The report, expected to be released Tuesday by the General Accounting Office, the investigative arm of Congress, says that while some of the center's more than 80 warnings about computer attacks since 1998 were issued in time to avert damage, most, especially those related to viruses, came when the attacks were already under way.
The GAO report echoes similar criticism by security experts and industry groups of the FBI's $27-million-a-year National Infrastructure Protection Center, the government's centerpiece in its cyber-protection efforts. It comes amid a string of recent embarrassments for the bureau, including disclosures about an alleged spy for Russia within its ranks and failures to turn over documents in the death-penalty trial of convicted bomber Timothy McVeigh.
The center, in operation since 1998, suffers from poor morale, inadequate staffing and a lack of expertise, the report says, and doesn't do a good job of cooperating with other agencies or private groups. The center is staffed by FBI agents, with assistance from investigators in other federal agencies. But people who have been assigned there say some agencies have recalled their employees from the center after complaints that they were treated poorly. Of 25 non-FBI workers interviewed for the GAO report, 16 made negative comments about working at the center.
As one example of the tensions, the report said that until last summer, workers at the center assigned from other agencies wore different-colored badges than their FBI counterparts and weren't given the same access to some computerized databases. An internal Defense Department memo in March 2000 complained that for the center's non-FBI workers, "it is often a struggle to even get access to the internal e-mail."
In a letter to the GAO published with the study, George M. Andricos, director of legislative affairs for the National Security Council, said some of the center's efforts "might be better accomplished by distributing the tasks across several existing federal agencies." He also suggested a new "virtual analysis center" could be created to issue emergency cyber-warnings.
Industry groups such as the Financial Services Information Sharing and Analysis Center, a computer-attack early-warning network set up by the nation's biggest banks, have criticized the NIPC for failing to quickly share warnings with businesses. The Center for Strategic and International Studies, a Washington think tank, said the NIPC sometimes fails to inform companies under attack for weeks or months after learning of a problem.
The report doesn't recommend disbanding the center, as some security experts have suggested. But its release coincides with a broad continuing review by the Bush administration to reorganize U.S. efforts to protect the most important computer networks. The review likely will recommend altering the FBI's role.
The enemy's within?
The center's director, Ronald L. Dick, said it hasn't been supported by other agencies. "Many of those on whom the NIPC relies to accomplish its mission might prefer that the NIPC, especially as housed in the FBI, not succeed," he wrote in a letter to the GAO.
FBI officials have expressed frustration that businesses don't always share sensitive information about threats with the bureau. The GAO noted, for example, that the banks' warning network knew about the devastating "Love Bug" virus last year hours before the FBI did, but didn't warn the government. The FBI's own warning about the virus was issued only after widespread damage to U.S. e-mail systems had occurred.
The GAO study praised the center for providing technical support and coordination for federal investigations of serious computer crimes, such as the Melissa virus in 1999 and attacks against major commercial Web sites last year.