[Infowarrior] - Critics: DHS unprepared for cyberthreats

Richard Forno rforno at infowarrior.org
Wed Sep 17 13:27:27 UTC 2008 

Critics: Homeland Security unprepared for cyberthreats
Posted by Stephanie Condon

http://news.cnet.com/8301-13578_3-10043665-38.html?part=rss&subj=news&tag=2547-1_3-0-20

WASHINGTON--When politicians got together six years ago and decided to  
glue together a medley of federal agencies to create the U.S.  
Department of Homeland Security, one of the justifications was a  
better focus on cybersecurity.

"The department will gather and focus all our efforts to face the  
challenge of cyberterrorism," President Bush said when signing the 500- 
or-so-page bill into law in November 2002. "This department will be  
charged with encouraging research on new technologies that can detect  
these threats in time to prevent an attack."

That was then. Now, Homeland Security is weathering a deluge of  
criticism of its lackluster cybersecurity efforts on grounds that they  
have proven to be inefficient, bureaucratic, and not even able to do a  
decent job of monitoring federal computer networks.

This week, it even led to what would have been unthinkable a year or  
two ago--a suggestion that Homeland Security can no longer be trusted  
with its cybersecurity mission and it should be handed to another  
federal agency.

"While DHS has improved, oversight for cybersecurity must move  
elsewhere," James Lewis, a director and senior fellow at the hawkish  
Center for Strategic and International Studies, said Tuesday. "The  
conclusion we reached is only the White House has the authority and  
oversight for cybersecurity. This is now a serious national security  
problem and should be treated as such."

Lewis was testifying at at a hearing of the House Homeland Security's  
subcommittee on emerging threats, cybersecurity, and science and  
technology. Lewis appeared on behalf of CSIS's Commission on  
Cybersecurity for the 44th Presidency, a group made up of 40  
cybersecurity and government experts. They're expected to release a  
final report in November with recommendations for the next  
administration.

Adding to the public criticism of Homeland Security were two new  
reports published by the Government Accountability Office (No. 1 and  
No. 2) detailing the department's shortcomings.

Since 2005, the GAO has been reporting on DHS' cybersecurity efforts  
and has made 30 recommendations to the department, yet the department  
"still has not fully satisfied any of them," said David Powner, the  
GAO's director of information management issues.

The GAO's new reports include descriptions of the department's failure  
to fully address 15 key cyberanalysis and warning attributes related  
to activities such as monitoring government networks for unusual  
activity. For instance, warnings sent to federal offices regarding  
threats were neither consistently actionable nor timely, the GAO  
reported.

"We're not prepared" to handle cyberthreats, Powner said.

Lewis pleaded with politicians to remain focused on the topic.  
"Congress has to be involved with this," Lewis said, "to support  
building the infrastructure that will keep us secure."

Subcommittee Chairman Rep. James Langevin, D-R.I., announced at the  
hearing the creation of a House Cybersecurity Caucus, a forum for  
House members from various committees to discuss cybersecurity. The  
new caucus will begin work in January 2009.

Naming names
The GAO reports were released just one day after DHS Deputy Secretary  
Paul Schneider and a group of other federal officials who work on  
cybersecurity sought to address the many unanswered questions about  
the governemnt's secretive National Cyber Security Initiative.

Schneider made it clear at a forum on Monday that Robert Jamison, the  
DHS undersecretary for national protection and programs, is leading  
the department's cybersecurity efforts. However, witnesses and  
congressmen at Tuesday's hearing said there was a lack of leadership  
in the DHS.

"There really is no one in charge right now at DHS, and that's why  
they have struggled," said Paul Kurtz, a partner and COO for Good  
Harbor Consulting, who testified Tuesday. "You have several people  
with their hands on the steering wheel."

Rep. Bill Pascrell of New Jersey, D-N.J., said it was time to "name  
names" of who was responsible for the department's problems.

"Robert Jamison, the undersecretary, gave himself a solid C in  
cybersecurity the last time he came before the full committee,"  
Pascrell said. "When was getting a C a good mark?"

Pascrell complained that the administration has been too secretive  
about the National Cyber Security Initiative.

"The Senate tried for months to get the information public, and the  
White House refused," he said.

Pascrell pointed out that Marie O'Neill Sciarrone, a special assistant  
to the president, spoke at Monday's forum regarding federal  
cybersecurity efforts--but the event, hosted by the Information  
Technology Association of America, cost $50 for government employees  
to attend.

The witnesses at the hearing concurred the DHS has been too secretive.

"There's no reason to classify (the cyber initiative)," Lewis said.

However, he also said the initiative has produced some useful results.

"We've made a little progress," he said.

While it may be the norm for a new administration to completely revamp  
such a program, "we can't afford" to have that progress set back,  
Lewis said. "It'd be a lot easier to avoid that fumble if it wasn't  
top secret."

A new administration, a new start
Lewis said that a cybersecurity strategy "should be one of the first  
documents the new administration issues."

People representing both the Obama and McCain campaigns are on the  
CSIS commission, Lewis said, and both campaigns have recognized the  
need for greater cybersecurity.

"We've asked to brief them on our recommendations, and we believe in  
the next month or so we'll have that opportunity," he said.

The federal government is already working to establish working  
relationships with the private sector to improve cybersecurity, but  
the next administration will have to consider whether to consider all  
sectors of equal importance, Powner said. The three most critical  
sectors to work with, Lewis said, are the finance, electricity, and  
telecom industries.

"Existing partnerships are not meeting the needs of public or private  
sector," Lewis said. "The first need is to rebuild trust."

Harry Raduege, chairman of the Deloitte Center for Network Innovation,  
said another reason to make cybersecurity a priority for the White  
House is to better coordinate international efforts.

Officials from other countries often ask, "'Who should we come to talk  
to in the United States about your overarching strategy?'" Raduege  
said. "There was never one place I could recommend they go, no one  
individual with an entire national strategy perspective."

More information about the Infowarrior mailing list