Terror cybersecurity efforts need improving

The US Department of Homeland Security (DHS) has made some progress in hardening the country's networks against cyberattacks, but many issues still remain, according to an internal DHS report.

The report - created by the Office of Inspector General - found that the National Cyber Security Division, part of the DHS's Information Analysis and Infrastructure Protection Directorate, has failed in several areas, including creating an overall strategy with goals for the division, providing effective guidelines for the private sector, and creating formal communications channels to warn government, intelligence or international communities of threats.

The National Cyber Security Division "must address these issues to reduce the risk that the critical infrastructure may fail due to cyberattack," the report concluded.

The Office of Inspector General stressed in the report that, rather than serving as a testament to any failure, the report's conclusions outline a work in progress - progress, however, that could proceed faster.

"The DHS has experienced delays in establishing its structure, which includes defining its budget and staffing requirements, and faces a number of additional challenges in instituting the enhanced cyberthreat analysis organisation that is needed to address long-term threats and vulnerabilities to the nation's critical infrastructure," the OIG said in the report.

The report acknowledges that the National Cyber Security Division and its chief, Amit Yoran, has embarked on many initiatives. In the past year, the agency has formed the national clearinghouse for threat information; the US Computer Emergency Response Team, or US-CERT; and a cyberalert system. It has also met repeatedly with luminaries in private industry to form recommendations.

However, the report found that the NCSD still needs almost 50 per cent more staff and better articulated strategies, with formally expressed milestones, in order to more effectively achieve its goal of protecting the nation's networks and computers. To date, the NCSD's Vulnerability Analysis branch is the only group to have drafted a document that expresses performance objectives, the report noted.

The DHS' Information Analysis and Infrastructure Protection Directorate said the report did not fully outline all the accomplishments of the NCSD.

"As with any newly formed organisation, the rate of change...is significant and presents unique challenges not facing other government organizations," Frank Libutti, undersecretary for the Information Analysis and Infrastructure Protection Directorate, said in a letter accompanying the report. "As a result, some programs within DHS, including several of the cybersecurity programs discussed in the OIG report, are executed quickly to show immediate value and tactical progress and are later modified over time to address more strategic issues."

The report is available from the DHS' web site.