Lawmakers hit DHS on cyber plans

Langevin questions viability of a voluntary approach to critical infrastructure security

Survey of IT concerns

Most federal information technology managers and executives want security integrated into their networks, according to a survey of 200 agency officials conducted by Cisco Systems.

Other findings in the survey include:

* More than half said they expect IPv6 will improve their agency’s security architecture.

* Agencies spend most of their time trying to meet mandatory security requirements, but officials worry the most about one-time security incidents, such as interrupted service delivery or a loss of data privacy.

* Agencies are less worried about ongoing threats from unauthorized remote access or unknown flaws in application or operating system software.

— Mary Mosquera

The Homeland Security Department is caught in a predicament. It cannot order the private sector, which owns most of the country’s critical infrastructure assets, to safeguard the networks and computer systems that support those assets. However, lawmakers still expect DHS to play a major role in safeguarding power plants, nuclear reactors and other similar critical facilities.

The Government Accountability Office concluded that DHS has done a mediocre job of getting the country’s 17 critical infrastructure sectors to safeguard their plants against cyberattacks or other disasters, despite efforts it announced last year in the National Infrastructure Protection Plan. Sector planning has been minimal, Congress’ watchdog agency found in a recent review. None of the sectors met all 30 of GAO’s recommended cybersecurity criteria, such as prioritizing key vulnerabilities and measures to reduce those weaknesses.

“Until the plans fully address key cyber elements, certain sectors may not be prepared to respond to a cyberattack against our nation’s critical infrastructure,” said David Powner, director of information technology management issues at GAO. Powner testified Oct. 31 during a joint hearing of the House Homeland Security Committee’s Emerging Threats, Cybersecurity, and Science and Technology Subcommittee and the Transportation Security and Critical Infrastructure Protection Subcommittee.

The plans lawmakers criticized represent early efforts toward creating an infrastructure security road map, said Greg Garcia, DHS’ assistant secretary for cybersecurity and communications. Federal agencies lead specific sectors and coordinate critical infrastructure protection efforts with the private sector, he said. DHS is the sector-specific agency for coordinating the communications and IT sectors, but it also has overall responsibility for the plan.

The Cross-Sector Cyber Security Working Group was organized in May as a forum for exchanging information about common cybersecurity issues. Garcia said he expects that group will encourage sectors to identify systemic risks and mitigation strategies and share best practices. But participation is voluntary, he said.

“DHS is not empowered to compel the private sector to report back the extent to which they implement best practices,” Garcia said. Neither, he added, are the sector-coordinating councils authorized to order member companies to report back to them.

DHS plans to offer workshops next year with its sector partners to discuss creating incentives for voluntary risk assessments, developing cross-sector cybermetrics and identifying existing research and development projects, Garcia said.

Powner urged DHS officials to fully address GAO’s recommendations by September 2008. The private sector needs to improve its cybersecurity plans and start implementing them, he said. After those plans are set, DHS must track how well they are implemented, he added.

Powner said he was surprised that some sector plans GAO reviewed did not appear to be useful, although he acknowledged that individual companies are engaged in cybersecurity-focused activities. The plans “were just a paper exercise,” Powner said. “They do not identify actual asset vulnerabilities. We need a national cybersecurity risk assessment.”

Rep. Jim Langevin (D-R.I.), chairman of the Emerging Threats, Cybersecurity, and Science and Technology Subcommittee, said he was not confident that the government can safeguard the country’s critical infrastructure under DHS’ public/private partnership approach. “Laissez-faire is arguably not the appropriate model,” Langevin said, adding that many would consider protecting the critical infrastructure an issue of national security.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
