GAO Report on Cyber-Security

The Government Accountability Office has prepared a report to Congress on progress and limitations of the Department of Homeland Security's efforts in cyber critical infrastructure protection and national information security.

Results in brief [emphasis mine]:

As the focal point for critical infrastructure protection, DHS has many cybersecurity-related roles and responsibilities that are called for in law and policy. These responsibilities include developing plans, building partnerships, and improving information sharing, as well as implementing activities related to the five priorities in the national cyberspace strategy:
(1) developing and enhancing national cyber analysis and warning,
(2) reducing cyberspace threats and vulnerabilities,
(3) promoting awareness of and training in security issues,
(4) securing governments’ cyberspace, and
(5) strengthening national security and international cyberspace security cooperation.
To fulfill its cybersecurity role, in June 2003, DHS established the National Cyber Security Division to serve as a national focal point for addressing cybersecurity and coordinating the implementation of cybersecurity efforts.

While DHS has initiated multiple efforts, it has not fully addressed any of the 13 key cybersecurity-related responsibilities that we identified in federal law and policy, and it has much work ahead in order to be able to fully address them. For example, DHS
(1) has recently issued the Interim National Infrastructure Protection Plan, which includes cybersecurity elements;
(2) operates the United States Computer Emergency Readiness Team to address the need for a national analysis and warning capability; and
(3) has established forums to foster information sharing among federal officials with information security responsibilities and among various law enforcement entities.
However, DHS has not yet developed national threat and vulnerability assessments or developed and exercised government and government/industry contingency recovery plans for cybersecurity, including a plan for recovering key Internet functions. Further, DHS continues to have difficulties in developing partnerships—as called for in federal policy—with other federal agencies, state and local governments, and the private sector.

DHS faces a number of challenges that have impeded its ability to fulfill its cyber CIP responsibilities. Key challenges include achieving organizational stability; gaining organizational authority; overcoming hiring and contracting issues; increasing awareness about cybersecurity roles and capabilities; establishing effective partnerships with stakeholders (other federal agencies, state and local governments, and the private sector); achieving two-way information sharing with these stakeholders; and demonstrating the value DHS can provide. In its strategic plan for cybersecurity, DHS has identified steps that can begin to address these challenges.

However, until it effectively confronts and resolves these underlying challenges, DHS will have difficulty achieving significant results in strengthening the cybersecurity of our nation’s critical infrastructures, and our nation will lack the strong cybersecurity focal point envisioned in federal law and policy.

We are making recommendations to the Secretary of Homeland Security to strengthen the department’s ability to implement key cybersecurity responsibilities by completing critical activities and resolving underlying challenges...

DHS agreed that strengthening cybersecurity is central to protecting the nation’s critical infrastructures and that much remains to be done. In addition, DHS concurred with our recommendation to engage stakeholders in prioritizing its key cybersecurity responsibilities. However, DHS did not concur with our recommendations to identify and prioritize initiatives to address the challenges it faces, or to establish performance metrics and milestones for these initiatives...

For example, the strategic plan for cybersecurity does not include initiatives to help stabilize and build authority for the organization. Further, the strategic plan does not identify the relative priority of its initiatives and does not consistently identify performance measures for completing its initiatives.

As DHS moves forward in identifying initiatives to address the underlying challenges it faces, it will be important to establish performance measures and milestones for fulfilling these initiatives.

See also Brian Krebs' report in the Washington Post.