
Report: Federal cybersecurity effort needs improvement

An internal Department of Homeland Security report cites progress, before digging into the many problems still present.

Robert Lemos Staff Writer, CNET News.com
The Department of Homeland Security has made some progress in hardening the nation's networks against cyberattacks, but many issues still remain, said an internal DHS report published Thursday.

The report--created by the Office of Inspector General--found that the National Cyber Security Division, part of the DHS's Information Analysis and Infrastructure Protection Directorate, has failed to create an overall strategy with goals for the division, to provide effective guidelines for the private sector, and to create formal communications channels to warn government, intelligence or international communities of threats.

The National Cyber Security Division "must address these issues to reduce the risk that the critical infrastructure may fail due to cyberattack," the report concluded.

The Office of Inspector General stressed in the report that, rather than serving as a testament to any failure, the report's conclusions outline a work in progress--progress, however, that could proceed faster.

"The DHS has experienced delays in establishing its structure, which includes defining its budget and staffing requirements, and faces a number of additional challenges in instituting the enhanced cyberthreat analysis organization that is needed to address long-term threats and vulnerabilities to the nation's critical infrastructure," the OIG said in the report.

The report acknowledges that the National Cyber Security Division and its chief, Amit Yoran, have embarked on many initiatives. In the past year, the agency has formed the national clearinghouse for threat information; the U.S. Computer Emergency Response Team, or US-CERT; and a cyberalert system. It has also met repeatedly with luminaries in private industry to form recommendations.

However, the report found that the NCSD still needs almost 50 percent more staff and better articulated strategies, with formally expressed milestones, in order to more effectively achieve its goal of protecting the nation's networks and computers. To date, the NCSD's Vulnerability Analysis branch is the only group to have drafted a document that expresses performance objectives, the report noted.

The DHS' Information Analysis and Infrastructure Protection Directorate said the report did not fully outline all the accomplishments of the NCSD.

"As with any newly formed organization, the rate of change...is significant and presents unique challenges not facing other government organizations," Frank Libutti, undersecretary for the Information Analysis and Infrastructure Protection Directorate, said in a letter accompanying the report. "As a result, some programs within DHS, including several of the cybersecurity programs discussed in the OIG report, are executed quickly to show immediate value and tactical progress and are later modified over time to address more strategic issues."

The report is available from the Department of Homeland Security's Web site.