Lawmakers hit DHS on cyber plans

The Homeland Security Department is caught in a predicament. It cannot order the private sector, which owns most of the country’s critical infrastructure assets, to safeguard the networks and computer systems that support those assets. However, lawmakers still expect DHS to play a major role in safeguarding power plants, nuclear reactors and other similar critical facilities. The Government Accountabilty Office concluded that DHS has done a mediocre job of getting the country’s 17 critical infrastructure sectors to safeguard their plants against cyberattacks or other disasters, despite efforts it announced last year in the National Infrastructure Protection Plan. Sector planning has been minimal, Congress’ watchdog agency found in a recent review. None of the sectors met all 30 of GAO’s recommended cybersecurity criteria, such as prioritizing key vulnerabilities and measures to reduce those weaknesses. “Until the plans fully address key cyber elements, certain sectors may not be prepared to respond to a cyberattack against our nation’s critical infrastructure,” said David Powner, director of information technology management issues at GAO. Powner testified Oct. 31 during a joint hearing of the House Homeland Security Committee’s Emerging Threats, Cybersecurity, and Science and Technology Subcommittee and the Transportation Security and Critical Infrastructure Protection Subcommittee. The plans lawmakers criticized represent early efforts toward creating an infrastructure security road map, said Greg Garcia, DHS’ assistant secretary for cybersecurity and communications. Federal agencies lead specific sectors and coordinate critical infrastructure protection efforts with the private sector, he said. DHS is the sector-specific agency for coordinating the communications and IT sectors, but it also has overall responsibility for the plan. The Cross-Sector Cyber Security Working Group was organized in May as a forum for exchanging information about common cybersecurity issues. Garcia said he expects that group will encourage sectors to identify systemic risks and mitigation strategies and share best practices. But participation is voluntary, he said. “DHS is not empowered to compel the private sector to report back the extent to which they implement best practices,” Garcia said. Neither, he added, are the sector- coordinating councils authorized to order member companies to report back to them. DHS plans to offer workshops next year with its sector partners to discuss creating incentives for voluntary risk assessments, developing cross-sector cybermetrics and identifying existing research and development projects, Garcia said. Powner urged DHS officials to fully address GAO’s recommendations by September 2008. The private sector needs to improve its cybersecurity plans and start implementing them, he said. After those plans are set, DHS must track how well they are implemented, he added. Powner said he was surprised that some sector plans GAO reviewed did not appear to be useful, although he acknowledged that individual companies are engaged in cybersecurity-focused activities. The plans “were just a paper exercise,” Powner said. “They do not identify actual asset vulnerabilities. We need a national cybersecurity risk assessment.” Rep. Jim Langevin (D-R.I.), chairman of the Emerging Threats, Cybersecurity, and Science and Technology Subcommittee, said he was not confident that the government can safeguard the country’s critical infrastructure under DHS’ public/private partnership approach. “Laissez- faire is arguably not the appropriate model,” Langevin said, adding that many would consider protecting the critical infrastructure an issue of national security.