Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities
Highlights
Increasing computer interconnectivity has revolutionized the way that our government, our nation, and much of the world communicate and conduct business. While the benefits have been enormous, this widespread interconnectivity also poses significant risks to our nation's computer systems and, more importantly, to the critical operations and infrastructures they support. The Homeland Security Act of 2002 and federal policy established DHS as the focal point for coordinating activities to protect the computer systems that support our nation's critical infrastructures. GAO was asked to determine (1) DHS's roles and responsibilities for cyber critical infrastructure protection, (2) the status and adequacy of DHS's efforts to fulfill these responsibilities, and (3) the challenges DHS faces in fulfilling its cybersecurity responsibilities.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Homeland Security | In order to improve DHS's ability to fulfill its mission as an effective focal point for cybersecurity, the Secretary of Homeland Security should engage appropriate stakeholders to prioritize key cybersecurity responsibilities so that the most important activities are addressed first, including responsibilities that are not detailed in the cybersecurity strategic plan: (1) perform a national cyber threat assessment; (2) facilitate sector cyber vulnerability assessments--to include identification of cross-sector interdependencies; and (3) establish contingency plans for cybersecurity, including recovery plans for key Internet functions. |
Following the report, GAO highlighted in the January 2007 High Risk Report that DHS had not fully implemented any of its key cybersecurity responsibilities. In response to its inclusion in the High Risk Report, the Department of Homeland Security (DHS) developed a plan and has focused attention on initiatives to address some of its GAO-identified responsibilities. For example, to develop partnerships and coordinate with other federal agencies, state and local governments, and the private sector entities, DHS issued the National Infrastructure Protection Plan in 2009 and the Information Technology Sector-Specific Plan in 2007. In addition to facilitate cyber vulnerability assessments, including identification of cross-sector interdependencies, in collaboration with the sector and government coordinating councils (made up of varying stakeholders), DHS issued the Information Technology Baseline Risk Assessment in August 2009 that considers vulnerabilities, threats, and cross-sector issues related to the information technology sector. Also, DHS officials stated that DHS will be leading efforts to develop a national cyber incident response plan by the end of 2009 to provide public-private sector understanding regarding how the nation would respond to major cyber incidents. While these steps prioritize DHS's efforts on fulfilling certain key cybersecurity responsibilities, the department will need to continue to prioritize its efforts to ensure it fulfills its all of its key cybersecurity responsibilities.
|
Department of Homeland Security | In order to improve DHS's ability to fulfill its mission as an effective focal point for cybersecurity, the Secretary of Homeland Security should require the National Cyber Security Division to develop a prioritized list of key activities for addressing the underlying challenges that are impeding execution of its responsibilities. |
Following the report, GAO highlighted in the January 2007 High Risk Report that DHS had not fully implemented any of its key cybersecurity responsibilities because its progress had been impeded by a several challenges including the reluctance of many in the private sector to share information with DHS and a lack of departmental organizational stability and leadership needed to gain the trust of other stakeholders in the cybersecurity world. In response to the inclusion in the High Risk Report, the Department of Homeland Security (DHS) developed a plan and focused attention on initiatives to fulfill its responsibilities that also address its challenges. For example, the National Infrastructure Protection Plan and the Information Technology Sector Specific Plan help to increase awareness about cybersecurity roles and capabilities, facilitate more effective partnerships with stakeholders, and improve two-way information sharing with these stakeholders. In addition, to better demonstrate the value DHS provides to its stakeholders, such as providing analysis of the federal government?s network traffic, DHS has improved the United States-Computer Emergency Readiness Team's analysis and warning capabilities. Also, under the new administration, the Secretary of Homeland Security has consolidated DHS's cyber critical infrastructure protection efforts under a Deputy Undersecretary of the Department's National Protection and Programs Directorate, to address the challenges associated with organizational stability and authority. In addition, the Deputy Undersecretary has publicly announced that the department is working to quickly increase its cadre of cybersecurity professionals to help address challenges associated with hiring and retaining qualified people. While DHS has initiatives in place to address some challenges, fully implementing its cybersecurity responsibilities/issues, such as building effective partnerships, having organizational stability, and hiring and retaining adequate cybersecurity experts are issues that require further attention.
|
Department of Homeland Security | In order to improve DHS's ability to fulfill its mission as an effective focal point for cybersecurity, the Secretary of Homeland Security should identify performance measures and milestones for fulfilling its prioritized responsibilities and for performing activities to address its challenges, and track organizational progress against these measures and milestones. |
Following the report, GAO highlighted in the January 2007 High Risk Report that DHS had not fully implemented any of its key cybersecurity responsibilities. In response to the inclusion in the High Risk Report, the Department of Homeland Security (DHS) developed a plan with related performance measures and milestones for each initiative to address its cybersecurity responsibilities and the identified challenges. The initiatives that, according to the plan, provide the means for DHS to fulfill these responsibilities are the (1) National Infrastructure Protection Plan, (2) Information Technology Sector-Specific Plan, (3) Cross-Sector Cyber Security, (4) Control Systems Security, (5) Cyber Exercises, and (6) United States-Computer Emergency Readiness Team. For each initiative, the plan identifies tasks, expected outcomes, and milestones. The initiative for the National Infrastructure Protection Plan has defined metrics and, according to the plan, the National Cyber Security Division is revising program-level metrics for the remaining initiatives. While DHS has worked to measure the effectiveness of its efforts, more work remains to improve upon these metrics.
|