senior managers at member organizations regarding the sharing of potentially sensitive member information and the commitment of resources, and

• ensuring organization leadership continuity.

The GAO noted that one of the most difficult challenges was overcoming organizations' initial reluctance to share information. Other challenges included: 1) developing agreements on the use and protection of shared information, 2) obtaining adequate funding to cover the cost of items such as websites and meetings while avoiding seeking contributions intended primarily to promote the interests of an individual organization, 3) maintaining a focus on emerging issues of interest to members, and 4) maintaining professional and administrative staff with appropriate skills.

7. On March 1, 2003, the Department of Homeland Security (DHS) was created, and all of the functions and duties of the Office of Homeland Security were transferred to it. The National Strategy to Secure Cyberspace is an implementing component of the National Strategy of Homeland Security.
8. Prior to September 11, 2002, JMD Security and Emergency Planning Staff (SEPS) had oversight for information technology (IT) security for the classified systems of the Department and Information Management and Security Staff (IMSS) had oversight for the sensitive but unclassified (SBU) systems. Since that time, the CIO is responsible for overseeing and implementing security policy and practices for both National Security Information (NSI) and SBU systems. The standards, procedures, and guidelines are coordinated with the Department's Security Officer.
9. PDD 63 created an interagency Expert Review Team. The Expert Review Team reviewed and commented on agency plans in accordance with a set of essential plan elements to ensure quality, continuity, and effective implementation of agency plans to protect critical infrastructures.
10. During the course of our audit, the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) joined the Department of Justice and the INS transferred to the DHS. The CIP efforts that we evaluated did not include any CIP efforts associated with the ATF, except as noted on page 23.
11. The PCIE, comprising all Presidentially-appointed Inspectors General, coordinates interagency and intra-entity audit, inspections, and investigations dealing with governmentwide issues of waste, fraud, and abuse. See Appendix 7 for more details on the PCIE.
12. The PCIE/ECIE (Executive Council on Integrity and Efficiency) delayed the Phase 2 Review until after Phase 3 to allow agencies sufficient time to implement their CIP programs.
13. Beginning in November 2000, GISRA required the Office of the Inspector General (OIG) to perform independent evaluations of the Department's information security program and practices. Beginning in FY 2003, these audits are now being conducted under the provisions of Federal Information Security Management Act of 2002.
14. In Finding 6 of this report, we provide an assessment of JMD's corrective actions with regard to the findings of our November 2000 report.
15. Certification consists of a technical evaluation of a sensitive application to see how well it meets security requirements. Accreditation is the official management authorization for the operation of the application and is based on the certification process as well as other management considerations.
16. In fulfilling its FY 2002 GISRA review requirements, the OIG reported on both classified and SBU systems in its "Independent Evaluation Pursuant to the Government Information Security Reform Act Fiscal Year 2002 Consolidated Report," Report Number 03-19. The report is a classified document and has not been released publicly.
17. The report for the unclassified systems is "Summary of the Independent Evaluation Pursuant to the Government Information Security Reform Act, Fiscal Year 2001 Sensitive But Unclassified Systems," Report Number 02-18. The report for the classified systems is "Summary of the Independent Evaluation Pursuant to the Government Information Security Reform Act, Fiscal Year 2001 Classified Systems," Report Number 02-21.