Agencies tasked with developing backup plans for federally run GPS systems are making insufficient progress.
The federal agencies responsible for developing backup capabilities for GPS -- the government-run global positioning system that has become part of daily life -- are not making sufficient progress in meeting a presidential directive issued nearly a decade ago, according to a new report by the Government Accountability Office, the nonpartisan investigative arm of Congress.
GPS Block II/IIA satellite. (Source: GPS.gov)
The threat of disruptions in the satellite network and support systems that provide precise positioning and timing data to the public (and to the nation's 16 critical infrastructure sectors) has been a concern for many years. That's why a National Security Policy Directive (NSPD-39) tasked the Department of Transportation and the Department of Homeland Security in December 2004 to jointly develop backup capabilities in response to potential natural and manmade GPS disruptions.
The directive instructed the DOT and DHS to create a plan for detecting and mitigating GPS interference. It also required them to coordinate efforts to "develop, acquire, operate, and maintain backup capabilities that can support critical civilian and commercial infrastructure during a GPS disruption," the GAO report said.
The DHS is responsible for coordinating the government's national effort to protect critical infrastructure. The DOT is the lead agency for all civilian bodies involved in the development, management, and operation of GPS products and services.
The agencies have launched a number of efforts to fulfill the directive. The DOT has been researching GPS alternatives for aviation, while the DHS has an initiative dedicated to GPS interference detection and mitigation. It is also exploring a potential nationwide backup to GPS timing -- a feature widely used in critical infrastructure. However, GAO investigators found many of these tasks remain incomplete.
In 2012, the DHS published the GPS National Risk Estimate after conducting a scenario-based risk assessment for four critical infrastructure sectors: communications, energy, financial services, and transportation systems. However, the GAO found that the risk estimate lacks key characteristics of risk assessments outlined in the DHS risk management guidance. Consequently, it remains unfinished and unsuitable for mitigation planning, setting priorities, and resource allocation.
"A plan to collect and assess additional data and subsequent efforts to ensure that the risk assessment is consistent with DHS guidance would contribute to more effective GPS risk management," the report said.
Another shortcoming is the lack of collaboration between the agencies; DOT and DHS leaders haven't clearly defined their roles to meet the directive. The report recommended that they establish a formal, written agreement that explains how the agencies plan to share responsibility, and that they "set forth the agencies' plans for examining relevant issues."
The US government has invested more than $5 billion in GPS since 2009 but provides the service free of direct charge to users worldwide, according to the report. The service consists of three segments: the user segment, which depends on receivers to collect and process signals from orbiting satellites; the ground-control segment, a global network of ground facilities that track satellites and monitor their transmissions; and the space segment, which consists of at least 24 satellites. The ground and space segments are operated by the US Air Force.
The GAO said the inability to mitigate GPS disruptions could result in billions of dollars of economic loss. GPS experts associated with the risk estimate and others interviewed by the GAO expressed concern that current strategies may not be sufficient to mitigate GPS disruptions.
In a letter to GAO leaders regarding the report, the DHS did not agree with all the recommendations, and it remains to be seen what actions the department will take in response.
InformationWeek 500 companies take a practical view of even trendy tech such as the cloud, big data analytics, and mobile. Read all about what they're doing in our special issue. Also in the InformationWeek 500 issue: a ranking of our top 250 winners, profiles of the top five companies, and 20 great ideas that you can steal (free registration required).
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.