By Calvin Biesecker

The Department of Homeland Security (DHS), which is the lead federal agency for overseeing the cyber defense of the nation’s critical infrastructure, continues to fall short in meeting its roles and responsibilities here, the Government Accountability Office (GAO) said yesterday.

Since 2005 the GAO has made 30 recommendations in various reports on actions DHS needs to take to fully satisfy its obligations in cyber security, but the department hasn’t taken enough action on these recommendations, David Powner, director of Information Technology Management Issues at GAO, testified before the House Homeland Security Subcommittee on Emerging Threats and Cybersecurity.

For example, Powner said that GAO reported in fall 2007 that DHS had yet to establish a strategy for coordination across the federal government and with the private sector on the various ongoing efforts to improve control systems security. Moreover, he said, at the time DHS had also not been effective in sharing information on control system vulnerabilities with the public and private sectors. As a result, GAO had recommended that DHS develop the coordination strategy and create a process for quickly disseminating information on control system vulnerabilities.

Only recently has DHS begun work on those recommendations, Powner said.

Powner also disclosed a list of 12 recommendations to improve the nation’s cyber security posture distilled from panels of recognized cyber security experts that GAO brought together. The recommendations are:

  • Develop a national strategy that clearly articulates strategic objectives, goals, and priorities;
  • Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy;
  • Establish a governance structure for strategy implementation;
  • Publicize and raise awareness about the seriousness of the cybersecurity problem;
  • Create an accountable, operational cybersecurity organization;
  • Focus more actions on prioritizing assets and functions, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans;
  • Bolster public/private partnerships through an improved value proposition and use of incentives;
  • Focus greater attention on addressing the global aspects of cyberspace;
  • Improve law enforcement efforts to address malicious activities in cyberspace;
  • Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts;
  • Increase the cadre of cybersecurity professionals; and
  • Make the federal government a model for cybersecurity, including using its acquisition function to enhance cybersecurity aspects of products and services.

“In summary, our nation is under cyber attack, and the present strategy and its implementation have not been fully effective in mitigating the threat,” Powner said in his prepared remarks. “This is due in part to the fact that there are further actions needed by DHS to address key cybersecurity areas, including fully addressing our recommendations.”