Critics: Homeland Security unprepared for cyberthreats

WASHINGTON--When politicians got together six years ago and decided to glue together a medley of federal agencies to create the U.S. Department of Homeland Security, one of the justifications was a better focus on cybersecurity.

"The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the 500-or-so-page bill into law in November 2002. "This department will be charged with encouraging research on new technologies that can detect these threats in time to prevent an attack."

That was then. Now, Homeland Security is weathering a deluge of criticism of its lackluster cybersecurity efforts on grounds that they have proven to be inefficient, bureaucratic, and not even able to do a decent job of monitoring federal computer networks.

This week, it even led to what would have been unthinkable a year or two ago--a suggestion that Homeland Security can no longer be trusted with its cybersecurity mission and it should be handed to another federal agency.

"While DHS has improved, oversight for cybersecurity must move elsewhere," James Lewis, a director and senior fellow at the hawkish Center for Strategic and International Studies, said Tuesday. "The conclusion we reached is only the White House has the authority and oversight for cybersecurity. This is now a serious national security problem and should be treated as such."

Lewis was testifying at a hearing of the House Homeland Security's subcommittee on emerging threats, cybersecurity, and science and technology. Lewis appeared on behalf of CSIS's Commission on Cybersecurity for the 44th Presidency, a group made up of 40 cybersecurity and government experts. They're expected to release a final report in November with recommendations for the next administration.

Adding to the public criticism of Homeland Security were two new reports published by the Government Accountability Office (No. 1 and No. 2) detailing the department's shortcomings.

Since 2005, the GAO has been reporting on DHS' cybersecurity efforts and has made 30 recommendations to the department, yet the department "still has not fully satisfied any of them," said David Powner, the GAO's director of information management issues.

The GAO's new reports include descriptions of the department's failure to fully address 15 key cyberanalysis and warning attributes related to activities such as monitoring government networks for unusual activity. For instance, warnings sent to federal offices regarding threats were neither consistently actionable nor timely, the GAO reported.

"We're not prepared" to handle cyberthreats, Powner said.

Lewis pleaded with politicians to remain focused on the topic. "Congress has to be involved with this," Lewis said, "to support building the infrastructure that will keep us secure."

Subcommittee Chairman Rep. James Langevin, D-R.I., announced at the hearing the creation of a House Cybersecurity Caucus, a forum for House members from various committees to discuss cybersecurity. The new caucus will begin work in January 2009.

Naming names
The GAO reports were released just one day after DHS Deputy Secretary Paul Schneider and a group of other federal officials who work on cybersecurity sought to address the many unanswered questions about the governemnt's secretive National Cyber Security Initiative.

Schneider made it clear at a forum on Monday that Robert Jamison, the DHS undersecretary for national protection and programs, is leading the department's cybersecurity efforts. However, witnesses and congressmen at Tuesday's hearing said there was a lack of leadership in the DHS.

"There really is no one in charge right now at DHS, and that's why they have struggled," said Paul Kurtz, a partner and COO for Good Harbor Consulting, who testified Tuesday. "You have several people with their hands on the steering wheel."

Rep. Bill Pascrell of New Jersey, D-N.J., said it was time to "name names" of who was responsible for the department's problems.

"Robert Jamison, the undersecretary, gave himself a solid C in cybersecurity the last time he came before the full committee," Pascrell said. "When was getting a C a good mark?"

Pascrell complained that the administration has been too secretive about the National Cyber Security Initiative.

"The Senate tried for months to get the information public, and the White House refused," he said.

Pascrell pointed out that Marie O'Neill Sciarrone, a special assistant to the president, spoke at Monday's forum regarding federal cybersecurity efforts--but the event, hosted by the Information Technology Association of America, cost $50 for government employees to attend.

The witnesses at the hearing concurred the DHS has been too secretive.

"There's no reason to classify (the cyber initiative)," Lewis said.

However, he also said the initiative has produced some useful results.

"We've made a little progress," he said.

While it may be the norm for a new administration to completely revamp such a program, "we can't afford" to have that progress set back, Lewis said. "It'd be a lot easier to avoid that fumble if it wasn't top secret."

A new administration, a new start
Lewis said that a cybersecurity strategy "should be one of the first documents the new administration issues."

People representing both the Obama and McCain campaigns are on the CSIS commission, Lewis said, and both campaigns have recognized the need for greater cybersecurity.

"We've asked to brief them on our recommendations, and we believe in the next month or so we'll have that opportunity," he said.

The federal government is already working to establish working relationships with the private sector to improve cybersecurity, but the next administration will have to consider whether to consider all sectors of equal importance, Powner said. The three most critical sectors to work with, Lewis said, are the finance, electricity, and telecom industries.

"Existing partnerships are not meeting the needs of public or private sector," Lewis said. "The first need is to rebuild trust."

Harry Raduege, chairman of the Deloitte Center for Network Innovation, said another reason to make cybersecurity a priority for the White House is to better coordinate international efforts.

Officials from other countries often ask, "'Who should we come to talk to in the United States about your overarching strategy?'" Raduege said. "There was never one place I could recommend they go, no one individual with an entire national strategy perspective."

CNET's Declan McCullagh contributed to this report

[n3td3v]

Over hyped threat is over hyped.

[haceriii]

Go away, you Gobbles Security people. Don't the three of you have anything better to do than troll?

And considering that critical infrastructure things like SCADA systems are often reachable through the Internet (they shouldn't be, but that's another topic altogether) I would say that it's not overhyping the threat. If power grids get taken down, people do die. Just take one example: folks on oxygen pumps in their homes. Being without power for a few days means death for these folks.

[n3td3v]

I'm nothing to do with Gobbles. Three of me? There is only one. n3td3v.

[n3td3v]

n3td3v is one person.

n3td3v is not a troll.

n3td3v talks the truth.

[The_Decider]

Either you are part of Gobbles, or they just use the same name. Either way there is not one of you.

Talking in first person is creepy. Bob Dole agrees.

[n3td3v]

The_Decider,

GOBBLES IS A COMPLETELY DIFFERENT PERSON WITH NO CONNECTIONS TO ME.

THERE IS ONLY ONE PERSON WHO POSTS AS N3TD3V. THATS ME.

CUT OUT THE CONSPIRACY THEORIES.

ALL THE BEST,

N3TD3V

[n3td3v]

Cyber security is not a threat to national security. Gary Mckinnon was your only real threat and he got in by scanning for blank passwords. Estonia and Georgia were false flags by the U.S, so they don't count.

[n3td3v]

Free Gary Mckinnon from extradition to U.S. for 60 years. Which was originally ment to be 6 months community service in the U.K.

http://www.h2kradio.com/Method%20-%20Gary%20Mckinnon%20Hacker%20Tribute.mp3

http://freegary.org.uk/

**** U.S!!!

[masonx]

Is there anything that this administration has touched that works?

[The_Decider]

They seem competent with torture.

Every

[joetesta70]

The DHS is even more evil than $teve Job$

[Dalkorian]

Worse, the DHS is even more evil than M$.

See how silly and ridiculous you sound? No, I guess not, that would take brains and trolls don't have an abundance of that.

[aSiriusTHoTH]

You have got to be kidding me. Some of you people actually think cyberterriorism isn't a threat? What happens if a hacker group pull off the hack of the century and cripple the main DNS servers and down goes the internet for 2-3 days. How much money do you think will be lost?

Cyberterriorism is a huge national security threat. Pull your head out of the sand!

[fdunn3]

Sure but the Feds would be the last to know about it and the least capable of mitigating it.

Don't fool yourself into thinking that the Fed will be ready when they can't even mitigate their own security problems.

[dj_erik]

In my opinion, the DHS was given a job to ensure security from foreign and domestic threats. Instead of performing this task, they are focusing efforts on child pornography, hurricane relief, etc. I'm not saying that these aren't important tasks, but when you are given a job shouldn't you do that job? We instead are relying on MIT students to find flaws in the Massachusetts Bay Transportation Authority. In my opinion, this is just another abuse of power by the Bush administration, which could cost us greatly. Those MIT students could have easily planted a bomb in the subway and have it traced back to a grandmother's transit pass, but I guess cyber-threats aren't real anyways...

[fdunn3]

The Feds get hit more than we do and for some pretty dumb reasons.

They don't have a clue as to what is going on on a daily basis. Their "Alerts" are so late and not always accurate.

Why would anybody depend on the "expertise" of someone that can't even take care of their own systems?

[jtmajorx]

Router(config)# access-list 25 deny host TERRORISTS
Router(config)# access-list 26 deny host OSAMA
Router(config)# access-list 27 permit host... Freedom??
Router(config)# access-list 28 deny host Bush.

See guys, the US government is COMPLETELY ready for cyberthreats. And worst case, if we're not, at least Bush will get a kick out of his mouse moving independently.

[tremorfireheart]

cyber warfare is a real threat and a very real part of modern combat. In the case of an attack it could take out our capability to colloborate our forces and accurately deploy them. While nerc sip compliance has certainly shored up the defenses of the electrical grid from cyber attack, the standard styles of social network password acquiring can be applied. Not that you can really help those human tendencies from behind a desk in dc anyways. We have proved time and time again that if you cut our power for an extended duration we will begin to turn on each other. People panic enough when they know the lights are going to be out for a week because of a forseen event, how do you think they are going to manage if they don't know?

The formation of the department of homeland security was a knee jerk reaction out of fear. We have the fbi and the cia and the military. The FBI handled internal affairs related to federal laws and dangers at home. The Cia handles particular threats abroad. The Military Handles broad threats both here and abroad. The police force handles local matters and out breaks. Why do we need to Insert a middle man between the cia and the fbi so we can play a multibillion dollar game of telephone? In the computer world the more domains (or different type of security groups) you have the harder it is to get everything to work smoothly and increases the difficulty of passing information from one computer to another many fold.

[aintnorainbowdorothy]

Securing cybersecurity? That in and of itself is a joke. Remember that in World War II we broke the German and Japanese crypto programs by simply gaining access to their machines. The only way we were able to stay fairly secure was using the Commanches in Europe and Navajo in the Pacific area to speak in their native tounges. Of course, the native tounges were still around only because those and many other tribes refused, even with beatings, privation and so on, to give them up. Using a new language, not the new one that Microsoft is developing since that will be open to the world, but one built by people with expertise in that field, and then shooting them so a single person can't upset the apple cart, ala Egyptians during the tomb building periods and the Roman Praetorian Guard knocking off, or creating situations where a person calling himself Cesear committed suicide. That won't work of course since the Homeland Department will shoot everyone first and ask questions later. The shotgun marriage has very seldom worked. And the Homeland Security Department is a simple shotgun marriage cobbled together by this particular administration with the approval of Congress. That means the six years of Republican rule and the last two of Democrat. Everyone's complicit in the problem and no one, certainly not the office of the President and no one in Congress, is willing to take the fall. The answert\ is to break Homeland Security up, back into the individual departments it once was, give them the original mandates they had, and create a Deparftment of National Security all the while staffing that new department with people expert in the field. Of course that would mean having to pay the people for their expertise, something the United States seems to be loathe to do. Mediocraty leads to mediocare results, thereby allowing someone to give himself/herself a C, certainly passing, but not very well. And that person has true reason to be proud of that C, since the cobble is unweildy and the best the person can hope for is mediocraty.

[panthecat]

I?ve felt considerably more insecure ever since this country got stuck with the Department of Homeland Stupidity. I?m all for having it disestablished. they?ve had all this time to get their act together and all they do is flounder. FEMA used to be a functional agency before they got stuck inside of this dysfunctional cluster of a department and now they are an abysmal failure. Do you have the nerve to sign a petition?
http://www.petitiononline.com/zy98xw76/petition.html

[Michael Grogan]

All the DHS is good for is spying on honest citizens. Like everything Bush has created it never had anything to do with terrorism.

agreed!