Inspector General identifies key deficiencies in US cybersecurity response

DHS Inspector General Richard Skinner spoke before the House Committee on Homeland Security yesterday and detailed his office’s latest report on the progress US-CERT has made in securing cyberspace. Both the report and Skinner’s testimony show that while US-CERT has made strides to beef up cybersecurity in recent years, there are still several items that need to be addressed going forward.

Skinner did acknowledge that US-CERT – which is responsible for defending federal government networks against cyber attacks – has made great strides in promoting information sharing between the private and public sector, using various notices, bulletins, and reports.

Nonetheless, the IG identified three key areas where US-CERT falls short in living up to its mission. First is its lack of enforcement authority in responding to security threats. “Without this authority”, Skinner said, “US-CERT is limited in its ability to mitigate effectively ever-evolving security threats and vulnerabilities”.

Skinner added that because US-CERT cannot compel federal agencies to enact its recommendations, these cyber threats and vulnerabilities are often not addressed in a timely fashion. He highlighted the fact that US-CERT would have been given such increased enforcement capabilities under the revised FISMA legislation put forth in 2008; however, “since the proposed legislation was not approved, US-CERT remains without enforcement authority”, he continued.

The testimony also reviewed the staffing problems that the computer response team faces. The number of positions allotted for US-CERT was increased from 38 in 2008 to 98 in 2010, but Skinner lamented that only 45 of those positions had been filled. Several reasons were cited for the shortfall in staffing, including turnover, lack of qualified applicants, and the rigorous approval process that takes anywhere from nine to 12 months, even if the applicant has already received top secret clearance.

“As a result, staffing shortages force current analysts to perform additional duties, instead of fulfilling the technical analyst role for which they were hired”, noted the IG’s audit report.

“Without sufficient staffing, US-CERT cannot completely fulfill its responsibilities to analyze data and reports to reduce cyber threats and vulnerabilities as well as support the public and private sectors”, Skinner told the House committee.

The third point the IG covered was US-CERT’s lack of a strategic plan and performance measures, without which the organization is hampered in its mission to defend the federal government against cyber attacks, Skinner said.

He went on to provide the committee with several key action points derived from the audit. The first recommendation includes establishing specific performance measures and developing a strategic plan for US-CERT. Citing the increased sophistication and effectiveness of cyber attacks, the IG said that such a strategic plan is key to helping the organization measure progress and articulate clear goals.

“While progress has been made”, said Skinner, “US-CERT still faces numerous challenges in effectively reducing the cyber security risks and protecting the nation’s critical infrastructure”.
