The GAO, in its criticisms, starts with the basics. The DHS has no plan. It has an interim plan, the Interim National Infrastructure Protection Plan, but that “does not yet comprise a comprehensive and complete plan.” It is missing, for one thing, details on “addressing cybersecurity in the infrastructure sectors.” This means there is no plan to defend the financial industry and water and electric utilities from attacks. That’s a serious lack of plan.
The network police also seem to have their own trouble networking. One of the DHS cyber division’s main responsibilities is “information sharing,” among agencies and with state and local government and businesses. Relations with some of these are “disintegrating.” The cyber division has had limited authority to move classified information around, and the private sector, unsure who’s at the bridge, has been slow to share secrets of its own.
Nor is DHS developing the analytic tools needed for an effective defense system. Like the rest of us, the agency can tell when an attack is well under way – hey, my computer keeps shutting down! – but it has failed to produce a reliable early-warning system. The report notes that the GAO made this same complaint four years ago but that “officials have taken little action.”
The GAO also notes a real lack of recovery planning, including a shortage of preparatory exercises. Nor has the DHS done enough to assess the problems it faces, as is called for in policy documents. Failing to assess vulnerabilities will lead to difficulties in deciding which resources to allot to which sector. DHS, in short, isn’t even sure what threats we face. The report also notes a lack of guidance from the cybersecurity department in setting goals for long-term research and the “unclear” effectiveness of awareness efforts – both those directed toward the public and those directed toward other agencies and government entities.
Not surprisingly, the GAO places the blame for all of this inactivity on the deleterious effects of the revolving door in the head office and the consequent lack of stability and authority within the division. With such volatility, the report states, it’s been almost impossible to hire the best people, “key contractors” have had to work without pay, and vendors have even gone unpaid.
The second report, “Cyber Security: A Crisis of Prioritization,” was prepared by the President’s Information Technology Advisory Committee (PITAC) and delivered to the executive branch in February 2005. It’s equally pessimistic but, on the bright side, does in its way offer a solution to the long-term problem of cybersecurity. Whether it will be heeded is another matter. Where the GAO limited itself to assessing how the DHS was doing by the relatively narrow standards of the DHS’s own mission statements and policy, PITAC provides more thoughtful criticism of and advice about the approach of the entire government, focusing on the kinds of research that will ultimately solve our network security problems.