Inspector General Reviews of Presidential Decision
Directive 63 Implementation
Statement of
ROBERTA L. GROSS
Inspector General
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
Before
the
Senate Committee on Governmental Affairs
Hearing on “How Safe Is Our Critical Infrastructure?”
September 12, 2001
I. INTRODUCTION
As a nation, we have become more aware of the vulnerability of critical infrastructures, particularly to cyber attacks. Just consider recent NewsBites published by the SANS (SysAdmin, Audit, Network, Security) Institute.
· August 30, Invalid Worm: "The 'Invalid' Worm arrives as an attachment purporting to be a patch from Microsoft." The worm mass mails itself to users and, once launched from an attachment, encrypts executable files, rendering them unusable.
· August 31, Two Arrested in Encryption Device Export Plot: "A four month long investigation led to the arrest of two men who allegedly tried to smuggle encryption devices to China. The devices in question are designed for government use."
· August 31, British Business Group Wants Government Help With Cybercrime: "The UK's Confederation of British Industry (CBI) wants the government to take action against cybercrime by establishing a center for incident reporting and by updating the 1990 Computer Misuse Act to include attacks on computer systems. CBI says that the fear of financial losses due to cybercrime is preventing e-commerce from blossoming."
· August 29, Bank Replacing Compromised Debit Cards: "Three thousand Riggs Bank customers will receive new Visa debit cards after an apparent breach of security on a server that processes Visa transactions. While no resulting instances of credit (sic) card fraud have been reported, the bank did not want to take any chances."
Investigations by the NASA Office of Inspector General (OIG) Computer Crimes Division (CCD) result in similar articles and headlines. For example, a joint investigation by NASA OIG computer crime sleuths, the Defense Criminal Investigative Service, and the Federal Bureau of Investigation (FBI) resulted in a 16-year-old juvenile from Miami, FL, being sentenced to 6 months in a detention facility. (This was the first time a juvenile computer hacker was sentenced to serve time.) The individual admitted to illegally accessing 143 computers at the Marshall Space Flight Center, Huntsville, Alabama. He obtained and downloaded proprietary software from NASA valued at approximately $1.7 million. The software supported the International Space Station's physical environments, including control of the temperature and humidity of the living space. The juvenile's actions required that the systems be shut down, which caused delivery delays of the program software. This resulted in additional costs of $41,000 in labor and equipment replacement. He also had illegally accessed Department of Defense computer networks and obtained more than 3,300 electronic messages and 19 user names and passwords. His intrusion specifically targeted a U. S. Army procurement system computer and copied and transferred a highly sensitive password file. This activity caused a costly computer shutdown and subsequent maintenance and restoration costs.
Clearly, juvenile hacker activity can be more than a mere nuisance!
In another recent investigation by the OIG CCD, a former NASA contractor employee and two others were sentenced for using NASA computer equipment to develop programs that allowed them to illegally capture ATM account numbers and Personal Identification Numbers (PINs) to steal large sums of money from unsuspecting bank customers.
The harm caused by hackers is compounded because many hackers share their access with countless others by publicizing their exploits, tools and stolen passwords in Internet chat rooms. For example, OIG CCD agents, together with local law enforcement officials, arrested a hacker who illegally accessed a NASA computer system at one of NASA's research centers, obtained passwords and posted this information on the Internet.
The threats are also from international sources. Consider the following investigations conducted in parallel by the NASA OIG CCD and the FBI. In March 1998, CCD agents arrested one of the U. S. ringleaders of the Internet hacking group known as "ViRii". Our investigation revealed evidence about "ViRii" breaking into a large number of government, corporate, and university Internet-based systems. The NASA investigation into "ViRii" began in June 1997, when it became known that a NASA Jet Propulsion Laboratory (JPL) (Pasadena, CA) server was controlled and used by a number of U. S. and foreign hackers. The OIG CCD investigation identified the "ViRii" ringleader and others as possible suspects, including an Israeli national known as "Analyzer". In February 1998, separate attacks against other U. S. government sites caused the FBI and the Air Force Office of Special Investigations (AFOSI) to focus on "Analyzer". The FBI executed search warrants against two juveniles on February 25, 1998, in Cloverdale, California, to recover evidence of "Analyzer" related intrusions.
"Analyzer" is an Israeli citizen who was subsequently arrested in Israel based on evidence provided to Israeli authorities by a delegation of U. S. Federal Agents from the Air Force Office of Special Investigations, the FBI and the NASA CCD. The "ViRii" leader, the juveniles, and the Israeli all have been sentenced and/or adjudicated for their activities.
These examples demonstrate that network interconnectivity, while increasing productivity, clearly creates serious vulnerabilities. The threats from the network even reach into our personal lives. The Internet exposes our very identities to theft when hackers steal vital information, including social security numbers, credit card numbers, etc. The NASA OIG has published a guide on preventing identity theft through computers in a brochure, "Protect Yourself and NASA Before Getting Rid of That Old Home Computer" (http://www.hq.nasa.gov/office/oig/hq/identify/html).
Even simple acts of charity performed individually or as a government can be harmful (e.g., donating excess computers to organizations such as schools and prisons). Failure to properly and completely clear hard drives may expose confidential, sensitive, or proprietary information to unauthorized persons. The NASA OIG has issued several reports to NASA on this topic following inspections of excessed or surplused hard drives containing sensitive information. We also published a brochure, widely distributed to the Agency, the IG community, and to Congress, on the risks of carelessly excessing computers without sufficiently clearing hard drives. This brochure, "Clearing Information From Your Computer's Hard Drive," is available at http://www.hq.nasa.gov/office/oig/hq/harddrive.pdf.
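The following is an added illustration of the point above; it is not from the NASA OIG brochure or any NASA tool. It simulates a tiny FAT-style block device in memory, shows that an ordinary delete only unlinks the directory entry while the bytes stay recoverable from the raw image, and then performs a full-device overwrite followed by a read-back verification. The device layout, the file name and the "employee record" are all constructed for the example.

```python
"""
Added example, not from the NASA OIG brochure: why deleting files does not
clear a drive, and how to confirm that a sanitizing overwrite actually took.
A small FAT-style block device is simulated in memory so this runs offline;
the "sensitive" record below is a constructed sample, not real data.
"""
import re

BLOCK_SIZE = 64
NUM_BLOCKS = 32

# Constructed sample record; not a real identifier.
SAMPLE_RECORD = b"Employee record. SSN: 123-45-6789 (constructed sample)\n"


class ToyDisk:
    """Bytearray 'media' plus a directory of name -> allocated block numbers."""

    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.free = list(range(NUM_BLOCKS))
        self.directory = {}

    def write_file(self, name, data):
        """Allocate blocks from the free list and copy the data in."""
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            if not self.free:
                raise OSError("disk full")
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK_SIZE]
            self.media[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
            blocks.append(b)
        self.directory[name] = blocks

    def delete_file(self, name):
        """Ordinary delete: drop the directory entry and mark the blocks free.
        The bytes themselves are untouched, exactly as on a real filesystem."""
        self.free.extend(self.directory.pop(name))

    def raw_image(self):
        """What an examiner sees when reading the device block by block."""
        return bytes(self.media)

    def sanitize(self, pattern=b"\x00"):
        """Overwrite every block (allocated or not) with `pattern`, then read
        the whole device back and compare, so the caller gets proof the
        overwrite landed rather than trusting that it did."""
        fill = (pattern * (len(self.media) // len(pattern) + 1))[:len(self.media)]
        self.media[:] = fill
        self.free = list(range(NUM_BLOCKS))
        self.directory = {}
        return self.raw_image() == fill   # read-back verification


def carve(image, marker):
    """Search the raw image for a marker regardless of directory state."""
    return [m.start() for m in re.finditer(re.escape(marker), image)]


def demo():
    """Returns (marker hits after delete, hits after sanitize, verify result)."""
    disk = ToyDisk()
    disk.write_file("personnel.txt", SAMPLE_RECORD)
    disk.delete_file("personnel.txt")
    assert "personnel.txt" not in disk.directory      # file is "gone"
    after_delete = carve(disk.raw_image(), b"SSN:")   # ...but still on the media
    verified = disk.sanitize()
    after_wipe = carve(disk.raw_image(), b"SSN:")
    return len(after_delete), len(after_wipe), verified


if __name__ == "__main__":
    print(demo())   # expected: (1, 0, True)
```

The two properties the toy captures are the ones that matter when excessing a real drive: the overwrite has to cover the whole device, not just the files the directory still lists, and the wipe is not finished until the device has been read back and checked.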
II. PDD 63: ROLE OF INSPECTORS GENERAL
The current Administration views securing the nation's critical infrastructure as a priority. The previous Administration established this priority through the issuance of Presidential Decision Directive 63 (PDD 63) on May 22, 1998. PDD 63 sets forth the mandate to protect our Nation's critical infrastructures from acts that would significantly diminish the abilities of:
· the Federal government to perform essential national security missions and to ensure the general public health and safety;
· state and local governments to maintain order and to deliver minimum essential services; and
· the private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial, and transportation services.
PDD 63 assigns responsibilities to various groups, agencies and offices to achieve the protection of the Nation's critical infrastructure. Because of the importance of implementing this initiative, 21 agency and departmental (hereinafter agency) IGs agreed to review the progress by their agencies in carrying out their responsibilities to protect the nation's and their agencies' critical infrastructures. My office is coordinating this effort on behalf of the President's Council on Integrity and Efficiency (PCIE) and the Executive Council on Integrity and Efficiency (ECIE).
As an aside, it is fitting that IGs are reviewing their agencies' infrastructure protection readiness. Since the Revolutionary War, military IGs have been tasked with independently reviewing the combat readiness of American troops. Today, the readiness needs of this nation call for different rules of engagement, and the tools of future conflicts will be more diverse. PDD 63 was promulgated as a step in implementing an adequate defense system for future potential conflicts.
The IGs are performing this important role in the infrastructure protection of the United States by establishing a Government-wide approach for assessing each agency's readiness for this critical challenge. The approach consists of four phases. Phase I relates to the adequacy of agency planning and assessment activities for protecting cyber-based infrastructures. Phase I has been completed and will be discussed below. Phase II, the review of the implementation of cyber plans, has been deferred to allow the agencies time to develop, implement, and evaluate their plans. Phase III, now in progress, will monitor agencies' planning and assessment activities related to critical physical structures. Phase IV will review the implementation of the plans related to the critical physical structures. We anticipate that the completion of Phase III and the initiation of Phase II will occur sometime this Fall, after the IGs forward their GISR (Government Information Security Reform) reports related to their agencies' information security. The GISR effort complements PDD 63 activities.
PDD 63 PHASE I REVIEW RESULTS:
On March 21, 2001, the PCIE/ECIE issued a report to the Honorable Mitchell E. Daniels, Jr., Director, Office of Management and Budget, reflecting generally the Phase I findings of the 21 participating OIGs. Our reviews, summarized below, demonstrated collectively that the Federal Government can improve its PDD 63 planning and assessment activities for cyber-based critical infrastructures. It is, however, important to view these criticisms in the proper context; that is, because of the focus on critical infrastructure required by PDD 63, the nation is already in a better position because it is starting down the path towards a more robust effort to protect the Nation's critical infrastructure.
I will briefly highlight our collective findings in five areas:
· Misunderstanding of the applicability of PDD 63
· Imprecise performance measures
· Untimely identification of critical infrastructures
· Lack of coordinated management of PDD 63 requirements
· Failure to advance beyond the planning stage
Applicability of PDD 63
Not all agencies began to implement PDD 63. Several agencies mistakenly believed that PDD 63 only applied to the specific agencies listed in the Directive and its addendum. This misimpression was reinforced by an inaccurate interpretation by a key Federal player in overseeing the implementation of PDD 63. However, PDD 63 clearly applied to all agencies. PDD 63 Section VII, Protecting Federal Government Critical Infrastructures, provides:
Every department and agency of the Federal Government shall be responsible for protecting its own critical infrastructure, especially its cyber-based systems. Every department and agency Chief Information Officer (CIO) shall be responsible for information assurance. Every department and agency shall appoint a Chief Infrastructure Assurance Officer (CIAO) who shall be responsible for the protection of the other aspects of that department's critical infrastructure. (Emphasis supplied.)
As a result of the misinterpretation, certain agencies did not prepare the required critical infrastructure plans and did not identify minimum essential infrastructures (MEIs). MEIs are defined as "the framework of critical organizations, personnel, systems and facilities that are absolutely required in order to provide the inputs and outputs necessary to support the core processes, essential to accomplishing an organization's core mission as they relate to national security, national economic security or continuity of government services". The agencies also did not perform vulnerability assessments of their MEI assets or develop remediation plans.
Most of the agencies that did not know PDD 63 applied to them began to address the Directive requirements as a result of the IG reviews.
Performance Measures
Agencies were told they were required to achieve a level of security preparedness, or "Initial Operating Capability" (IOC), no later than December 31, 2000. However, agencies were not provided a uniform definition of IOC, and so there was no consistent implementation. For example, one agency defined IOC to mean "completion of those initial mediation measures that are identified as needed by that time during the vulnerability assessment/mitigation planning process." Representatives responsible for implementing PDD 63 in that agency said they could not understand the agency's definition of IOC. Another agency gave an entirely different definition of IOC: "(1) a broad level assessment of MEIs should be completed, (2) remediation plans should be completed for assets considered to be the most at risk, and (3) fixes should be in place for the most vulnerable assets." Without an adequate and consistent definition, the Federal Government cannot adequately measure progress towards achieving full security preparedness.
Identification of Critical Infrastructure
At the time of the reviews, for a variety of reasons, most of the agencies which had submitted Critical Infrastructure Plans (CIPs) had not identified, or had not adequately identified, their critical cyber infrastructure assets. The reasons included lack of funds, poor methodology for identifying assets, and "higher priority" work.
The Executive Branch announced a standardized but non-mandatory process for identifying critical infrastructure assets entitled "Practices for Securing Critical Information Assets." It also initiated Project Matrix, an ongoing effort that utilizes a multi-agency team evaluation to apply the Practices. Project Matrix involves a three-step process. In Step 1, the Project Matrix team identifies and prioritizes each agency's PDD 63-relevant assets. In Step 2, the team analyzes the major nodes and networks upon which the most critical assets depend and identifies significant points of failure. In Step 3, the team identifies the infrastructure dependencies associated with select assets identified in Step 1 and analyzed in-depth in Step 2. The Project Matrix guidance and process were not mandatory and generally had to be funded by the subject agency. Its success was limited by the amount of time and funds available to implement the process.
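The kind of analysis Steps 2 and 3 describe can be made concrete with a dependency graph. What follows is an added example, not Project Matrix's own method, guidance or data: each asset depends on groups of alternatives (every group must hold, and a group holds if at least one alternative is up), and a node is a single point of failure for a critical asset when removing that one node makes the asset unavailable. The asset names, the dependency structure and the list of critical assets are all constructed for the illustration.

```python
"""
Added example (not Project Matrix's own method, guidance or data): a small
dependency-graph check of the kind Steps 2 and 3 describe. Assets depend on
groups of alternatives; a node is a single point of failure for a critical
asset when removing it alone makes that asset unavailable. All names below
are constructed for illustration.
"""

# Each node maps to a list of dependency groups. Every group must be
# satisfied, and a group is satisfied if at least one of its alternatives
# is available (an AND of ORs). An empty list means no dependencies.
DEPENDENCIES = {
    "station_env_control": [["ground_network"], ["auth_service"]],
    "payroll":             [["ground_network"], ["hr_db"]],
    "auth_service":        [["ground_network"]],
    "hr_db":               [["san_storage"]],
    "san_storage":         [["utility_power", "backup_generator"]],
    "ground_network":      [["core_router"], ["utility_power", "backup_generator"]],
    "core_router":         [["utility_power", "backup_generator"]],
    "utility_power":       [],
    "backup_generator":    [],
}

# Assumed output of a Step 1 prioritization (constructed).
CRITICAL_ASSETS = ["station_env_control", "payroll"]


def available(graph, node, failed, _stack=()):
    """True if `node` still works once every node in `failed` is down."""
    if node in failed:
        return False
    if node in _stack:
        raise ValueError(f"dependency cycle through {node}")
    for group in graph.get(node, []):
        if not any(available(graph, alt, failed, _stack + (node,)) for alt in group):
            return False
    return True


def single_points_of_failure(graph, critical):
    """Map each node to the critical assets that go down if that node alone fails."""
    spof = {}
    for node in graph:
        hit = [a for a in critical if a != node and not available(graph, a, {node})]
        if hit:
            spof[node] = hit
    return spof


def prioritized(spof):
    """Rank by blast radius (most critical assets affected first), then by name."""
    return sorted(spof, key=lambda n: (-len(spof[n]), n))


def add_alternative(graph, dependent, existing, alternative):
    """Remediation step: give `dependent` a second option alongside `existing`.
    Returns a new graph; the original is left unchanged."""
    new = {n: [list(g) for g in groups] for n, groups in graph.items()}
    for group in new[dependent]:
        if existing in group and alternative not in group:
            group.append(alternative)
    new.setdefault(alternative, [])
    return new


if __name__ == "__main__":
    spof = single_points_of_failure(DEPENDENCIES, CRITICAL_ASSETS)
    for node in prioritized(spof):
        print(f"{node:20s} -> {spof[node]}")
    fixed = add_alternative(DEPENDENCIES, "ground_network", "core_router", "backup_router")
    print("core_router still a SPOF after adding backup_router:",
          "core_router" in single_points_of_failure(fixed, CRITICAL_ASSETS))
```

Two things the run makes visible that a list of assets does not: the power feed is not a single point of failure because the generator is modeled as an alternative, while the unpaired core router takes down both critical assets, and re-running the check after adding a redundant router shows whether a proposed remediation actually removes the exposure.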
Management of PDD 63 Activities
The Federal organizations primarily responsible for implementing PDD 63 did not coordinate and manage their PDD 63 activities. The following organizations are among those responsible for coordinating and/or managing PDD 63 implementation:
· The National Coordinator for Security, Infrastructure Protection and Counter-Terrorism is responsible for coordinating and implementing the Directive. The National Coordinator cannot direct departments and agencies but will ensure interagency coordination for policy development and implementation.
· The Office of Management and Budget is responsible for developing information security policies and overseeing agency practices.
· The National Institute of Standards and Technology is responsible for developing technical standards and providing related guidance for sensitive data.
· The National Security Agency is responsible for setting information security standards for national security agencies.
· The National CIAO, an interagency office, is responsible for developing an integrated National Infrastructure Assurance Plan to address threats to the Nation's critical infrastructure.
· The General Services Administration is the designated lead agency for the Federal sector.
The absence of coordinated oversight and management of PDD 63 has caused certain fundamental elements of the Directive to receive less than adequate attention. As discussed earlier, several agencies had mistakenly decided not to implement PDD 63 because they believed, based in part on guidance from a key player in PDD 63 implementation, that they were exempt from the Directive.
Advancing Beyond the Planning Phase
Some agencies have not performed vulnerability assessments of their critical infrastructure assets or prepared the related remediation plans. This condition occurred because the budget requests that the agencies submitted to OMB were rejected by OMB as not sufficiently detailed to justify funding the agencies' Critical Infrastructure Plans (CIPs) requirements. The National Plan for Information Systems Protection, Version 1.0, "An Invitation to a Dialogue," acknowledged that the quality of the agencies' CIP budget requests did not meet OMB's expectations:
Agency budget systems don't readily support collection of CIP data. Until these systems are modified, collection of information on CIP programs and budgets will be manual and inexact. The newness of CIP also means that the government is still on the steep part of a precipitous learning curve. Individual agencies are still grappling with the issue internally and the interagency process is still coming together. . . . When OMB issued its first CIP Budget Data Request (BDR) last year, it sought information at an activity level. But because of inadequate activity descriptions and data presentation problems, it was unable to consolidate the data, making it difficult to identify programmatic duplications and gaps that point up inconsistencies needing analysis and remedy. All this reduced confidence in the data.
III. NEXT STEPS
We made general suggestions to OMB based on our findings. Generally, these suggestions related to the need to better define terms, measures, and expectations set forth in PDD 63. Our suggestions also covered the need to ensure better coordination among the entities and organizations responsible for PDD 63 implementation.
We understand that in the very near future the White House will be issuing further guidance on protection of the nation's critical infrastructure. The PCIE/ECIE effort (coordinated by the NASA OIG) will play a part in this national effort by continuing the Government-wide review. This review will provide important feedback to heads of departments, OMB, other Executive entities, and the Congress. Also, individual IGs will have a vital role to play in the detection, deterrence, and prosecution of those committing cyber crimes against their victim agencies. With the Federal Government expanding e-government and e-commerce, the IGs necessarily will increase their criminal investigations in the cyberworld.
IV. CONCLUSION
PDD 63 provides an important focus on the Nation's critical infrastructure. The PCIE/ECIE found mixed progress in the Federal Government's implementation of this Directive. However, important steps have been taken. These steps must continue to ensure that our Nation has the capability to meet the growing threat of physical and computer-based attacks that potentially could cripple, disrupt and/or damage our critical infrastructure.
IGs have a unique role in assisting their agencies' critical infrastructure planning and implementation because of their ability to coordinate audit, inspection, and criminal investigation resources. They also will individually and collectively play a key role in the Nation's infrastructure protection through their reviews and cybercrime investigations.