DHS limps on cybersecurity, fails on IT security

'We're not currently considering any mandatory regulations in cybersecurity. ... if we need regulations, we will consult with our security partners.' - NCSD Acting Director Andy Purdy

Cybersecurity is one area where the Bush administration has tacitly admitted the need for stronger use of IT.

After years of prodding by Congress to elevate the position of National Cybersecurity Division director to the assistant secretary level, the administration mandated the change as part of its second stage review of the Homeland Security Department.

A drumbeat of warnings from the Government Accountability Office and the department's own Inspector General's Office preceded the move.

The department's failings in IT security threaten the success of its counterterrorism mission and its goal of providing efficient services.

Process hampered

Former Rep. Christopher Cox (R-Calif.) said, after a critical cybersecurity report this spring, 'GAO's analysis affirms what this committee has been saying for the past 2 1/2 years: The status quo does not serve our cybersecurity needs. Responsibility for cybersecurity needs to be elevated and better coordinated within the department.'

DHS has drafted plans for applying additional technology to cybersecurity defenses, but the process has been hampered by the lack of a comprehensive evaluation of the nation's vulnerabilities.

NCSD acting director Andy Purdy testified in July before the Senate Homeland Security and Governmental Affairs Committee's Subcommittee on Federal Financial Management, Government Information and International Security that a full threat analysis would not be ready until 2006 [GCN, July 25, page 9].

The federal government's existing cybersecurity threat evaluation is contained in a National Intelligence Estimate, which is classified.

NCSD has provided an unclassified briefing about the intelligence estimate to private companies in the telecommunications field. But when asked during a recent interview when the division would release a redacted version of the intelligence document to the public, Purdy hedged.

'We will ramp up our efforts to share information in a timely and actionable way,' he said, after referring to obscure efforts by the division and the Federal Trade Commission to publicize cybersecurity threats.

The weakness of the department's cybersecurity programs was reflected in Purdy's testimony that DHS' Government Forum of Incident Response and Security Teams had not held its first classified threat briefing with intelligence community agencies until this June.

In addition, formal resource sharing agreements among DHS and other agencies to fend off and recover from cyberattacks haven't been adopted because planning is incomplete.

Another weakness is that DHS officials haven't yet integrated their collaboration platform with the department's Homeland Security Information Network backbone.

DHS employees and the cybersecurity community as a whole now must wait for the assistant secretary position to be put in place this fall, along with the rest of the reorganization plan, and for an assistant secretary to be nominated and confirmed.

In the meantime, the NCSD is moving gingerly in its efforts to secure cyberspace.

The approach of mandating cybersecurity measures through regulation is off the table so far. 'We're not currently considering any mandatory regulations in cybersecurity,' Purdy said. 'The secretary has talked about where regulations fit into the mix and, if we need regulations, we will consult with our security partners.'

No role model

DHS itself isn't a glowing role model for IT security. The department has earned two failing grades in a row under OMB's Federal Information Security Management Act ratings and the House Government Reform Committee's report card.

Former DHS CIO Steve Cooper said in congressional testimony just before he left the department last spring that DHS would achieve a passing grade or better in IT security by 2006.

But a recent evaluation of the department's IT security by GAO lambasted DHS for incomplete risk assessments, a lack of security plans, and incomplete or absent testing and evaluation of existing policies and procedures.

'Although the [chief information security officer] has made significant progress in developing and documenting a departmentwide information security program, certain DHS components have not yet fully implemented key information security practices and controls as required by the program,' the report said.

DHS also fell short in its continuity-of-operations plans to restore critical systems following an unexpected failure or disaster. 'For all five of the continuity-of-operations plans reviewed, program officials either did not include all information necessary to restore operations ... or have a documented plan,' the report said.

To correct the problems, GAO urged DHS to perform the risk assessments, document security plans, test and evaluate security controls, report remedial action plans and test continuity of operations.

DHS' IT security failings have become a source of concern to major U.S. companies responsible for the safety of IT infrastructure.

A senior executive with responsibility for the homeland security policy of a multibillion-dollar telecommunications company said, 'We are on the receiving end of the requests [for infrastructure information from DHS], but we don't want to hand over info that could be a road map for terrorists.'

Alice M. Lipowicz contributed to this story.
