The report, undertaken at the behest of the US Senate Subcommittee on Technology, Terrorism and Government Information, reviewed the role and effectiveness of the National Infrastructure Protection Center, an office led by the Federal Bureau of Investigation.
As a result of its investigation, the GAO recommended that the NIPC establish a staff of experts capable of providing analysis of computer-related threats and their potential effects; develop a comprehensive data collection and analysis framework; and develop a more clearly defined role as it relates to other government agencies and the private sector.
The NIPC's shortage of personnel and the poorly defined roles of the staff it does have are preventing it from fulfilling its main objective, which is to protect the nation's information systems from attacks by issuing early warnings of threats. Instead, the NIPC has become more reactive in nature.
"The analytical and information-sharing techniques that... are needed to protect the nation's critical infrastructures have not yet been achieved," the report says. "The NIPC... has developed only limited capabilities for strategic analysis of threat and vulnerability data. Accordingly, the NIPC is not able to provide timely information on changes in threat conditions or warnings of imminent attacks."
The report goes on to say that the NIPC is also hamstrung by the lack of information provided to it by other government agencies and private companies. It does praise the centre's work in the FBI's computer-crime investigations, where NIPC staff often provide computer forensic expertise.
The NIPC also has no clearly defined role in the government hierarchy and early-warning process, the report says, which further reduces its effectiveness.












