DHS Cybersecurity Efforts Need Clarity, Larger Business Role
Homeland Security Dept. cybersecurity got a harsh review in the Senate Tues. at a Homeland Security subcommittee hearing. The agency recently drew Govt. Accountability Office (GAO) fire for lagging on cybersecurity. GAO cited flaws included a failure to develop national cyberthreat and vulnerability assessments or contingency plans, especially against a successful Internet attack. DHS’s National Cyber Security Div. (NCSD) is making slow progress on those, NCSD Acting Dir. Andy Purdy told the subcommittee.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Purdy called the GAO report a “fair assessment of the progress to date,” saying he’s “confident that we will accelerate our cybersecurity efforts” once the new assistant secretary for cybersecurity and telecom is chosen. The unit, formed in 2003, is making progress toward providing guidance to other sectors via its Internet disruption working group and software assurance program among others, Purdy said.
“Much work remains ahead” at DHS on cybersecurity, said David Powner, GAO dir.-information technology management. “Several recommendations remain outstanding” from a DHS list of 13 cybersecurity responsibilities, such as effectively providing cyberanalysis and warning capabilities, he said. “Leveraging this new authority” and filling posts with talented people are sizable challenges for DHS, Powner added: DHS “cannot function as the cybersecurity focal point” without major changes.
Business trust in DHS cybersecurity competence continues to wane, Powner said. Representatives of banking and finance who met with Powner told him their trust in DHS wasn’t as high as it should be. Purdy emphasized increasing cooperation and contributions from industry. DHS’s Computer Emergency Readiness Team (US- CERT) has 200,000 govt. and private sector members sharing and using cybersecurity data. Meetings set for this fall with business representatives will boost candor and trust, he said. Asked by Coburn if the US-CERT portal is “100% secure,” with Purdy said that’s technically impossible.
Why has it taken DHS so long to build a comprehensive cybersecurity plan? Sen. Coburn (R-Okla.) asked. “It kind of scares you when ‘24’ is doing this ahead of the cybercrooks,” he said, citing scenarios for penetrating power company infrastructures. Purdy said NCSD has “accelerated” the setting of priorities by an Internet disruption working group, identifying assets and dependencies. He called the strengthening of control systems “robust.” Cooperation with the Treasury and Energy Departments. is also high, he said. Coburn pressed Purdy for a date when the full cybersecurity plan would be ready. The plan will be in “pretty good shape” but not final by summer’s end, Purdy said: “I certainly expect the cyber piece will be ready before the first of the year.”
Common security threats like Trojans and keystroke loggers may be used for larger infrastructure attacks down the road, which most worries NCSD, Purdy said. But cybersecurity successes also will be quiet, he added. Purdy cited an attack on a company with a govt. account that NCSD quickly isolated. They had a conference call with 15 other agencies likely to be vulnerable, and sent notice of the attack and recommendations for security to another 1,400 agencies. “We don’t publicize that information” so hackers aren’t aware of evolving internal defenses, Purdy said: “That kind of synergy will help us all.”
Who takes the lead in a cyberattack was unclear to GAO, Powner said: Some DHS responsibilities lack measurable milestones and key activities. If the whole Internet architecture were brought down, affecting multiple sectors, “the question is who’s in charge of leading that effort to reconstitute the Internet,” Powner said. Sen. Carper (D-Del.) asked which agency would take the biggest role; Purdy said NCSD would coordinate the effort across agencies.
The issue is not so much funding, slated to rise from $11 million to $15-16 million for control system protection in President Bush’s 2006 budget, Powner said. DHS should release regular updated cyberthreat assessments, which “would go a long ways toward adding credibility” in the private sector. When Coburn asked if DHS had “backup hardware infrastructure in place now” in the event of a major cyberattack, Purdy said “We're in pretty good shape on that,” but still need more private sector cooperation.
Citing the aphorism that “the best defense is a good offense,” Carper said ruefully, “it seems to me like we're playing a lot of defense.” Powner told Carper he couldn’t discuss offensive measures in public. Purdy emphasized that limiting vulnerabilities and prepping for inevitable attacks with full private sector cooperation is more important.
Deterring would-be cybercriminals was a sticking point for Carper and Coburn. Powner didn’t have numbers on frequency of catching attackers and severity of punishment, but noted a lot of cyberattacks never are detected, so “the chances are high they will not get caught.” Improving detection is a more pressing matter, he said. Purdy said limiting vulnerabilities and furthering R&D were more pressing: “If you don’t think you're going to get caught, it doesn’t matter what the punishment is.”