GAO Says DHS Should Conduct New Cyber Security Assessment

Department of Homeland Security officials should craft a new national cybersecurity threat assessment and draft plans to guide the government's response to an attack on U.S. computer systems, congressional auditors say in a new report.

As the agency "strives to fulfill its mission, it faces key challenges in building its credibility as a stable, authoritative, and capable organization and in leveraging private/public assets and information in order to clearly demonstrate the value it can provide," the Government Accountability Office states in a May 26 report. "There is increased risk that large portions of our national infrastructure are either unaware of key areas of cybersecurity risks or unprepared to effectively address cyber emergencies."

While ceding that DHS officials have taken a number of steps to bolster the nation's cybersecurity measures, GAO is critical of the department for failing to craft an assessment detailing the coast-to-coast threat to the nation's computer systems and networks.

In the report, GAO also urges homeland security officials to "engage appropriate stakeholders to prioritize key cybersecurity responsibilities so that the most important activities are addressed first."

However, the auditors state that starting partnerships with other entities has proved difficult for the still-young department. DHS has had some problems forging effective partnerships in the cybersecurity realm -- within the federal government and the private sector.

GAO calls on the department to craft "recovery plans" that could be used in the wake of an attack on U.S. networks. Such documents should discuss how the government and private sectors would go about restoring or doing without "key Internet functions," states the report.

In addition, the study urges DHS to "identify performance measures and milestones for fulfilling its prioritized responsibilities and for performing activities to address its challenges, and track organizational progress against these measures and milestones."

The report was requested by House Homeland Security Committee Chairman Christopher Cox (R-CA).

"GAO's analysis affirms what this committee has been saying for the past two and a half-years -- the status quo does not serve our cybersecurity needs," Cox said in a May 26 statement. "Responsibility for cybersecurity needs to be elevated and better coordinated within the department. The nation needs a principal federal authority on cybersecurity to secure this vital component of our national infrastructure."

On May 18, the House passed a $34.2 billion fiscal year 2006 homeland security authorization bill that would create a new assistant secretary for cybersecurity at DHS.

In a response to the auditors, DHS said it does not support several GAO recommendations, including one to establish "a prioritized list of key activities for addressing the underlying challenges" in the cybersecurity realm. Department officials told GAO they already use such a list, according to the report.

The GAO study comes after a presidential advisory panel delivered its own report on cybersecurity to the White House earlier this year (Inside the Pentagon, March 24, p1). In that Feb. 28 report, the President's Information Technology Advisory Committee said the federal government should overhaul its cybersecurity efforts by boosting financial support for civilian-conducted research and speeding the transfer of government-produced technologies to the private sector.

"The growing dependence"of the nation's critical infrastructure on key information technology systems means "the former cannot be secure if the latter is not," the PITAC report states. While "current technical approaches address some of our immediate needs, they do not provide adequate computer and network security," it adds.

In the 58-page study, the advisory panel group concluded that without a series of significant changes, critical infrastructures such as the nation's military and intelligence systems, power grids, air traffic control systems and financial networks could be at risk.

To remedy the perceived shortcoming, the committee called for an additional $90 million each year for civilian cybersecurity efforts. In addition to those extra dollars, DHS and the Pentagon's Defense Advanced Research Projects Agency should seek more funding to support private-sector research efforts, the PITAC report states.