Untitled Document

"IMPROVING OUR ABILITY TO FIGHT CYBERCRIME: OVERSIGHT OF THE NATIONAL INFRASTRUCTURE PROTECTION CENTER"
Senate Judiciary Committee
Statement of U.S. Senator Dianne Feinstein
July 25, 2001

Introduction
It is my pleasure to welcome everyone to this hearing of the Subcommittee on Technology, Terrorism, and Government Information. The hearing will be on a General Accounting Office report on the National Infrastructure Protection Center or NIPC, as it is called for short.

The NIPC is the leading government body that combats cybercrime and cyberterrorism. This is the first hearing I have chaired of this subcommittee.Thus, I am especially pleased that the hearing will cover all three parts of the subcommittee's name: technology, terrorism, and government information.

NIPC
NIPC, which was only founded a few years ago, has a broad mission to prevent, warn against, analyze, and respond to cyberattacks. However, many experts within both the government and the private sector have suggested that NIPC has not fulfilled this mission.

First, critics have argued that NIPC has done a poor job at analyzing and warning against cyber threats and attacks. For example, some have said that NIPC's efforts to provide warnings about the May 2000 "Iloveyou" virus and the February 2000 distributed denial of service attacks on major Internet sites were slow and inadequate.

Second, while NIPC was intended to be an interagency organization, critics have contended that the FBI has dominated the NIPC and has done a poor job coordinating with other federal agencies in fighting cybercrime.

Third, critics have suggested that NIPC has not done a good job at ensuring information sharing between the NIPC and private sector and government entities. For instance, NIPC has established a two-way, information-sharing partnership with only one private organization: the information sharing and analysis center or ISAC for the electric power industry.

That is why Senator Kyl, Senator Grassley, and I asked GAO to examine NIPC's operations and report back findings and recommendations.

The GAO report generally confirms problems identified by critics of the NIPC.

First, the report finds that, while NIPC has issued many analyses of individual incidents, it hasn't done good job at developing strategic analysis of threat and vulnerability data. This is because of NIPC's failure to adopt a methodology to analyze strategic cyberthreats, lack of adequate staff expertise, and an absence of sufficient industry-specific data on vulnerabilities. The result has been confusion about NIPC's role and responsibilities.

The report also finds that the NIPC has not done enough to establish information-sharing and cooperative relationships with the private sector and other government agencies.

According to GAO, the NIPC should:

• create procedures to ensure more information sharing with ISACs
• make more progress in developing a database of the most important components of the nation's critical infrastructures–what is called the Key Asset Initiative, and
• develop better relationships with the Defense Department and law enforcement and civilian agencies.

The report also concludes that NIPC has generally done good investigative field work. However, NIPC still needs additional resources and new procedures to ensure that information flows more efficiently from the field to the NIPC.

I am pleased that the NIPC has taken the GAO's investigation very seriously and shows every intention of improving its operations. In fact, the NIPC made several improvements during the GAO audit itself. For example, until recently, NIPC has generally not done much to recruit companies to its InfraGard program, a voluntary information sharing network for private companies. However, just in the last six months, NIPC has tripled the number of InfraGard members.

Spending to combat terrorism
As we conduct oversight over the NIPC, I believe we also need to look broadly at how and why the government spends money on combating cyberterrorism–and terrorism in general.
This is why yesterday, Senator Kyl, Senator Graham, Senator Shelby, Congressman Sensenbrenner, Congressman Conyers, and I have asked for the first "top to bottom" review of the government budget to combat terrorism. This review will be conducted by GAO and the Senate Intelligence Committee audit staff.

This fiscal year, the terrorism budget was over $12 billion. Just 3 years ago, it was less than $8 billion. That is a lot of money. It is also a huge increase in appropriations in just a few years. We want to be sure that the government is budgeting for and spending this money appropriately and efficiently.

I look forward to hearing testimony from the witnesses today and working with subcommittee members on cyberterrorism and other terrorism issues. I would now like to turn to my good friend, Senator Kyl, the ranking member of the subcommittee, to see if he wishes to make a statement.