oversight

Transportation Security Research: Coordination Needed in Selecting and Implementing Infrastructure Vulnerability Assessments

Published by the Government Accountability Office on 2003-05-01.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

             United States General Accounting Office

GAO          Report to the Committee on
             Appropriations, House of
             Representatives


May 2003
             TRANSPORTATION
             SECURITY
             RESEARCH
             Coordination Needed
             in Selecting and
             Implementing
             Infrastructure
             Vulnerability
             Assessments




GAO-03-502
                                               May 2003


                                               TRANSPORTATION SECURITY
                                               RESEARCH

Highlights of GAO-03-502, a report to the
House Committee on Appropriations
                                               Coordination Needed in Selecting and
                                               Implementing Infrastructure Vulnerability
                                               Assessments

The events of September 11, 2001,              The Transportation Infrastructure Assessment program is scheduled to
increased attention on efforts to              end in December 2003 after the completion of four transportation
assess the vulnerabilities of the              vulnerability assessments. Congress appropriated $1 million in each of
nation’s transportation
infrastructure and develop needed
                                               the fiscal years from 2001 through 2003 to RSPA for the program. RSPA
improvements in security. The                  plans to disseminate reports, conduct workshops, and post information
Department of Transportation’s                 on the Internet to inform decision-makers in the transportation
(DOT) Research and Special                     community about the results.
Programs Administration (RSPA)
had already begun research in this             Program Vulnerability Assessments
area in June 2001. The goals of
RSPA’s Transportation
Infrastructure Assurance program
are to identify, and develop ways to
mitigate the impact of, threats to
the nation’s transportation
infrastructure. DOT’s Office of
Intelligence and Security is
responsible for defining the
requirements for transportation
infrastructure protection, ensuring
that vulnerability assessments of
transportation infrastructure are
conducted, and taking action to
mitigate those vulnerabilities.

The House Committee on
Appropriations asked GAO to
determine (1) the status and
anticipated results of the
Transportation Infrastructure
Assurance (TIA) program, and (2)
the extent to which RSPA and the
Office of Intelligence and Security
have coordinated their activities in
selecting the vulnerabilities to be
assessed and implementing the
vulnerability assessments for the
program. DOT and RSPA officials
reviewed a draft of the report,
agreed with its contents, and
provided technical clarifications              Prior to March 2003, RSPA did not fully coordinate their activities with
that we incorporated.                          the Office of Intelligence and Security in selecting the vulnerabilities to
www.gao.gov/cgi-bin/getrpt?GAO-03-502.
                                               be assessed, or in implementing the assessments for the program. We
                                               discussed this problem with officials from both offices who agreed that
To view the full report, including the scope   closer coordination would be beneficial, particularly to discuss options
and methodology, click on the link above.
For more information, contact Katherine        for addressing the challenges facing program researchers in conducting
Siggerud at (202) 512-2834 or                  the program’s vulnerability assessments. In March 2003, officials from
siggerudk@gao.gov.
.
                                               both offices began regular meetings to facilitate this coordination.
Contents


Letter                                                                                       1
               Results in Brief                                                              2
               Background                                                                    3
               TIA Program Is Scheduled to End in December 2003 with
                 Completion of Four Vulnerability Assessments                                5
               RSPA Has Not Fully Coordinated Their Activities with OIS in
                 Selecting the Vulnerabilities to Be Assessed and in Implementing
                 the Assessments for the TIA Program                                       13
               Agency Comments and Our Evaluation                                          16

Appendix I     Volpe National Transportation System Center
               Studies Related to Transportation Infrastructure
               Assurance                                                                   18



Appendix II    Stakeholders Involved and Criteria Used in
               Selecting the Vulnerabilities Assessed Under the
               TIA Program                                                                 19



Appendix III   Entities Reported by RSPA Who Were Involved
               during the Implementation of the TIA Program                                20



Table
               Table 1: TIA Program Planned Products and Progress to Date                  11


Figures
               Figure 1: Beginning and Completion Dates of Vulnerability
                        Assessments                                                          6
               Figure 2: An Air Traffic Controller Uses a Digital Radar Display and
                        Workstation Computers Interconnected through
                        Telecommunications Systems for Air Traffic Management                7
               Figure 3: Emergency Response Teams Transported to the Site of
                        the World Trade Center in New York City Work to Clear
                        Debris After the Terrorist Attack on September 11, 2001              8
               Figure 4: A Global Positioning Satellite                                      9


               Page i                              GAO-03-502 Transportation Security Research
Figure 5: Air, Marine and Surface Modes of Transportation of
         Hazardous Materials Being Assessed by RSPA                                       10
Figure 6: TIA Program Funding by Vulnerability Assessment
         (Fiscal Years 2001 – 2003)                                                       12




Abbreviations

DOT       Department of Transportation
FAA       Federal Aviation Administration
OIS       Office of Intelligence and Security
OMB       Office of Management and Budget
PDD       Presidential Decision Directive
RSPA      Research and Special Programs Administration
TIA       Transportation Infrastructure Assurance
TSA       Transportation Security Administration



This is a work of the U.S. Government and is not subject to copyright protection in the
United States. It may be reproduced and distributed in its entirety without further
permission from GAO. It may contain copyrighted graphics, images or other materials.
Permission from the copyright holder may be necessary should you wish to reproduce
copyrighted materials separately from GAO’s product.




Page ii                                    GAO-03-502 Transportation Security Research
United States General Accounting Office
Washington, DC 20548




                                   May 1, 2003

                                   The Honorable C. W. Bill Young
                                   Chairman
                                   The Honorable David R. Obey
                                   Ranking Minority Member
                                   Committee on Appropriations
                                   House of Representatives

                                   The terrorist attacks on the United States on September 11, 2001,
                                   increased attention on federal efforts to assess the vulnerabilities of the
                                   nation’s transportation infrastructure and develop needed improvements
                                   in security. The Department of Transportation (DOT) formally began one
                                   such effort in June 2001—the Transportation Infrastructure Assurance
                                   program—within its Research and Special Programs Administration
                                   (RSPA). The Transportation Infrastructure Assurance program focuses on
                                   identifying and mitigating against threats, such as from acts of terrorism
                                   and sabotage, which could adversely affect the operation of the nation’s
                                   transportation infrastructure and cause harm to humans. The program is
                                   crosscutting, defining “transportation infrastructure” to include highways,
                                   transit systems, railroads, airports, waterways, pipelines and ports, as well
                                   as the vehicles, aircraft, and vessels that operate on these networks. The
                                   program is also directly related to the mission of DOT’s key transportation
                                   security stakeholder. DOT’s Office of Intelligence and Security is
                                   responsible on behalf of the Secretary for defining the requirements for
                                   transportation infrastructure protection, ensuring that vulnerability
                                   assessments of transportation infrastructure are conducted, and taking
                                   action to mitigate those vulnerabilities.

                                   In House Report 107-722, accompanying DOT and Related Agencies
                                   Appropriations Bill for fiscal year 2003, the House Appropriations
                                   Committee asked us to examine the Transportation Infrastructure
                                   Assurance program. In subsequent discussions with Committee staff we
                                   agreed to address the following questions: (1) What is the status and what
                                   are the anticipated results of the Transportation Infrastructure Assurance
                                   program? and (2) To what extent has RSPA coordinated their activities
                                   with DOT’s Office of Intelligence and Security in selecting the
                                   vulnerabilities to be assessed and implementing the assessments for the
                                   program?

                                   To answer these questions, we examined Transportation Infrastructure
                                   Assurance program documents, including budget data and project plans.


                                   Page 1                               GAO-03-502 Transportation Security Research
                   We also interviewed officials from RSPA’s Office of Innovation, Research
                   and Education—which manages the program, and the Volpe National
                   Transportation Systems Center—which is conducting the program
                   research—regarding the status, management, and operation of the
                   program, as well as plans for disseminating and evaluating program
                   results. In addition, we interviewed officials from the Office of Intelligence
                   and Security about the extent of their participation in the program.

                   Although the Transportation Security Administration was formally part of
                   DOT during the course of our review, it was not established until after the
                   Transportation Infrastructure Assurance program began. Moreover, the
                   Transportation Security Administration’s initial efforts focused on
                   safeguarding the nation’s aviation industry; as a result, the Office of
                   Intelligence and Security continued to lead DOT’s efforts in fulfilling
                   national critical infrastructure protection responsibilities. Consequently,
                   our review focused on the Office of Intelligence and Security’s
                   involvement in the program. We did, however, talk with officials from the
                   Transportation Security Administration regarding their role in identifying
                   and undertaking future research activities necessary to enhance
                   transportation security.

                   We conducted our review from September 2002 through February 2003 in
                   accordance with generally accepted government auditing standards.


                   The Transportation Infrastructure Assurance program is scheduled to end
Results in Brief   in December 2003 after completing four vulnerability assessments aimed
                   at identifying and finding ways to mitigate threats against the nation’s
                   transportation infrastructure. RSPA’s research center, the Volpe National
                   Transportation System Center, in Cambridge, Massachusetts, is
                   conducting the assessments to (1) examine the interdependency of the
                   nation’s transportation system with other critical infrastructures, such as
                   energy and telecommunications; (2) identify the transportation and
                   logistical requirements for emergency response teams in dealing with
                   weapons of mass destruction; (3) examine the feasibility of alternative
                   backup systems for the global positioning system, upon which aviation,
                   maritime, and surface transportation industries rely; and (4) assess the
                   options to transition from hazardous materials transportation security
                   guidelines to security requirements. According to RSPA officials, RSPA
                   plans to work with the Office of Intelligence and Security to disseminate
                   program results to decision-makers in the transportation community
                   through published reports, workshops, and the Internet. Congress



                   Page 2                               GAO-03-502 Transportation Security Research
             appropriated $1 million in each of the fiscal years from 2001 through 2003
             to RSPA for the Transportation Infrastructure Assurance program.

             Prior to March 2003, RSPA did not fully coordinate their activities with the
             Office of Intelligence and Security in selecting the vulnerabilities to assess,
             or in implementing the assessments for the Transportation Infrastructure
             Assurance program. RSPA coordinated with the Office of Intelligence and
             Security in selecting two vulnerability assessments in fiscal year 2001.
             However, RSPA selected two additional transportation vulnerabilities for
             assessment in fiscal year 2002 without coordinating with the Office of
             Intelligence and Security. According to officials from RSPA and the Office
             of Intelligence and Security, this lack of coordination resulted in part from
             disagreements and misunderstandings about each other’s respective role
             in the program. RSPA’s coordination with the Office of Intelligence and
             Security during the research program’s implementation has been limited to
             only one of the four vulnerability assessments under review. Greater
             coordination might have enabled officials from the Office of Intelligence
             and Security to obtain industry-sensitive information for RSPA’s
             assessments and possibly increased the program’s value, according to the
             Office of Intelligence and Security’s Associate Director. During the course
             of our review, officials from both offices agreed with us that closer
             coordination would be beneficial to the program and agreed to meet
             regularly. We verified that in March 2003 officials from RSPA and the
             Office of Intelligence and Security began to meet regularly to facilitate this
             coordination. As a result, this report is making no recommendations. We
             provided a copy of the draft report to DOT and RSPA officials who agreed
             with the contents of the report and provided technical clarifications that
             we incorporated into the report.


             On May 22, 1998, President Clinton issued a pair of directives to guide
Background   federal efforts to address critical infrastructure vulnerabilities.
             Presidential Decision Directive 62 (PDD 62) highlighted the growing threat
             of unconventional attacks against the United States. It described a new
             and more systematic approach to fighting terrorism through interagency
             efforts to prepare for response to incidents involving weapons of mass
             destruction. Presidential Decision Directive 63 (PDD 63) further directed
             federal agencies to conduct risk assessments and planning efforts to
             reduce exposure to attack. Specifically, the assessments were to consider
             attacks that could significantly diminish the abilities of (1) the federal
             government to perform essential national security missions and ensure the
             general public health and safety; (2) state and local governments to
             maintain order and to deliver minimum essential public services; and (3)


             Page 3                               GAO-03-502 Transportation Security Research
the private sector to ensure the orderly functioning of the economy and
the delivery of essential telecommunications, energy, financial, and
transportation services. PDD 63 called for the government to complete
these assessment efforts no later than May 2003. According to the Office of
Intelligence and Security’s (OIS) Associate Director for National Security
(hereafter referred to as the Associate Director), the Transportation
Infrastructure Assurance (TIA) program is, in part, DOT’s effort to meet
these Presidential Decision Directive requirements.

RSPA concentrates on multimodal issues (research that applies to more
than one mode of transportation) that affect the entire U.S. transportation
system rather than on a specific sector of the system. RSPA’s Office of
Innovation, Research and Education is responsible for managing the TIA
program. The Volpe National Transportation Systems Center, located in
Cambridge, Massachusetts, is the research arm of RSPA and is conducting
the program’s vulnerability assessments. OIS is the key transportation
security stakeholder within DOT responsible for analyzing, developing,
and coordinating departmental and national policies addressing national
defense, border security, and transportation infrastructure assurance and
protection issues. Other OIS responsibilities include: coordinating with the
public and private sectors, international organizations, academia, and
interest groups regarding issues of infrastructure protection; acting as the
Secretary of Transportation’s liaison with the intelligence, law
enforcement, and national defense communities and assisting
departmental organizations in establishing and maintaining direct ties with
those communities; and serving as the Secretary of Transportation’s
primary advisor on significant intelligence issues affecting the traveling
public, the transportation industry, and national security. According to
OIS’s Associate Director, OIS has historically been involved in the
department’s transportation security research efforts. He added that OIS’s
lead role in fulfilling the department’s critical infrastructure
responsibilities, including the implementation of Presidential Decision
Directives addressing critical infrastructure vulnerabilities, is likely to
change as the roles and responsibilities of the Transportation Security
Administration (TSA) and the newly created Department of Homeland
Security are defined.

Congress established TSA in November 20011 to be responsible for
ensuring transportation security, including identifying and undertaking


1
Aviation and Transportation Security Act, Public Law 107-71, 115 Stat. 597, Nov. 19, 2001.




Page 4                                     GAO-03-502 Transportation Security Research
                      research and development activities necessary to enhance transportation
                      security. For fiscal year 2003, TSA received $110 million to fund
                      transportation security research activities for all modes of transportation.
                      Further, on November 25, 2002, the President signed the Homeland
                      Security Act of 2002,2 which established the Department of Homeland
                      Security with the responsibility of, among other tasks, coordinating efforts
                      in securing America’s critical infrastructure. On March 1, 2003, TSA
                      became part of the newly created Department of Homeland Security.


                      The TIA program is scheduled to end in December 2003, resulting in the
TIA Program Is        completion of four vulnerability assessments aimed at identifying and
Scheduled to End in   finding ways to mitigate threats against the nation’s transportation
                      infrastructure. RSPA officials said that two of these assessments (the
December 2003 with    interdependency of the transportation system with other critical
Completion of Four    infrastructures and transportation and logistical requirements for
                      emergency response teams in dealing with weapons of mass destruction)
Vulnerability         were selected, in part, to meet DOT’s PDD 62 and 63 requirements, and are
Assessments           scheduled for completion in mid-2003 to meet the deadlines outlined in the
                      presidential directives. The other two assessments (the feasibility of
                      alternative backup systems for the global positioning system, and an
                      assessment of the options to transition from hazardous materials
                      transportation security guidelines to security requirements) were selected
                      based upon a perceived need for assessments in these areas as defined by
                      officials from RSPA’s Office of Hazardous Materials Safety and the Volpe
                      National Transportation Systems Center, and are scheduled for
                      completion in December 2003. RSPA’s Volpe Center is conducting the TIA
                      program’s four assessments and has conducted research related to
                      transportation infrastructure since 1996. (See app. I for a summary of the
                      Volpe Center’s Workshops and Studies related to transportation
                      infrastructure assurance from fiscal years 1996 to 2000.)

                      Figure 1 shows the TIA program’s beginning and completion dates by
                      specific vulnerability assessment. RSPA officials told us that it has no
                      plans to include any additional or future assessments under the TIA
                      program.




                      2
                      Homeland Security Act of 2002, Public Law 107-296, 116 Stat. 2135, Nov. 25, 2002.




                      Page 5                                     GAO-03-502 Transportation Security Research
Figure 1: Beginning and Completion Dates of Vulnerability Assessments




                                        The TIA program is assessing four vulnerabilities:

                                    •   Interdependency of the transportation system with other critical
                                        infrastructures: According to TIA program documentation, the
                                        development of alternative fuels, changes in telecommunication
                                        technologies, and the evolving financial role of the federal government in
                                        the security of privately operated transportation systems are affecting the
                                        relationship between the nation’s transportation infrastructure and some
                                        of the nation’s other critical infrastructures. The purpose of this
                                        assessment is to describe the current and evolving dependence between
                                        the nation’s transportation infrastructure and some of the nation’s other
                                        critical infrastructures including energy, electronic-commerce, banking
                                        and finance, and telecommunications. For example, the nation’s air traffic
                                        control system relies on telecommunications to manage the safety and
                                        efficiency of air transportation, as shown in figure 2. Researchers plan to
                                        determine the costs, in terms of economic disruption and loss of lives,
                                        associated with terrorists exploiting transportation infrastructure
                                        vulnerabilities.




                                        Page 6                              GAO-03-502 Transportation Security Research
    Figure 2: An Air Traffic Controller Uses a Digital Radar Display and Workstation
    Computers Interconnected through Telecommunications Systems for Air Traffic
    Management




•   Transportation and logistical requirements for emergency response
    teams in dealing with weapons of mass destruction: The purpose of this
    assessment is to evaluate the transportation and logistics assets required
    in responding to terrorist activities. The assessment will include an
    analysis of transportation operations and procedures, personnel, supplies,
    and transportation assets such as vehicles, containers, and pallets.
    Specifically, researchers plan to analyze the institutional and economic
    implications of terrorist activities involving weapons of mass destruction
    in order to develop emergency transportation action plans and compile
    emergency transportation procedure best practices. Emergency teams
    were transported to respond to the terrorist attack on the World Trade
    Center on September 11, 2001, as shown in figure 3.




    Page 7                                  GAO-03-502 Transportation Security Research
Figure 3: Emergency Response Teams Transported to the Site of the World Trade Center in New York City Work to Clear
Debris After the Terrorist Attack on September 11, 2001




                                    •   Feasibility of alternative backup systems for the global positioning
                                        system: The purpose of this assessment is to provide a continuation of the
                                        August 2001 report by the Volpe National Transportation Systems Center,
                                        Vulnerability of the Transportation Infrastructure Relying On The Global
                                        Positioning System. The report concluded that the global positioning
                                        system is vulnerable to both intentional and nonintentional disruption, and
                                        identified a need for a backup for the global positioning system. To follow-
                                        up on the August 2001 report, researchers plan to analyze and describe the
                                        performance, cost, and practicality of backup systems and procedures.
                                        Figure 4 shows a picture of a global positioning satellite.




                                        Page 8                                GAO-03-502 Transportation Security Research
    Figure 4: A Global Positioning Satellite




•   Options to transition hazardous materials transportation security
    guidelines to security requirements: The purpose of this assessment is to
    evaluate the tradeoffs in the transportation of hazardous materials that
    exist between security, economic, proprietary, and delivery factors. RSPA
    plans to provide an analysis and description of these tradeoffs in different
    threat scenarios for different modes of transportation. Figure 5 provides
    an overview of the types of transportation being assessed.




    Page 9                                     GAO-03-502 Transportation Security Research
Figure 5: Air, Marine, and Surface Modes of Transportation of Hazardous Materials
Being Assessed by RSPA




Source: Nova Development Corporation.



RSPA plans to work with OIS to disseminate the results of the program to
private transportation system operators and to stakeholders in DOT and
other federal agencies through 11 formal reports, presentations,
workshops, and the Internet. Table 1 provides an overview of the
program’s planned products and progress to date.




Page 10                                 GAO-03-502 Transportation Security Research
Table 1: TIA Program Planned Products and Progress to Date

Vulnerability assessments                    Planned products and progress to date
Interdependency of the transportation        Energy:
system with other critical infrastructures   • TIA program researchers have drafted a report, “Security Risks Associated with
                                               Transportation-Energy Interdependencies,” which will be reviewed by OIS. This draft
                                               report is intended to illustrate the complexities in defining interdependency
                                               vulnerabilities. As of February 2003, this report had not yet been issued.
                                             • A second report studying the relationship between electrical distribution infrastructure
                                               and transportation is scheduled for completion in May 2003.
                                             E-Commerce:
                                             • TIA program managers are contracting with the Transportation Research Board to
                                               develop a report describing information technology in the freight industry, reviewing
                                               current freight security practices, and identifying potential vulnerabilities in the freight
                                               industry. The report is scheduled for completion in May 2003.
                                             • TIA program researchers have completed a background paper, “E-Commerce
                                               Vulnerabilities: Impacts on the Transportation System,” (March 2002), which presents
                                               information on identifying and protecting critical information technology infrastructure,
                                               ranking vulnerabilities, and estimating potential impacts (costs) if the vulnerabilities are
                                               exploited. TIA researchers have also conducted a briefing on the impact of electronic
                                               systems in shaping the future transportation system. An accompanying slide
                                               presentation, “Transportation in 2050,” has been drafted and is under review.
                                             Banking & Finance:
                                             • TIA program researchers are working on a report, “Economic Effects of the September
                                               11 Terrorist Attacks: A Survey of Current Studies and an Overview of the Implications
                                               for Transportation,” examining the impact of the events of September 11 on the
                                               banking and finance systems and their associated effects on the nation’s
                                               transportation system. While originally scheduled for release in September 2002,
                                               RSPA officials told us that this report is not yet complete and may be discontinued due
                                               to its limited value in light of numerous studies conducted on this issue.
                                             • A report reviewing the results of other research involving the interdependency of the
                                               nation’s transportation infrastructure with the nation’s banking and finance system is
                                               scheduled for completion in spring 2003.
                                             Telecommunication:
                                             • TIA program researchers are finalizing a report on the interdependency between the
                                               nation’s aviation industry and telecommunications industry.
                                             • Additional research is intended to address the interdependence of the nation’s
                                               telecommunications industry with other nonaviation sectors of the nation’s
                                               transportation system. According to Volpe Center researchers, this final report is likely
                                               to consist of several volumes, each with a specific modal focus. This report is
                                               scheduled for completion in May 2003.
Transportation and logistical                • TIA program researchers presented a set of data tables describing the various
requirements for emergency response            emergency response teams transportation requirements, including personnel and
teams in dealing with weapons of mass          equipment. According to program researchers, these tables were delivered to RSPA’s
destruction                                    Office of Emergency Transportation in July 2002.
                                             • TIA program researchers have conducted a bio-terrorism conference to aid in
                                               identifying gaps in the emergency response system. The conference was held in
                                               Washington D.C., on November 19-20, 2002.
Feasibility of alternative backup systems    • TIA program researchers are working on a report designed to identify and provide cost
for the global positioning system              benefit assessments of alternatives to use in backing up the global positioning system
                                               should it be disrupted by sabotage or terrorist attack. The report intends to assist DOT
                                               in determining the most appropriate alternative radio-navigation system to use in the
                                               nation’s transportation system. This report is scheduled for completion in December
                                               2003.




                                             Page 11                                      GAO-03-502 Transportation Security Research
 Vulnerability assessments                   Planned products and progress to date
 Options to transition hazardous materials   • TIA program researchers reviewed recent literature, workshops, and conferences on
 transportation security guidelines to         security options and implications related to the transportation of hazardous materials.
 security requirements                         The final report was released in December 2002.
                                             • According to program managers, potential areas of work for the second phase of this
                                               project include an assessment of the implementation of security plans, and the
                                               development of better data on hazardous material shipments with high security
                                               concerns. This work is scheduled for completion in December 2003.
Source: RSPA and Volpe Center data.

                                             Congress appropriated $1 million each year to RSPA for the TIA program
                                             in fiscal years 2001, 2002, and 2003. Figure 6 provides an overview of the
                                             TIA program funding for fiscal years 2001 through 2003 for each of the
                                             four vulnerability assessments.

                                             Figure 6: TIA Program Funding by Vulnerability Assessment (Fiscal Years 2001 –
                                             2003)




                                             Page 12                                     GAO-03-502 Transportation Security Research
                              RSPA has not fully coordinated their activities with OIS—DOT’s key
RSPA Has Not Fully            transportation security stakeholder—in selecting the vulnerabilities to be
Coordinated Their             assessed or in implementing the assessments for the TIA program. RSPA
                              coordinated with OIS in selecting two vulnerability assessments in fiscal
Activities with OIS in        year 2001. Specifically, in fiscal year 2001, RSPA worked with OIS to select
Selecting the                 one vulnerability for assessment and notified OIS of its selection of a
                              second vulnerability for assessment. RSPA, however, did not coordinate
Vulnerabilities to Be         with OIS officials in the selection of two additional vulnerability
Assessed and in               assessments in fiscal year 2002. RSPA’s coordination with OIS during the
Implementing the              program’s implementation has been limited to only one of the four
                              vulnerability assessments under review.
Assessments for the
TIA Program

RSPA’s Coordination with      RSPA coordinated with OIS and used various criteria, such as PDD 62 and
OIS in the Selection of the   63, in selecting only two of the four vulnerabilities to be assessed in the
Vulnerabilities to Be         TIA program. For example, RSPA consulted with OIS to select one of the
                              two vulnerabilities for assessment in fiscal year 2001 and notified OIS of
Assessed in the TIA           its selection of a second vulnerability. Specifically, in a memorandum
Program                       dated March 6, 2001, OIS identified and proposed a list of critical
                              infrastructure protection research requirements for assessment and
                              requested that RSPA address them as a high priority.3 In this initial
                              proposal, the Director of OIS said that significant OIS involvement would
                              be required to effectively implement the program given its responsibilities
                              for defining transportation security vulnerabilities, ensuring that
                              vulnerability assessments are conducted, and implementing actions to
                              mitigate those vulnerabilities. On April 9, 2001, RSPA issued a
                              memorandum to OIS outlining its research agenda for fiscal year 2001 and
                              stating that OIS’s involvement in assuring the program’s quality,
                              credibility, and review was critical. This memorandum confirmed RSPA’s
                              plans to assess the interdependency of the transportation system with
                              other critical infrastructures, as suggested by OIS’s proposed list, and
                              notified OIS of RSPA’s intention to conduct a second assessment—the
                              transportation and logistical requirements for emergency response teams
                              in dealing with weapons of mass destruction—that was not included on
                              OIS’s list.




                              3
                               In fiscal year 2000, OIS received funding for transportation infrastructure protection
                              activities. In fiscal year 2001, funding in this area of research shifted from OIS to RSPA.




                              Page 13                                      GAO-03-502 Transportation Security Research
                            In the aftermath of the terrorist attacks of September 11, 2001, RPSA
                            issued a solicitation on behalf of all DOT modes for additional
                            transportation security technology research and concepts to be included
                            in the TIA program or related transportation security programs. OIS
                            officials participated with RSPA in reviewing the proposals received in
                            response to the solicitation. However, according to the Associate
                            Administrator of RSPA’s Office of Innovation, Research, and Education
                            (hereafter referred to as the Associate Administrator), DOT did not receive
                            the funds to pursue any of these proposals.

                            During fiscal year 2002, RSPA did not coordinate with OIS to determine
                            what additional assessments to select for inclusion in the program.
                            Instead, RSPA selected two transportation vulnerabilities for assessment
                            under the program after holding discussions with Volpe Center
                            researchers and officials from RSPA’s Office of Hazardous Materials
                            Safety. While the Associate Director of OIS said he was unaware that
                            additional vulnerabilities had been selected for assessment in fiscal year
                            2002 prior to our discussions with him regarding the status of the program,
                            he noted that both of these assessments—on the feasibility of alternative
                            backup systems for the global positioning system, and an assessment on
                            options to transition hazardous materials transportation security
                            guidelines to security requirements—were valid and of high priority.
                            According to OIS and RSPA officials, this lack of coordination resulted, in
                            part, from disagreements and misunderstandings about the other’s
                            respective role in the program. As indicated by a series of e-mail
                            communications between OIS and RSPA officials during the period
                            between October 2001 and January 2002, questions about the respective
                            roles of OIS and RSPA in the program’s management, specific research
                            areas, and the logistics of this research were raised on numerous
                            occasions with no apparent resolution. Neither RSPA nor OIS were able to
                            provide us with documentation to show that these issues were resolved.
                            (See app. II for specific stakeholders involved and criteria used to select
                            the vulnerabilities chosen for assessment under the TIA program in fiscal
                            years 2001 and 2002.)


RSPA’s Coordination with    RSPA’s coordination with OIS, DOT’s security stakeholder, during the
OIS in the Implementation   implementation of the TIA program has been limited to one of the four
of the Assessments in the   vulnerability assessments. While OIS has participated in meetings
                            regarding the assessment of the options to transition hazardous materials
TIA Program                 transportation security guidelines to security requirements, RSPA did not
                            similarly involve OIS in the program’s three other vulnerability
                            assessments. OIS and RSPA officials said that this lack of coordination


                            Page 14                             GAO-03-502 Transportation Security Research
during the implementation of the program resulted, in part, from
continued disagreements and misunderstandings about the other’s
respective role in the program. Further, OIS’s Associate Director said that
because of OIS’s lack of involvement in the TIA program, he was not
aware of the program’s progress to date and therefore expressed
uncertainty about whether the program’s research is meeting the
requirements of PDD 62 and 63.

OIS’s Associate Director also said that OIS’s working relationships with
private industry stakeholders might have helped RSPA obtain industry-
sensitive information for the program’s assessments. RSPA officials
acknowledged that a primary challenge of the TIA program involves
obtaining information on industry-specific, competition-sensitive issues.
For example, RSPA officials said that private sector owners and operators,
such as those from the oil industry, are cautious about releasing
proprietary information because of the possibility that this information
could be used by (1) business rivals to gain a competitive advantage, (2)
terrorists to harm and destroy critical infrastructure, and (3) the federal
government to pursue further regulations of the industry. As a result, TIA
program researchers told us that they are limited in their ability to identify
specific threats and weaknesses relating to some of the specific
vulnerabilities under assessment. According to RSPA’s Associate
Administrator, because of these limitations, the TIA program is, in some
instances, examining vulnerability issues on a conceptual level rather than
through specific case studies of industry infrastructure. For example,
instead of assessing the vulnerabilities of specific privately owned
infrastructures, such as oil refineries, RSPA is addressing some critical
details of crude oil transport using ports in Louisiana and Texas to
illustrate the complexities in defining the interdependency vulnerabilities
between the nation’s transportation and energy infrastructures. (See app.
III for a summary of OIS involvement in the implementation of the TIA
program, as well as a listing of all of the significant stakeholders reported
by RSPA who were consulted during the implementation of the TIA
program.)

We discussed our findings about the lack of coordination with RSPA’s
Associate Administrator and OIS’s Associate Director and suggested they
take steps to increase their coordination efforts. They agreed that
increased coordination would be beneficial. Specifically, they agreed to
hold bi-monthly updates on the progress of each of the vulnerability
assessments, discuss program task methodologies and approaches, and
identify options for addressing the challenges facing program researchers
in conducting the program’s vulnerability assessments. The first update


Page 15                              GAO-03-502 Transportation Security Research
                     was held in March 2003. Furthermore, RSPA’s Associate Administrator
                     agreed to provide TSA’s Director for Threat Assessment and Risk
                     Management4 with information on the TIA program’s findings, challenges,
                     and lessons learned. In our discussions with TSA’s Director for Threat and
                     Risk Assessment, she said that such information regarding the TIA
                     program would be helpful in guiding TSA’s future efforts in planning and
                     conducting transportation security research. Because of actions taken by
                     RSPA and OIS to improve coordination we are making no
                     recommendations at this time.


                     We provided a copy of the draft report to DOT and RSPA officials who
Agency Comments      agreed with the contents of the report and provided technical
and Our Evaluation   clarifications that we incorporated into the report. They did not provide
                     written comments on the report.


                     We will send copies of this report to the Secretary of Transportation,
                     appropriate congressional committees, and other interested parties. We
                     will also make copies available to others upon request. In addition, the
                     report will be available at no charge on the GAO Web site at
                     http://www.gao.gov.




                     4
                      TSA’s Threat Assessment and Risk Management Program was established in October 2002
                     to provide oversight and assistance regarding threat and vulnerability assessments
                     conducted by TSA. The program also serves to coordinate with other federal agencies to
                     ensure that complete assessments of the vulnerabilities facing the nation’s transportation
                     system are conducted.




                     Page 16                                    GAO-03-502 Transportation Security Research
If you have questions about this report, please call me on (202) 512-2834 or
Chris Keisling on (404) 679-1917. Other key contributors included Colin
Fallon, Bert Japikse, Steve Morris, and Jason Schwartz.




Katherine Siggerud
Acting Director, Physical Infrastructure Issues




Page 17                             GAO-03-502 Transportation Security Research
                                                           Appendix I: Volpe National Transportation
Appendix I: Volpe National Transportation                  System Center Studies Related to
                                                           Transportation Infrastructure Assurance


System Center Studies Related to
Transportation Infrastructure Assurance

                                                                      Funding
 Funding source                                    Fiscal year         amount      Products
 Presidential Commission on                              1996         $380,000     Reports:
 Critical Infrastructure                                                           • Supervisory Control and Data Acquisition Vulnerabilities (1997)
 Protection                                                                        • National Air Space Vulnerabilities (1997)
                                                                                   • Traffic (Surface) Central Systems Vulnerabilities (1997)


                                                                                   White Papers:
                                                                                   • Electromagnetic Threats to Rail/Transit Operations (1997)
 Department of Defense 1996                               1997       $2,400,000    White Papers:
 Supplemental Appropriation                                                        • Criminal Use of Transportation Infrastructure (1997)
 for a Surface Transportation                                                      • Railroad Bridges and Tunnels Vulnerability (1998)
 Vulnerability Assessment                                                          • Railroad Signaling and Control Vulnerability (1998)


                                                                                   Reports:
                                                                                   • Intermodal Cargo Security Best Practices (1999)
                                                                                   • Transportation Infrastructure Assurance Research and
                                                                                     Development Plan (1999 and 2000)
 RSPA Research and                                        1996         $15,000     Workshops:
 Technology and Strategic                                                          • Emerging Issues in Transportation Information Infrastructure
 Planning (Total Terminal                                 1997         $15,000       Security (1996)
 Security/TIA Task)                                                                • Global Positioning Study Interference and Mitigation (1998)
                                                                                   • Chemical/Biological Incidents (1998)
                                                          1998         $50,000
                                                                                   • Marine Safety and Port Security (2000)

                                                          1999         $35,000
                                                                                   Reports:
                                                                                   • Intermodal Cargo Security Best Practices (1999)
                                                          2000         $85,000     • Transportation Infrastructure Assurance Research and
                                                                                     Development Plan (1999 and 2000)
                                                          2001         $50,000

 DOT Office of Intelligence                               2000        $700,000     Reports:
 and Security                                                                      • DOT Communications (Security) Reports (2001)
                                                                                   • Updated Supervisory Control and Data Acquisition (SCADA)
                                                                                     Study (2002)
                                                                                   • Global Positioning System Vulnerability Study (2001)
Source: GAO presentation of RSPA and Volpe Center data.




                                                           Page 18                                     GAO-03-502 Transportation Security Research
                                                                 Appendix II: Stakeholders Involved and
Appendix II: Stakeholders Involved and                           Criteria Used in Selecting the Vulnerabilities
                                                                 Assessed Under the TIA Program


Criteria Used in Selecting the Vulnerabilities
Assessed Under the TIA Program

                                                                    Selected in FY 2001                                    Selected in FY 2002
                                                                                 Transportation and
                                                                                           logistical                                              Options to
                                                                                    requirements for                                                transition
                                                         Interdependency of               emergency                     Feasibility of   hazardous materials
                                                           the transportation     response teams in               alternative backup          transportation
                                                           system with other            dealing with                 systems for the      security guidelines
 Stakeholders involved                                                 critical    weapons of mass                global positioning               to security
 and criteria used                                            infrastructures            destruction                          system           requirements
 Stakeholders involved:
 DOT’s Office of Intelligence and
                                                                                    3                       3
 Security
 RSPA’s Office of Emergency
                                                                                                            3
 Transportation
 RSPA’s Office of Hazardous
                                                                                                                                                            3
 Materials Safety
 Volpe National Transportation
                                                                                                                                    3                       3
 Systems Center
 Criteria used:
 Presidential Decision Directive 62                                                                         3
 Presidential Decision Directive 63                                                 3
 Critical Foundations, Presidential
 Commission on Critical
                                                                                    3
 Infrastructure Protection (Oct.
 1997)
 Critical Infrastructure Research
                                                                                    3
 Plan, DOT
 Interim Report on Computer
 Security, DOT Office of the                                                        3
 Inspector General, (July 2000)
 Surface Transportation
 Vulnerability Assessment, DOT                                                      3
 (1999)
 Combating Terrorism: Federal
 Response Teams Provide Varied
 Capabilities: Opportunities                                                                                3
 Remain to Improve Coordination,
 GAO Report (GAO/NSIAD-01-13)
 Ability to leverage ongoing
 research and development                                                           3                       3                       3                        3
 projects
Source: GAO presentation of RSPA information on TIA program stakeholders involved and selection criteria.




                                                                 Page 19                                        GAO-03-502 Transportation Security Research
                                            Appendix III: Entities Reported by RSPA Who
Appendix III: Entities Reported by RSPA Who Were Involved during the Implementation of
                                            the TIA Program


Were Involved during the Implementation of
the TIA Program

                                                                                        Type of involvement
                                                                               To obtain For discussion of   For discussion
Assessment                       Entity involved                             information     task approach of interim results
Interdependency of the           Office of Intelligence and Security
transportation system with       Federal Aviation Administration                                                              3
other critical infrastructures
                                 Louisiana Offshore Oil Port                              3
                                 National Research Council
                                 Transportation Research Board                                             3
                                 Transportation Security
                                 Administration                                                                               3
Transportation and logistical    Office of Intelligence and Security
requirements for emergency       American Association of Railroads                        3
response teams in dealing
                                 American Association of State
with weapons of mass
                                 Highway and Transportation Officials                     3
destruction
                                 American Public Transportation
                                 Association                                              3
                                 American Red Cross                                       3
                                 Army Corps of Engineers                                  3
                                 Association of State and Territorial
                                 Health Officials                                         3
                                 Battelle Memorial Institute                              3                3                  3
                                 Centers for Disease Control and
                                 Prevention                                               3
                                 Department of Agriculture                                3
                                 Department of Agriculture/Food and
                                 Nutrition Service                                        3
                                 Department of Agriculture/Animal
                                 Plant Health Inspection Service                          3                3                  3
                                 Department of Defense                                    3
                                 Department of Energy                                     3
                                 Department of Health and Human
                                 Services                                                 3
                                 Defense Intelligence Agency                              3                3                  3
                                 Department of Justice                                    3                3                  3
                                 Department of State                                      3
                                 DOT Maritime Academy                                     3
                                 DOT Office of the General Counsel                        3
                                 DOT Regional Emergency
                                 Transportation Representative                            3
                                 Environmental Protection Agency                          3
                                 Federal Aviation Administration                          3
                                 Federal Emergency Management
                                 Agency                                                   3
                                 Federal Highway Administration                           3
                                 Federal Motor Carrier Safety
                                 Administration                                           3
                                 Federal Railroad Administration                          3



                                            Page 20                                  GAO-03-502 Transportation Security Research
                        Appendix III: Entities Reported by RSPA Who
                        Were Involved during the Implementation of
                        the TIA Program




                                                                    Type of involvement
                                                           To obtain For discussion of   For discussion
Assessment   Entity involved                             information     task approach of interim results
             Federal Transit Administration                        3
             General Services Administration                       3
             Georgetown University Medical
             Center                                                   3                3                  3
             International Association of
             Emergency Managers                                       3
             International Association of Fire
             Chiefs                                                   3
             International City/County
             Management Association                                   3
             Maritime Administration                                  3
             National Association of Counties                         3
             National Association of State
             Emergency Medical Service
             Directors                                                3
             National Defense Transportation
             Association                                              3
             National Emergency Managers
             Association                                              3
             National Highway Traffic Safety
             Administration                                           3
             National Public Transit Association                      3
             National Research Council
             Transportation Research Board                            3
             Office of US Surgeon General                             3
             RSPA’s Office of Emergency
             Transportation                                           3                3                  3
             Transportation Security
             Administration                                           3
             University of California, School of
             Veterinary Medicine                                      3                3                  3
             University of Delaware, Disaster
             Research Center                                          3
             Urban Search and Rescue Teams                            3
             US Coast Guard & National
             Command Center                                           3
             US Forest Service                                        3
             Veterans Administration                                  3
             Volpe National Transportation
             Systems Center                                           3                3                  3
             Washington DC Department of
             Health                                                   3
             White House Office of Homeland
             Security                                                 3
             White House Special Assistant to the
             Vice President                                           3




                        Page 21                                  GAO-03-502 Transportation Security Research
                                          Appendix III: Entities Reported by RSPA Who
                                          Were Involved during the Implementation of
                                          the TIA Program




                                                                                             Type of involvement
                                                                                    To obtain For discussion of   For discussion
 Assessment                    Entity involved                                    information     task approach of interim results
 Feasibility of alternative    Office of Intelligence and Security
 backup systems for the global Booz-Allen Hamilton                                             3
 positioning system
                               DOT Office of the Secretary                                                              3                      3
                               Federal Aviation Administration                                                          3                      3
                               Federal Railroad Administration                                                          3                      3
                               Northrop-Grumman                                                3
                               United States Coast Guard                                                                3                      3
 Options to transition         Office of Intelligence and Security                                                      3
 hazardous materials           American Association of Railroads                               3
 transportation security
 guidelines to security
                               American Chemistry Council                                      3
 requirements                  American Institute of Chemical
                               Engineers                                                       3
                               Bureau of the Census                                            3
                               Bureau of Transportation Statistics                             3
                               DOT Office of the Secretary                                     3
                               Federal Motor Carrier Safety
                               Administration                                                  3
                               Federal Railroad Administration                                 3
                               General Accounting Office                                       3
                               Inland Rivers, Ports and Waterways
                               Association                                                     3
                               National Transportation Safety
                               Board                                                           3
                               RSPA’s Office of Hazardous
                               Materials Safety                                                                         3                      3
                               RSPA’s Office of Pipeline Safety                                3
                               Transportation Security
                               Administration                                                  3
                               US Army Corps of Engineers                                      3
                               United States Coast Guard                                       3
                               Vanderbilt University                                           3
Source: RSPA.

                                          Note: According to RSPA officials, this list includes significant stakeholders who had input in the TIA
                                          program as of March 12, 2003.




(542016)
                                          Page 22                                           GAO-03-502 Transportation Security Research
                         The General Accounting Office, the audit, evaluation and investigative arm of
GAO’s Mission            Congress, exists to support Congress in meeting its constitutional responsibilities
                         and to help improve the performance and accountability of the federal
                         government for the American people. GAO examines the use of public funds;
                         evaluates federal programs and policies; and provides analyses,
                         recommendations, and other assistance to help Congress make informed
                         oversight, policy, and funding decisions. GAO’s commitment to good government
                         is reflected in its core values of accountability, integrity, and reliability.


                         The fastest and easiest way to obtain copies of GAO documents at no cost is
Obtaining Copies of      through the Internet. GAO’s Web site (www.gao.gov) contains abstracts and full-
GAO Reports and          text files of current reports and testimony and an expanding archive of older
                         products. The Web site features a search engine to help you locate documents
Testimony                using key words and phrases. You can print these documents in their entirety,
                         including charts and other graphics.
                         Each day, GAO issues a list of newly released reports, testimony, and
                         correspondence. GAO posts this list, known as “Today’s Reports,” on its Web site
                         daily. The list contains links to the full-text document files. To have GAO e-mail
                         this list to you every afternoon, go to www.gao.gov and select “Subscribe to daily
                         E-mail alert for newly released products” under the GAO Reports heading.


Order by Mail or Phone   The first copy of each printed report is free. Additional copies are $2 each. A
                         check or money order should be made out to the Superintendent of Documents.
                         GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a
                         single address are discounted 25 percent. Orders should be sent to:
                         U.S. General Accounting Office
                         441 G Street NW, Room LM
                         Washington, D.C. 20548
                         To order by Phone:     Voice:    (202) 512-6000
                                                TDD:      (202) 512-2537
                                                Fax:      (202) 512-6061


                         Contact:
To Report Fraud,
                         Web site: www.gao.gov/fraudnet/fraudnet.htm
Waste, and Abuse in      E-mail: fraudnet@gao.gov
Federal Programs         Automated answering system: (800) 424-5454 or (202) 512-7470


                         Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800
Public Affairs           U.S. General Accounting Office, 441 G Street NW, Room 7149
                         Washington, D.C. 20548