DHS Cyber Division Shows ‘Limited’ Progress Since White House Push
The National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS) has made “limited” progress in the four years since the White House released its National Strategy to Secure Cyberspace, the DHS Inspector General said in a report made public last week. Many recommendations from the IG’s 2004 report on the NCSD “remain open,” but in some areas the unit has improved, such as in the cyber exercises it conducts with the public and private sector, the report said.
Setting up the U.S. Computer Emergency Readiness Team (US-CERT), the operational arm of NCSD, is its greatest accomplishment since the lackluster 2004 report, the IG said. NCSD has also set up programs to maintain relationships with cyber professionals in and out of government, reduce software vulnerabilities, develop standards and best practices, improve international ties, train cyber professionals and conduct cyber exercises with other entities.
The programs often lack timetables or will be implemented far in the future, though, the report said. Although NCSD personnel told the IG that the programs in its May 2006 draft strategic plan were priorities, NCSD management goals and available resources suggest that they are not, the IG said. The Control Systems Security Program, intended to reduce the risk to critical infrastructure, will not be fully rolled out until fiscal year 2009. The same goes for the unit’s computer forensics laboratory, though it will start training this fall, the report said.
NCSD has no way to effectively monitor its milestones, the report said. The unit uses the quarterly Program Assessment Rating Tool (PART), developed by the Office of Management and Budget (OMB), but that tracks only milestones met and does not identify delays. Resource requirements are not matched to milestones, and four of the ten reviewed programs gave broad ranges for milestones, omitting mention of any interim milestones, the IG said. The unit needs to set short- and long-term milestones, using the Strategy Summary report by the assistant secretary for cyber security and telecommunications (since retitled “cyber security and communications”), the IT-Sector Specific Plan, and the 2003 White House report, and consolidate the tracking of initiatives and milestones, with quarterly reviews, the report said. The assistant secretary’s office said it will develop short- and long-term priorities through 2009 and has scheduled its first quarterly review for fiscal year 2008. But the office disputed the IG’s finding that the NCSD is not effectively monitoring its milestones. The NCSD will devise a “comprehensive implementation plan” for tracking milestones, however, which the IG said would “satisfy” its recommendation.
Performance measures are lacking at NCSD, which seems to emphasize quantity over quality, the IG said. Its measures track the number of newsletters issued and conference or workshop attendance, for example, but not their effect on the cyber community, reductions in vulnerabilities or usefulness to the public. The assistant secretary’s office again disagreed with the finding, saying NCSD started collecting program-level measures in the third quarter of fiscal 2006, and recently revised its PART measures to cover all programs. The IG again said this effort will satisfy its recommendation to develop new measures.
The US-CERT is not effectively tracking security incidents at the federal agencies, which have been OMB concerns going back three years, the IG said. The team also has not figured out how to combine reports from the automated network monitoring Einstein tool with other analyses to find incident under-reporting. The numbers are way off for agencies of comparable size: An agency with 56,000 employees had 726 reported incidents in the two years through fall 2006, while a 67,000-person agency had 17. Part of this comes from low agency participation in the Einstein program; not even DHS uses Einstein for its own networks. US-CERT complained previously that it does not have authority to enforce incident reporting by agencies and has resorted to stressing the need to report to the interagency Chief Information Officers Council, the IG said. The assistant secretary’s office said it could not analyze incident submissions to identify under-reporting, as the IG recommended, because it cannot enforce compliance with the Federal Information Security Management Act. NCSD is working to expand Einstein participation, though, which included eight agencies as of December, when the draft IG report was completed. The unit also is working to implement Einstein at DHS.
Business grumbles that NCSD does not meet regularly with senior executives of major IT sector companies, the report said. But companies are also wary of sharing information with NCSD because the unit did not specify what information it wanted, why it was needed and what would be done with it. They also complained that NCSD overclassified information that companies need to protect their assets, or else NCSD did not tell them clearly whether such information can be shared with others inside the companies, the IG said. This is a result of sharing blocks imposed by “originating organizations,” such as the Defense Department and intelligence community, but NCSD is working more closely with these agencies to limit the blocks, the report said. The IG’s recommendations to improve communications and formalize procedures for distributing classified information were among the few in the report with which the NCSD fully concurred. The unit’s Internet Disruption Working Group, for example, completed an information-sharing guidelines draft that will be shared at the next group forum.
The Einstein program and Cybercop Portal, a Web-based law enforcement sharing platform, are up for recertification by OMB this year but fall short in some ways, the IG said. Einstein lacks information on connected devices and the program does not touch backup and recovery in its contingency plan, which NCSD has not tested, the report said. NCSD also has not annually tested systems controls in Cybercop or trained contractors in security awareness for the portal. On the plus side, security tests by the IG found no high-risk vulnerabilities on Cybercop and only two medium-risk vulnerabilities on Einstein. NCSD agreed with IG recommendations to update certification documents, test contingency plans and security each year and train contractors in security. Einstein’s backup system was tested in March and more tests are planned for this year, but the assistant secretary’s office did not say whether it will test Cybercop’s offsite backup.