DHS, GAO spar over security

The Homeland Security Department disagrees with a new Government Accountability Office report that argues that DHS is not doing enough to protect the nation's critical infrastructure from cyberattacks.

"Until it overcomes the many challenges it faces and completes critical activities, DHS cannot effectively function as the cybersecurity focal point intended by law and national policy," states the report, issued last week. "As such, there is an increased risk that large portions of our national infrastructure are either unaware of key areas of cybersecurity risks or unprepared to effectively address cyber emergencies."

Steven Pecinovsky, director of DHS' liaison office between DHS' inspector general and GAO, said in written comments that he disagrees with the report's "implication that that the challenges experienced to date have prevented [DHS] from achieving significant results in improving the nation’s cybersecurity posture."

Pecinovsky also disputed that DHS had not sufficiently implemented all of GAO's prior recommendations. GAO auditors were unclear about what DHS needs to do and why DHS' performance measures are inadequate, he said.

DHS has made strides to improve cybersecurity since 2003, GAO said. The Interim National Infrastructure Protection Plan addresses cybersecurity. DHS created the U.S. Computer Emergency Response Team (CERT) to analyze and warn against cyberthreats. And the department has sponsored forums to increase information sharing among federal, state and local agencies responsible for cybersecurity.

But auditors said DHS must still overcome numerous challenges, such as acquiring sufficient stability and appropriate authority and fixing hiring and contracting problems.

GAO said the department also needs to create effective two-way information-sharing partnerships with other stakeholders, including federal, state and local government agencies and the private sector, which the government estimates owns and operates as much as 90 percent of the nation’s critical infrastructure.

Although information sharing makes it possible for DHS to protect the country, it also leaves all participants more vulnerable to cyberattacks, GAO warned.

DHS has made important improvements but has still failed to satisfactorily fulfill any of its 13 main duties for protecting the country from cyberthreats, GAO found. Those duties include enhancing national and international cybersecurity by improving the nation's ability to detect, prevent and respond to cyberattacks.

To get DHS where it needs to be, GAO recommended that the department reach out and work with important stakeholders to prioritize the most important cybersecurity responsibilities. Those duties are outlined in the department’s strategic plan for cybersecurity but also include others the GAO suggested.

The report’s authors reiterated three suggestions that GAO had made in prior reports for improving cybersecurity. The authors wrote that they declined to make new recommendations until DHS enacts the previous ones.

DHS should develop national cyberthreat and vulnerability assessments. It should create contingency recovery plans for infrastructure sectors and determine where different sectors are interdependent. It should also create cybersecurity contingency recovery plans, especially for restoring primary Internet functions.

The department should require the national cybersecurity director to create a prioritized list of activities that would most effectively address the challenges keeping DHS from success, the authors recommended.

Finally, DHS should create performance measures and milestones for accomplishing those activities and meeting its responsibilities and tracking its progress, the authors wrote.

DHS has already done much of what GAO wants, Pecinovsky wrote. The national cybersecurity director already has a prioritized list of activities that is updated every quarter, he wrote.

The strategic plan for cybersecurity already includes performance measures and milestones, Pecinovsky said. Because the National Cyber Security Division is so new, many of its milestones have to do with establishing programs and procedures and are not quantifiable, he said.

"The initial measure of success is whether or not the programs got off the ground in a timely manner and are moving ahead on schedule," Pecinovsky wrote. "As the programs become more established, performance measures will increasingly shift toward quantitative measures to evaluate the relative success of the program."

The department did agree with GAO's recommendation to engage stakeholders more in prioritizing major cybersecurity responsibilities. It also concurred that it needed to put more energy toward assessing cybersecurity threats for all critical infrastructure sectors.

Responding to Pecinovsky, the report’s authors wrote that DHS' strategic plan for cybersecurity does not include "specific initiatives that would ensure that the challenges are addressed in a prioritized and comprehensive manner," the report states. Neither has DHS shown any evidence that it has fulfilled GAO's recommendations, the authors state.

What's more, DHS has not made any significant progress since 2001 in creating a method to analyze and warn against cyberthreats, the report stated. The department has yet to collect industry-specific data and identify interdependencies among sectors, it noted.

The department must increase overall awareness of cybersecurity roles and abilities and show the value that DHS provides for cybersecurity, GAO concluded.