At loggerheads over cybersecurity

As DHS, GAO disagree, one expert says a pox on both their houses

The Homeland Security Department is not doing enough to protect the nation's critical infrastructure from cyberattacks, according to a report last month by the Government Accountability Office.

DHS officials disagreed with the audit report issued last week, saying it implies that challenges have prevented them from making significant progress in achieving the agency's mission.

But one telecommunications analyst said neither GAO nor DHS is doing enough to protect the nation from cyberattacks. Warren Suss, president of Suss Consulting, described the GAO review as a mostly superficial study that understates the challenges of protecting computer systems that control critical infrastructures, such as telecom networks, electrical power grids, oil pipelines and water treatment plants.

Even if DHS fulfills all 13 of the broad responsibilities GAO auditors outlined in the report, "it doesn't answer whether the mandates are adequate to address the threat," Suss said.

GAO said that until agency officials complete critical work, "DHS cannot effectively function as the cybersecurity focal point intended by law and national policy."

Steven Pecinovsky, director of DHS' GAO/Office of Inspector General Liaison, said in written comments that he disagreed with the report's implication that the department has not improved the nation's cybersecurity readiness. He disputed its conclusion that DHS has not sufficiently implemented all of GAO prior recommendations, and he argued that GAO auditors are unclear about what DHS needs to do and why DHS' performance measures are inadequate.

The auditors acknowledged that DHS has made strides to improve cybersecurity since 2003. DHS officials have developed an Interim National Infrastructure Protection Plan that addresses cybersecurity, for example.

But the auditors said DHS must still overcome other challenges, such as exerting appropriate authority and fixing hiring and contracting problems.

They also said DHS needs to create effective two-way information sharing with other federal, state and local government agencies and the private sector. The private sector owns and operates as much as 90 percent of the nation's critical infrastructure, according to government experts.

Although information sharing is necessary for critical infrastructure protection, it also leaves participants more vulnerable to cyberattacks, according to the report.

The report reiterates three suggestions for improving cybersecurity that GAO has made in previous reports. Its authors said they declined to make new recommendations until DHS enacts the previous ones.

Rep. Christopher Cox (R-Calif.), chairman of the House Homeland Security Committee, said in a statement after the report's release that GAO's analysis affirms what the committee has been saying for the past two-and-a-half years, which is that "the status quo does not serve our cybersecurity needs."

The matter of DHS' performance is a critical one, Suss said, adding that the race between cyberattackers and defenders is as important and heated as the nuclear arms race. He said the government and the private sector need to assess vulnerabilities and create cutting-edge solutions more quickly than they have so far to stave off an unimaginable disaster.

DHS' mission impossible?

Now in its third year, the Homeland Security Department is not fulfilling its significant responsibilities for protecting the nation's critical infrastructure from cyberattacks and cyberterrorism, a Government Accountability Office review has found.

DHS' responsibilities are:

  • Enhancing cybersecurity at the federal, state and local government levels.
  • Strengthening international cybersecurity.
  • Integrating cybersecurity into national security.
  • Developing a national plan to protect critical infrastructure.
  • Identifying and assessing cyberthreats and vulnerabilities.
  • Supporting efforts to reduce cyberthreats and vulnerabilities.
  • Creating and coordinating partnerships with federal, state and local governments and the private sector.
  • Improving public/private information sharing about cyberattacks, threats and weaknesses.
  • Developing and improving the nation's cyberthreat analysis and response system.
  • Creating and coordinating incident response and recovery planning efforts.
  • Promoting research and development that strengthens cybersecurity.
  • Promoting cybersecurity awareness and outreach.
  • Promoting training and certification in cybersecurity competencies.

— Michael Arnone

2014 Rising Star Awards

Help us find the next generation of leaders in federal IT.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above