At loggerheads over cybersecurity

As DHS, GAO disagree, one expert says a pox on both their houses.

The Homeland Security Department is not doing enough to protect the nation's critical infrastructure from cyberattacks, according to a report last month by the Government Accountability Office.

DHS officials disagreed with the audit report issued last week, saying it implies that challenges have prevented them from making significant progress in achieving the agency's mission.

But one telecommunications analyst said neither GAO nor DHS is doing enough to protect the nation from cyberattacks. Warren Suss, president of Suss Consulting, described the GAO review as a mostly superficial study that understates the challenges of protecting computer systems that control critical infrastructures, such as telecom networks, electrical power grids, oil pipelines and water treatment plants.

Even if DHS fulfills all 13 of the broad responsibilities GAO auditors outlined in the report, "it doesn't answer whether the mandates are adequate to address the threat," Suss said.

GAO said that until agency officials complete critical work, "DHS cannot effectively function as the cybersecurity focal point intended by law and national policy."

Steven Pecinovsky, director of DHS' GAO/Office of Inspector General Liaison, said in written comments that he disagreed with the report's implication that the department has not improved the nation's cybersecurity readiness. He disputed its conclusion that DHS has not sufficiently implemented all of GAO's prior recommendations, and he argued that GAO auditors are unclear about what DHS needs to do and why DHS' performance measures are inadequate.

The auditors acknowledged that DHS has made strides to improve cybersecurity since 2003. DHS officials have developed an Interim National Infrastructure Protection Plan that addresses cybersecurity, for example.

But the auditors said DHS must still overcome other challenges, such as exerting appropriate authority and fixing hiring and contracting problems.

They also said DHS needs to create effective two-way information sharing with other federal, state and local government agencies and the private sector. The private sector owns and operates as much as 90 percent of the nation's critical infrastructure, according to government experts.

Although information sharing is necessary for critical infrastructure protection, it also leaves participants more vulnerable to cyberattacks, according to the report.

The report reiterates three suggestions for improving cybersecurity that GAO has made in previous reports. Its authors said they declined to make new recommendations until DHS enacts the previous ones.

Rep. Christopher Cox (R-Calif.), chairman of the House Homeland Security Committee, said in a statement after the report's release that GAO's analysis affirms what the committee has been saying for the past two-and-a-half years, which is that "the status quo does not serve our cybersecurity needs."

The matter of DHS' performance is a critical one, Suss said, adding that the race between cyberattackers and defenders is as important and heated as the nuclear arms race. He said the government and the private sector need to assess vulnerabilities and create cutting-edge solutions more quickly than they have so far to stave off an unimaginable disaster.

DHS' mission impossible?

Now in its third year, the Homeland Security Department is not fulfilling its significant responsibilities for protecting the nation's critical infrastructure from cyberattacks and cyberterrorism, a Government Accountability Office review has found.

DHS' responsibilities are:

  • Enhancing cybersecurity at the federal, state and local government levels.
  • Strengthening international cybersecurity.
  • Integrating cybersecurity into national security.
  • Developing a national plan to protect critical infrastructure.
  • Identifying and assessing cyberthreats and vulnerabilities.
  • Supporting efforts to reduce cyberthreats and vulnerabilities.
  • Creating and coordinating partnerships with federal, state and local governments and the private sector.
  • Improving public/private information sharing about cyberattacks, threats and weaknesses.
  • Developing and improving the nation's cyberthreat analysis and response system.
  • Creating and coordinating incident response and recovery planning efforts.
  • Promoting research and development that strengthens cybersecurity.
  • Promoting cybersecurity awareness and outreach.
  • Promoting training and certification in cybersecurity competencies.

— Michael Arnone