A congressionally appointed panel of national security experts yesterday recommended the creation of a National Homeland Security Agency (NHSA) to oversee government and private sector efforts to protect the nation's critical infrastructure from cyber- and physical attacks.
The U.S. Commission on National Security, headed by former senators Gary Hart and Warren B. Rudman, urged the Bush administration to form the new agency and to include a National Crisis Action Center as a "focal point for monitoring emergencies and for coordinating federal support in a crisis to state and local governments, as well as to the private sector."
Some analysts said they were doubtful, however, whether a proposal for a new security agency would fly, given the large number of agencies and organizations seeking the same funds and authority.
Central to the new agency would be a directorate of critical infrastructure protection (CIP) that would manage cyberdefenses for the various sectors of the economy, including banking and finance, telecommunications, transportation and utilities. Most of the nation's critical infrastructure is owned and operated by private sector companies.
"An attack on any one of several highly interdependent networks can cause collateral damage to other networks and the systems they connect," the report states. "Some forms of disruption will lead merely to nuisance and economic loss, but other forms will jeopardize lives. One need only note the dependence of hospitals, air-traffic-control systems and the food processing industry on computer controls to appreciate the point."
According to the commission's recommendations, the CIP directorate would have two primary responsibilities. The first would be to oversee the physical assets and information networks that make up the U.S. critical infrastructure. The second would be to coordinate government and private sector efforts to address the nation's vulnerability to electronic or physical attacks.
"In partnership with the private sector, where most cyberassets are developed and owned, the Critical Infrastructure Protection Directorate would be responsible for enhancing information sharing on cyber- and physical security, tracking vulnerabilities and proposing improved risk management policies and delineating the roles of various government agencies in preventing, defending and recovering from attacks," the report says.
That effort is now done through a maze of different agencies and private sector partnerships, such as the National Infrastructure Protection Center, the Critical Infrastructure Assurance Office and the various information-sharing centers formed in the private sector. As a result, the commission recommended that the Bush administration consolidate these efforts.
"To do this, the government needs to institutionalize better its private sector liaison across the board with the owners and operators of critical infrastructures, hardware and software developers, server [and] service providers, manufacturers [and] producers and applied technology developers," the report says.
The commission's report, "Road Map For National Security: Imperative For Change," is the third installment of a three-phase study of how the U.S. can best face new and emerging threats posed by the spread of technology and weapons of mass destruction. However, it comes at an important time for the CIP effort, which is struggling to define itself in the face of rising criticism about its inability to share information in a timely manner and calls for a more centrally managed program.
"I think the commission may have done a disservice to infrastructure protection by tying it to the unachievable goal of creating a new agency," said Steven Aftergood, an analyst at the Federation of American Scientists in Washington. "In the absence of an actual crisis, the existing national security bureaucracy is unlikely to permit the establishment of a major new competitor for authority and funds," he said.
Harris Miller, president of the Information Technology Association of America, which was instrumental in forming the IT sector's Information Sharing and Analysis Center (IT-ISAC), said organizations like the ISACs don't want to duplicate the efforts of other groups, and they try to work closely together to avoid the problem.
"The creation of the ISACs does not mean the end of the other organizations and the role they play," said Miller. "Rather, they are complementary."
However, with a Congress split down the middle and a profound lack of consensus about security policy, any attempt at a sweeping reorganization right now seems doomed, said Aftergood. "Infrastructure protection will have to proceed on its own track," he said.
This story, "Panel wants cyberdefense agency," was originally published by Computerworld.