US-CERT needs stronger regulatory teeth, larger staff, IG says

The Homeland Security Department organization that monitors federal and civilian computer networks for intrusions lacks sufficient statutory authority to enforce its computer security recommendations and doesn’t have enough staff to do its job, according to the department’s inspector general.

DHS Inspector General Richard Skinner told a congressional panel today that the U.S. Computer Emergency Readiness Team (US-CERT) needs new statutory authority to require agencies to implement the recommendations it makes for protecting their computer systems and networks.

“Until they have that authority or until there are mechanisms in place to ensure that compliance is in fact taking place, we’re going to continue to experience problems,” Skinner told members of the House Homeland Security Committee.

Skinner also told the committee that US-CERT doesn’t currently have in place an automated correlation tool in place to identify trends and anomalies, and is currently experiencing problems with reconfiguring a tool the recently purchased to do so.

Skinner’s testimony was based on findings of a recent audit his office did on US-CERT. Those findings come as senators begin to consider a bill introduced last week by Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine), and Thomas Carper (D-Del.) that would significantly expand DHS’ cybersecurity-related authorities. Some House lawmakers have expressed support for the proposal’s provisions.

Related Stories:

DHS would be cyber power center under Lieberman/Collins proposal

Cyber policy snared in legislative tangle

DHS names directors for US-CERT, National Cyber Security Division

• A lack of sustained leadership, such as high turnover in the leadership of US-CERT.
• Until recently, an insufficient investment in resources for cybersecurity at DHS.
• A lack of authority for US-CERT to enforce guidelines and recommendations for cybersecurity.
• Slow movement by other agencies to put DHS’ cybersecurity tools in place.

The IG also said DHS needed to do a better job of reaching out to people outside of the department that it collaborates with on cybersecurity. For example, Skinner said many of the interested parties that his office spoke with for the audit said they didn’t understand or hadn’t been trained on Einstein, the program DHS uses to detect cyber intrusions into civilian agencies’ systems.

Meanwhile, US-CERT can’t capture all network traffic because Einstein hasn’t been deployed to all federal agencies, the IG said. US-CERT officials told the IG, according to Skinner, that many agencies haven’t installed Einstein because they have not consolidated their gateways to the Internet and some agencies must update their networks’ architectures before Einstein can be deployed. Skinner said 21 agencies had Einstein deployed.

DHS is in the process of testing a third version of the Einstein program that would give the department the ability to prevent intrusions. The second version of Einstein which is still being deployed is focused on intrusion detection, while the first, less-advanced version analyzes network traffic flows. 

Greg Schaffer, DHS’ assistant secretary for cybersecurity and communications, told the committee that he thought the government was making progress in deterring cyberattacks on a regular basis through Einstein and reducing agencies connections to the open Internet.

However, Schaffer couldn’t provide a governmentwide number for how much malicious activity is happening on networks governmentwide, in part, because a second version of Einstein that does intrusion detection has only been deployed to 11 of 19 planned agencies. Schaffer said the information from the Einstein 2 intrusion detection system where it's been deployed so far shows 278,000 indications of potential malicious activity at the perimeter of networks each month, although not all attacks are necessarily successful.

Meanwhile, Schaffer said that DHS is moving quickly to hire more cybersecurity staff. He said that at the start of fiscal 2009, US-CERT only had 16 DHS staff members compared to today’s 55 with plans to hire 25 more staff by the end of September. US-CERT is supported by many more contractors.

“The type of people that we need to hire…are not easily found. The skill sets that we are looking for are very specific and are very high-level,” Schaffer said. “They are sought after by every department and agency that is trying to implement their program, by the private sector players who are anxious to ensure that their systems are defended.”

Schaffer didn’t say what if any additional authorities US-CERT and DHS need for cybersecurity. He said the administration is still reviewing the senate proposal to expand DHS’ power over computer security.