Lawmakers hit DHS on cyber plans

Langevin questions viability of a voluntary approach to critical infrastructure security

Survey of IT concerns

Most federal information technology managers and executives want security integrated into their networks, according to a survey of 200 agency officials conducted by Cisco Systems.

Other findings in the survey include:

* More than half said they expect IPv6 will improve their agency’s security architecture.

* Agencies spend most of their time trying to meet mandatory security requirements, but officials worry the most about one-time security incidents, such as interrupted service delivery or a loss of data privacy.

* Agencies are less worried about ongoing threats from unauthorized remote access or unknown flaws in application or operating system software.

— Mary Mosquera

The Homeland Security Department is caught in a predicament. It cannot order the private sector, which owns most of the country’s critical infrastructure assets, to safeguard the networks and computer systems that support those assets. However, lawmakers still expect DHS to play a major role in safeguarding power plants, nuclear reactors and other similar critical facilities.

The Government Accountability Office concluded that DHS has done a mediocre job of getting the country’s 17 critical infrastructure sectors to safeguard their plants against cyberattacks or other disasters, despite efforts it announced last year in the National Infrastructure Protection Plan. Sector planning has been minimal, Congress’ watchdog agency found in a recent review. None of the sectors met all 30 of GAO’s recommended cybersecurity criteria, such as prioritizing key vulnerabilities and measures to reduce those weaknesses.

“Until the plans fully address key cyber elements, certain sectors may not be prepared to respond to a cyberattack against our nation’s critical infrastructure,” said David Powner, director of information technology management issues at GAO. Powner testified Oct. 31 during a joint hearing of the House Homeland Security Committee’s Emerging Threats, Cybersecurity, and Science and Technology Subcommittee and the Transportation Security and Critical Infrastructure Protection Subcommittee.

The plans lawmakers criticized represent early efforts toward creating an infrastructure security road map, said Greg Garcia, DHS’ assistant secretary for cybersecurity and communications. Federal agencies lead specific sectors and coordinate critical infrastructure protection efforts with the private sector, he said. DHS is the sector-specific agency for coordinating the communications and IT sectors, but it also has overall responsibility for the plan.

The Cross-Sector Cyber Security Working Group was organized in May as a forum for exchanging information about common cybersecurity issues. Garcia said he expects that group will encourage sectors to identify systemic risks and mitigation strategies and share best practices. But participation is voluntary, he said.

“DHS is not empowered to compel the private sector to report back the extent to which they implement best practices,” Garcia said. Neither, he added, are the sector-coordinating councils authorized to order member companies to report back to them.

DHS plans to offer workshops next year with its sector partners to discuss creating incentives for voluntary risk assessments, developing cross-sector cybermetrics and identifying existing research and development projects, Garcia said.

Powner urged DHS officials to fully address GAO’s recommendations by September 2008. The private sector needs to improve its cybersecurity plans and start implementing them, he said. After those plans are set, DHS must track how well they are implemented, he added.

Powner said he was surprised that some sector plans GAO reviewed did not appear to be useful, although he acknowledged that individual companies are engaged in cybersecurity-focused activities. The plans “were just a paper exercise,” Powner said. “They do not identify actual asset vulnerabilities. We need a national cybersecurity risk assessment.”

Rep. Jim Langevin (D-R.I.), chairman of the Emerging Threats, Cybersecurity, and Science and Technology Subcommittee, said he was not confident that the government can safeguard the country’s critical infrastructure under DHS’ public/private partnership approach. “Laissez-faire is arguably not the appropriate model,” Langevin said, adding that many would consider protecting the critical infrastructure an issue of national security.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
