Congress slams Homeland Security's tech efforts

Politicians claim the department suffers from lack of leadership and a flawed information-sharing system.

Anne Broache
Anne Broache Staff Writer, CNET News.com
Anne Broache
covers Capitol Hill goings-on and technology policy from Washington, D.C.
4 min read
WASHINGTON--The U.S. Department of Homeland Security on Wednesday sustained more bashing of its cybersecurity efforts from politicians and government auditors.

In what has become a familiar refrain, a chorus of Republicans and Democrats--all from the U.S. House of Representatives panel on telecommunications and the Internet--urged the agency to get its act together and appoint a long-awaited cybersecurity czar.

Then, at a sparsely attended afternoon hearing here, members of the House of Representatives' Homeland Security panel grilled department officials about shortcomings in the Homeland Security Information Network, which was intended to ease sharing of counterterrorism information among federal, state and local investigators.

During the morning hearing, politicians voiced dismay at the unsurprising findings of a Government Accountability Office report (click for PDF) that was released Wednesday and that had been prepared at the committee's request.

"Both government and the private sector are poorly prepared to effectively respond to cyberevents," David Powner, the GAO's director of information technology management issues, told the politicians. "Although DHS has various initiatives under way, these need to be better coordinated and driven to closure."

The Department of Homeland Security, which is chiefly responsible for coordinating responses to cyberattacks, also has no concrete plan for responding to cyberdisasters in partnership with the private sector, Powner said.

A long job search
The department's Under Secretary for Preparedness George Foresman adopted a defensive posture throughout the two-hour hearing, which also included testimony from the Federal Communications Commission and private sector representatives. A similar slate of witnesses, including Foresman, was scheduled to testify on the subject before a House Homeland Security panel on Wednesday afternoon.

Foresman emphasized that finding someone to fill the post of assistant secretary for cybersecurity and telecommunications remains a "top priority" for the department. The post has been vacant since its creation in July 2005, a situation that has drawn a rash of criticism inside and outside the government.

"We are in the final stages of a security process review for a candidate we feel is very well-qualified," he said. "We look forward to announcing this candidate with Congress very soon."

For a number of politicians, that assurance wasn't good enough. "To have gone this long without any attention to this or without having someone direct this part of the orchestra is dangerous for this country, I think, in plain English," said Rep. Anna Eshoo, a California Democrat. "I'm not one to try to hype up fear and all that, but we've placed outselves in a real ditch here by not having the administration name someone."

Foresman said he would "strenuously object" to the insinuation that department has been sitting idle while the post has remained vacant. "Had we been in neutral the entire time, I think there would be a grave concern, but I think we have been in overdrive all the time," he said.

One example of an action the department has taken was a weeklong mock attack called Cyber Storm, he said. The agency on Wednesday released a 17-page "after-action report" assessing the results of the February exercise, which involved more than 100 public and private agencies, associations, and corporations from more than 60 locations across five countries.

Among the challenges experienced during the exercise, according to the report, are an insufficient number of "technical experts" on board to "fully leverage the large volume of incident information that was being provided;" difficulty figuring who to call within organizations to seek help during crises; and lack of a rapid means to assess and prioritize--or "triage"--cyber incidents.

Terrorist cyber-attacks?
Fresh off commemorations of the fifth anniversary of the Sept. 11 attacks earlier this week, some members at the morning hearing seemed particularly alarmed by the specter of terrorist-driven cyberincidents.

"Certainly cyberterrorism is something that is likely to be in al-Qaida's playbook, and we should be vigilant against such threats," said Rep. Edward Markey, a Massachusetts Democrat who serves as co-chairman of the panel.

"Some people probably think they're exempt from the impact of the Internet, but you'd almost have to live in a cave to be truly unaffected," added Texas Republican Joe Barton, who serves as chairman of the influential House Energy and Commerce Committee. A widespread disruption on that front, he quipped, "is exactly the outcome envisioned by a man who does live in a cave: Osama bin Laden."

That theme continued in the afternoon hearing, convened by a House panel on intelligence, information-sharing and terrorism risk assessment.

"If we are not successful in our information-sharing efforts, then we are not going to be successful in connecting the dots to protect our people and our nation from the possibility of additional attacks," said Connecticut Republican Rob Simmons, the panel's chairman.

The focus of concern was a June 2006 report (click for PDF) from the department's Inspector General's Office that found the agency's information-sharing network was not performing as intended.

The Department of Homeland Security's Assistant Inspector General Frank Deffer outlined a number of those flaws. They included an overly rushed schedule for rolling out and expanding the system after DHS inherited control of it in 2003; inadequate training and guidance for users on how to use it; general mistrust for the secrecy of information shared through the portals; and lack of availability of real-time information about situations.

During the 2005 London Underground bombings, for instance, "users were able to get better information faster by calling personal contacts at law enforcement agencies with connections to the London police than by using the system," Deffer said. As a result, the system has very few active users, he said.

"Taxpayers really should be outraged by what's happened here," Rep. Zoe Lofgren, a California Democrat, said of the $50 million undertaking. "The program is not only a model of haste and waste, but it's a missed opportunity to do things right."