By Michael Arnone
July 19, 2005
The Homeland Security Department is failing to adequately protect the
nation's critical infrastructure and the information technology that
supports it, the Government Accountability Office told the Senate
DHS has made strides in improving cybersecurity but has not yet
addressed long-standing cybersecurity deficiencies, said David Powner,
GAO's director for IT management issues. He addressed the Senate
Homeland Security and Government Affairs Subcommittee on Federal
Financial Management, Government Information and International
"Until it effectively confronts and resolves these underlying
challenges, DHS will have difficulty achieving significant results in
strengthening the cybersecurity of our nation's critical
infrastructures, and our nation will lack the strong cybersecurity
focal point envisioned in federal law and policy," Powner said.
Critical infrastructure includes systems necessary for the nation to
function smoothly, including transportation, health care, the power
supply and communications.
DHS should act on GAO suggestions, some dating back to 2001, to
enhance cybersecurity for critical infrastructure, Powner said in his
written testimony submitted to the Senate subcommittee. These include:
* Develop a generally accepted methodology to strategically analyze
cyberthreats and warn against them.
* Create a more detailed strategy to better protect the IT-dependent
control systems for critical infrastructure with the private sector.
* Establish metrics, policies and procedures to improve information
sharing with the private sector.
* Finish threat and vulnerability assessments for each sector of
DHS still has not accomplished several key duties laid out for it in
President Bush's 2002 National Strategy to Secure Cyberspace, Powner
wrote. It still has not developed a national cyberthreat assessment,
nor has it assessed each sector's vulnerabilities or identified
cross-sector interdependencies as the strategy calls for, he wrote.
The high turnover of personnel in key cybersecurity positions weakens
the National Cybersecurity Division's power to plan and fulfill
activities, Powner wrote. In the past year, the NCSD director, the
undersecretary for the Information Analysis and Infrastructure
Protection directorate and three other senior staff members have left
the department, he wrote.
Powner advocated increasing the power of the NCSD's director to
improve the agency's ability to form partnerships and share
He also noted that DHS' hiring and contracting practices have led some
candidates not to apply for NCSD vacancies, because they have to wait
unreasonably long to be considered. Slow payments to contractors have
caused NCSD to lose some contracted services, he added. In addition,
DHS has done a poor job of making critical infrastructure stakeholders
aware of the department's cybersecurity activities and the value of
the information it provides, he testified.
DHS has failed at cultivating private sector relationship, he said.
Agency personnel have been too reluctant to share important
information, Powner said in his written testimony.
"An official from the water sector noted that when representatives
called DHS to inquire about a potential terrorist threat, they were
told that DHS could not share any information and that they should
"watch the news," he wrote.
Infrastructure stakeholders in turn don't openly share their
cybersecurity information with DHS, he wrote. Infrastructure
representatives are unclear on how DHS will use information, share it
and protect it, he wrote.
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.