Homeland Security flunks cybersecurity prep test
by Declan McCullagh , Staff Writer, CNET News.com | Published: 5/26/05
Agency's lackluster efforts to guard against Internet attacks may leave the U.S. "unprepared" for emergencies, federal auditors say.
News provided by:
The U.S. Department of Homeland Security has failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies, federal auditors said in a scathing report released Thursday.
More than two years after its creation, Homeland Security has never developed a contingency plan to restore Internet functions in an emergency and has yet to create a vulnerability assessment of what could happen in an worst-case scenario, the Government Accountability Office concluded.
"DHS cannot effectively function as the cybersecurity focal point intended by law and national policy" at the moment, the report (Click for PDF) said. "There is increased risk that large portions of our national infrastructure are either unaware of key areas of cybersecurity risks or unprepared to effectively address cyber emergencies."
The dismal grade for Homeland Security comes as the federal government is conducting a war game called "Silent Harbor" that's designed to model what might happen during an electronic attack on the United States. It was convened by the CIA's secretive Information Operations Center and was set to conclude Thursday.
Thursday's report represents the most critical take yet on the cybersecurity efforts of the still-young agency, which was intended to become a central point for online warnings and responses inside the federal government but instead has come under fire for being too sluggish. The November 2002 law creating the Department of Homeland Security melded together computer security centers from the FBI, the Defense Department, the Commerce Department and the Energy Department.
In a letter signed by Steven Pecinovsky, a Homeland Security inter-governmental liaison, the department took issue with the report's conclusions. Homeland Security does not "agree with the report's implication that the challenges experienced to date have prevented us from achieving significant results in improving the nation's cybersecurity posture," Pecinovsky wrote. Because Homeland Security is a new agency, it is using less formal, non-quantitative ways to measure progress, he added.
The GAO warned that bot networks, criminal gangs, foreign intelligence services, spammers, spyware authors and terrorists were all "emerging" threats that "have been identified by the U.S. intelligence community and others." Even though Homeland Security has 13 responsibilities in this area, it "has not fully addressed any," the GAO said.
Homeland Security has been suffering from an ongoing exodus of top-level staff. The director and deputy director of Homeland Security's National Cyber Security Division, a top Computer Emergency Response Team official, the undersecretary for infrastructure protection, and the assistant secretary responsible for information protection have all left in the past year. (The House of Representatives this month approved a reorganization of those departments.)
Democrats on Capitol Hill were quick to take up the report's findings to suggest that the Bush administration's cybersecurity efforts have been a flop.
The "report only confirms what we have known all along; the DHS has failed to meet the responsibility for critical infrastructure protection," said Rep. Zoe Lofgren, who represents the San Jose, Calif., area.
Rep. Bennie Thompson of Mississippi, the top Democrat on a congressional homeland security panel, charged that "our critical infrastructures remain largely unprepared or unaware of cybersecurity risks and how to respond to cyber emergencies. This is unacceptable."
This isn't the first time the Homeland Security has been rapped by auditors. Last year, one report said the agency was plagued by computer systems that were incompatible, and another found that Homeland Security was woefully behind in terms of sharing computer security information with private companies.