Security News > 2005 > May > GAO: DHS cybersecurity plans need more work

GAO: DHS cybersecurity plans need more work
2005-05-27 07:27

http://www.computerworld.com/securitytopics/security/story/0,10801,102049,00.html By Linda Rosencrance MAY 26, 2005 COMPUTERWORLD The U.S. Department of Homeland Security must do more to protect the nation's critical information infrastructure, according to a report released today by the Government Accountability Office [1]. While the agency has begun efforts to fulfill its cybersecurity duties, "it has not fully addressed any of the 13 [primary] responsibilities, and much needs to be done," the GAO said. Those responsibilities include developing a national plan for critical infrastructure protection that includes cybersecurity; developing partnerships and coordinating efforts with other federal agencies, state and local governments and the private sector; improving public/private sharing of information on cyberattacks, threats and vulnerabilities; and developing and improving national cyberanalysis and warning capabilities. The DHS has already established the U.S. Computer Emergency Readiness Team (U.S. CERT) as a public/private partnership to make cybersecurity a coordinated national effort, the GAO said. And it has established forums designed to build trust and information sharing among federal officials with information security responsibilities and law enforcement entities. But it has not yet developed national cyberthreat and vulnerability assessments or contingency plans for cybersecurity -- including a plan for recovering key Internet functions, the GAO said. The report prompted members of Congress to call on the DHS to get moving. "I am troubled that more progress has not been made," Sen. Joseph I. Lieberman (D-Conn.) said in a statement [2]. "We have a long road ahead before the cyberstructure that underpins our nation's critical infrastructure is secured from pranksters and saboteurs." Rep. Bennie G. Thompson (D-Miss.), ranking member of the House Committee on Homeland Security, said in a statement he is concerned that "the DHS is bogged down by the wrong priorities and is unable to carry out its responsibility to improve the nation's cybersecurity infrastructure protections." Thompson noted that the DHS needs to do more to develop its ability to analyze computer-based threats, something the GAO urged the department to complete in 2001. "As long as the department is not our nation's focal point for cybersecurity, our critical infrastructures remain largely unprepared or unaware of cybersecurity risks and how to respond to cyberemergencies," he said. "This is unacceptable, as so much of our daily lives -- from our banking to our water and electricity supplies -- rely on a strong cyberinfrastructure." Rep. Zoe Lofgren (D-Calif.) said that the GAO report only confirms what Congress has known all along -- that the homeland security agency has failed to meet its responsibility for critical infrastructure protection. Lofgren, the ranking member on the House Homeland Security Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment, is one of the representatives who requested the report. "And even worse, this report proves that a national plan to secure our cybernetworks is virtually nonexistent," said Lofgren in a statement. "There is no doubt that these vulnerabilities will continue to hamper our homeland security efforts if we do not make cybersecurity a major priority." According to the GAO, the department faces a number of challenges that have hindered its efforts to protect the nation's critical information infrastructure. Those challenges include achieving organizational stability; gaining organizational authority; overcoming hiring and contracting issues; increasing awareness about cybersecurity roles and capabilities; establishing effective partnerships with stakeholders; achieving two-way information sharing with those stakeholders; and demonstrating the value it can provide. Although the DHS has identified beginning steps to address cybersecurity challenges, "until it confronts and resolves these underlying challenges and implements its plans, DHS will have difficulty achieving significant results," according to the report. In written comments based on a draft of the GAO report, DHS officials agreed with the need to prioritize its cybersecurity responsibilities, but disagreed with the recommendations on how best to solve its problems. It asked the GAO for more information on the recommendations and said its strategic plan includes a prioritized list of key activities that are reviewed and updated on a quarterly basis. DHS officials could not be reached for comment today. [1] http://www.gao.gov/new.items/d05434.pdf [2] http://www.house.gov/apps/list/press/ca16_lofgren/pr_052605_GAO_Critical_Infrastructures.html _________________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org


News URL

http://www.computerworld.com/securitytopics/security/story/0,10801,102049,00.html