Years after orders from the White House to beef up the security of the nation's most important computer systems, the government is having trouble identifying which organizations should be involved and how they should be coordinated, according to a new report.
President Bush's recent proposal to create a Cabinet-level Department of Homeland Security said at least 12 organizations oversee protection of important infrastructure. But the General Accounting Office, the investigating arm of Congress, said it identified at least 50 organizations already involved in such efforts, usually focused on protecting vital computer networks.
The GAO said those groups include five advisory committees, six organizations under the White House, 38 groups under executive agencies and three others. Within the Defense Department alone, the GAO found seven organizations.
Those numbers might go up. Richard Clarke, the chairman of Bush's cyber-security protection board, said the Sept. 11 terror attacks and their aftermath have caused the administration to consider broadening definitions of critical infrastructure to include national monuments and chemical industries.
"We have learned from the tragedy on Sept. 11 that our enemies will increasingly strike where they believe we are vulnerable," said Sen. Joseph Lieberman, D-Conn., who asked for the GAO report as chairman of the Governmental Affairs Committee. "As this report shows, our cyberspace infrastructure is ripe for attack today."
Clarke also noted that most of the networks needing protection are owned by private companies, universities, state and local governments and even home computer users. "This presents a unique strategic challenge," Clarke said in a letter to the GAO.
"Because 90 percent of our infrastructure is privately owned, it is essential that this government analysis and coordination extends to the private sector," Sen. Bob Bennett said in a statement. "This report reaffirms our call for information sharing."
The Utah Republican has introduced legislation that would increase information sharing and threat analysis for critical infrastructure.
The government previously defined critical infrastructures to include banks, hospitals, water and food supplies, communications networks, energy and transportation systems and the postal system.
The GAO report warned that the problem can't be solved until, at a minimum, it is well defined. "The opportunity for ensuring that all relevant organizations are addressed exists in the development of the new national strategy," it said.
Even organizations already involved are slowly discovering the scope of the problems posed by an increasingly interconnected world. An early warning network for the nation's food manufacturers recently decided it needed to coordinate with the Interior Department because that agency controls many of the country's water supplies and hydroelectric dams.
The GAO also noted that it was nearly impossible to know how much the U.S. government was spending on the protection of its infrastructure, because the organizations involved don't receive money for specific projects and don't track such spending.