Fed Cyberdefenses Full of Holes, Say Government Reports
The federal government remains threatened by cyber-based threats because the Department of Homeland Security’s office in charge of cybersecurity needs more resources, several federal officials told the House Committee on Homeland Security Wednesday. Committee Chairman Bernie Thompson (D-Miss.) agreed but said major legislation will be difficult to pass in the short time that Congress remains in session this year.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
"DHS must be a major actor in this nation’s efforts to secure federal computer networks,” said Thompson at the hearing. “But none of this can occur without adequate staffing, planning and funding. Today, we must pledge to become as committed to secure our networks as our enemies are committed to breaching them."
At the hearing Thompson cited a report released Wednesday by the DHS Office of Inspector General finding major flaws in the agency’s U.S. Computer Emergency Readiness Team. US-CERT is the Homeland Security office analyzing and combating cybersecurity threats. But it doesn’t have sufficient staff to carry out cyberdefense efforts and can’t develop an internal capacity to deal with them because contractors outnumber staff by a 3-1 margin, he said. The office also has had four directors in five years, he added. “Given these administrative failings, it should come as no surprise that day-to-day operations may suffer.” But despite the problems facing DHS, cybersecurity legislation will be difficult to pass this year, Thompson told us after the hearing. There are many competing bills already in play and it’s late in the congressional session, he said.
The federal government needs to do much more to strengthen US-CERT, said Homeland Security Inspector General Richard Skinner at the hearing. Reviewing the report, Skinner said there are several issues hindering US-CERT. It doesn’t have the authority to compel agencies to implement its recommendations, he said. It also lacks the staff to perform its mission, he said. Authorized staff for the office improved from 38 in 2008 to 98 in 2010. But as of January 2010 only 45 positions were filled, he said, and the office must use federal contractors to close staffing shortages. US-CERT also hasn’t developed a strategic plan or policies for goals, objectives and milestones, he said. While it’s formulating a plan, it will have a hard time meeting its mission until one is finalized, he said. US-CERT would benefit from improved information sharing with other federal agencies, said Skinner. It also needs to analyze federal cyberspace in real time, he said, instead of near real-time.
The focus on cybersecurity comes at a critical time where the federal government faces a record number of cyberattacks, said GAO Director of Information Security Issues Greg Wilshusen at the Wednesday hearing. Wilshusen reviewed a GAO report finding “significant deficiencies” in the security controls of federal information systems which result in “pervasive vulnerabilities.” For example, 21 of 24 major federal agencies noted that inadequate information system controls over their financial systems and information could be called a material weakness or a significant deficiency, he said. They plague critical federal systems like the Los Alamos National Laboratory and NASA, GAO said. “These deficiencies continue to place federal assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, and critical operations at risk of disruption,” he said.
Making matters urgent is a more-than-400% rise in reports of security incidents from FY 2006 to FY 2010, he said. There were 5,503 incidents in FY 2006 but more than 30,000 in FY 2009, Wilshusen said. The four most common incidents are software infecting an operating system or application; violating acceptable computer use policies; unauthorized access by individuals and incidents that are unconfirmed but warrant further review because they could be potentially malicious, said Wilshusen.
Federal agencies failed to implement hundreds of suggested improvements in federal cybersecurity during the last several years, said Wilshusen. The Comprehensive National Cybersecurity Initiative launched by President George W. Bush in January 2008 is having a hard time in securing federal computer systems because it doesn’t have established measures of effectiveness, hasn’t defined what agencies are supposed to do and hasn’t fully established transparency, he said. The Federal Desktop Core Configuration program requiring security configurations on federal agencies using Windows XP or Vista hasn’t met expectations because not one federal agency implemented every configuration setting on its workstations. The Trusted Internet Connections initiative providing secure Internet connections to federal agencies languishes after none of the 23 agencies reviewed met all requirements of the initiative. Progress also lags on implementing Einstein, the federal government’s intrusion detection system, with less than half of the 23 federal agencies reviewed completing all the agreements with Homeland Security to implement the system.
Wilshusen agreed that DHS isn’t fulfilling its mission to protect the federal government’s domestic agencies, said Wilshusen. It hasn’t developed the capability of protecting critical government functions from cyberattack, he said. Nor has it implemented every GAO recommendation following a September 2008 cyberattack exercise, it said. Homeland Security’s role as the lead agency protecting federal networks against cyberattacks needs to be clarified, he told the committee: “We are not quite sure who is in charge.”