US flunks cyber security prep test

Scathing report hits out at Homeland Security 'unpreparedness'...

Tags: cyber security, homeland security, us

By Declan McCullagh

Published: 27 May 2005 09:10 BST

The US Department of Homeland Security (DHS) has failed to live up to its cyber security responsibilities and may be "unprepared" for emergencies, federal auditors said in a scathing report released on Thursday.

More than two years after its creation, Homeland Security has never developed a contingency plan to restore internet functions in an emergency and has yet to create a vulnerability assessment of what could happen in a worst-case scenario, the Government Accountability Office (GAO) concluded.

"DHS cannot effectively function as the cyber security focal point intended by law and national policy" at the moment, the report said. "There is increased risk that large portions of our national infrastructure are either unaware of key areas of cyber security risks or unprepared to effectively address cyber emergencies."

The dismal grade for Homeland Security comes as the federal government is conducting a war game called "Silent Harbor" that's designed to model what might happen during an electronic attack on the United States. It was convened by the CIA's secretive Information Operations Center and was set to conclude on Thursday.

Thursday's report represents the most critical take yet on the cyber security efforts of the still-young agency, which was intended to become a central point for online warnings and responses inside the federal government but instead has come under fire for being too sluggish. The November 2002 law creating the Department of Homeland Security melded together computer security centres from the Commerce Department, the Defense Department, the Energy Department and the FBI.

In a letter signed by Steven Pecinovsky, a Homeland Security inter-governmental liaison, the department took issue with the report's conclusions. Homeland Security does not "agree with the report's implication that the challenges experienced to date have prevented us from achieving significant results in improving the nation's cyber security posture", Pecinovsky wrote. Because Homeland Security is a new agency, it is using less formal, non-quantitative ways to measure progress, he added.

The GAO warned that bot networks, criminal gangs, foreign intelligence services, spammers, spyware authors and terrorists were all "emerging" threats that "have been identified by the US intelligence community and others". Even though Homeland Security has 13 responsibilities in this area, it "has not fully addressed any", the GAO said.

Homeland Security has been suffering from an ongoing exodus of top-level staff. The director and deputy director of Homeland Security's National Cyber Security Division, a top Computer Emergency Response Team official, the undersecretary for infrastructure protection, and the assistant secretary responsible for information protection have all left in the past year. (The House of Representatives this month approved a reorganisation of those departments.)

Democrats on Capitol Hill were quick to take up the report's findings to suggest that the Bush administration's cyber security efforts have been a flop.

The "report only confirms what we have known all along; the DHS has failed to meet the responsibility for critical infrastructure protection", said Rep Zoe Lofgren, who represents the San Jose, California, area.

Rep Bennie Thompson of Mississippi, the top Democrat on a congressional homeland security panel, charged that "our critical infrastructures remain largely unprepared or unaware of cyber security risks and how to respond to cyber emergencies. This is unacceptable".

This isn't the first time Homeland Security has been rapped by auditors. Last year, one report said the agency was plagued by computer systems that were incompatible, and another found that Homeland Security was woefully behind in terms of sharing computer security information with private companies.

Declan McCullagh writes for CNET News.com
