What a week for DHS cyber security efforts. Congressional hearings, think tank studies, and GAO reports all arguing that the Department is underpowered and disorganized in its effort to carry out its role as a lead in the National Cyber Security Initiative, a multi-billion dollar program to protect federal and private sector internet assets against attack and exploitation.
Not to leave anything ambiguous, GAO released three new studies this week:
• DHS Faces Challenges in Establishing a Comprehensive National Capability
• DHS Needs to Better Address Its Cybersecurity Responsibilities
• DHS Needs to Fully Address Lessons Learned from Its First Cyber Storm Exercise
The pointy end of the spear is US-CERT. The US-CERT’s mission is to:
• analyze and reduce cyber threats and vulnerabilities
• disseminate cyber threat warning information
• coordinate incident response activities
They have a way to go. A new GAO report finds that US-CERT “lacks a comprehensive baseline understanding of the nation’s critical information infrastructure operations, does not monitor all critical infrastructure information systems, does not consistently provide actionable and timely warnings, and lacks the capacity to assist in mitigation and recovery in the event of multiple, simultaneous incidents of national significance.”
DHS spokesperson Laura Keehner explained that “We are undertaking something not unlike the Manhattan Project.” “Billions of dollars are going into this effort. We’re the first to admit there is more work to be done….” Of course, US-CERT was founded five years ago. In the last year, more cooks have been added to the kitchen, too. The DHS CIO has a leadership role, the Under Secretary for National Protection and Programs has a leadership role, the director of the National Cyber Security Center has a leadership role, the Assistant Secretary of Cyber Security and Communications has a leadership role.
This may be what drove James Lewis of the Center for Strategic & International Studies to tell Congress in testimony yesterday during a hearing on cyber issues that the core problems “are the lack of a strategic focus, overlapping missions, poor coordination and collaboration, and diffuse responsibility.”
Lewis serves on the Commission on Cybersecurity for the 44th Presidency along with 30+ other leading lights in this area, including Pete Allor of IBM and Paul Kurtz of Good Harbor. They make a pretty straight forward recommendation: If this is to be a truly national cyber initiative, move it to the White House. Getting this effort bogged down in DHS, the intelligence community, and DOD risks hobbling the whole endeavor, which is far too important.