
Scathing report hits out at Homeland Security 'unpreparedness'...
Published: 27 May 2005 09:10 BST
The US Department of Homeland Security (DHS) has failed to live up to its cyber security responsibilities and may be "unprepared" for emergencies, federal auditors said in a scathing report released on Thursday.
More than two years after its creation, Homeland Security has never developed a contingency plan to restore internet functions in an emergency and has yet to create a vulnerability assessment of what could happen in a worst-case scenario, the Government Accountability Office (GAO) concluded.
"DHS cannot effectively function as the cyber security focal point intended by law and national policy" at the moment, the report said. "There is increased risk that large portions of our national infrastructure are either unaware of key areas of cyber security risks or unprepared to effectively address cyber emergencies."
The dismal grade for Homeland Security comes as the federal government is conducting a war game called "Silent Harbor" that's designed to model what might happen during an electronic attack on the United States. It was convened by the CIA's secretive Information Operations Center and was set to conclude on Thursday.
Thursday's report represents the most critical take yet on the cyber security efforts of the still-young agency, which was intended to become a central point for online warnings and responses inside the federal government but instead has come under fire for being too sluggish. The November 2002 law creating the Department of Homeland Security melded together computer security centres from the Commerce Department, the Defense Department, the Energy Department and the FBI.
In a letter signed by Steven Pecinovsky, a Homeland Security inter-governmental liaison, the department took issue with the report's conclusions. Homeland Security does not "agree with the report's implication that the challenges experienced to date have prevented us from achieving significant results in improving the nation's cyber security posture", Pecinovsky wrote. Because Homeland Security is a new agency, it is using less formal, non-quantitative ways to measure progress, he added.
The GAO warned that bot networks, criminal gangs, foreign intelligence services, spammers, spyware authors and terrorists were all "emerging" threats that "have been identified by the US intelligence community and others". Even though Homeland Security has 13 responsibilities in this area, it "has not fully addressed any", the GAO said.
Homeland Security has been suffering from an ongoing exodus of top-level staff. The director and deputy director of Homeland Security's National Cyber Security Division, a top Computer Emergency Response Team official, the undersecretary for infrastructure protection, and the assistant secretary responsible for information protection have all left in the past year. (The House of Representatives this month approved a reorganisation of those departments.)
Democrats on Capitol Hill were quick to take up the report's findings to suggest that the Bush administration's cyber security efforts have been a flop.
The "report only confirms what we have known all along; the DHS has failed to meet the responsibility for critical infrastructure protection", said Rep Zoe Lofgren, who represents the San Jose, California, area.
Rep Bennie Thompson of Mississippi, the top Democrat on a congressional homeland security panel, charged that "our critical infrastructures remain largely unprepared or unaware of cyber security risks and how to respond to cyber emergencies. This is unacceptable".
This isn't the first time Homeland Security has been rapped by auditors. Last year, one report said the agency was plagued by computer systems that were incompatible, and another found that Homeland Security was woefully behind in terms of sharing computer security information with private companies.
Declan McCullagh writes for CNET News.com
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.