Critical Infrastructure Protection:

Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities

GAO-05-434: Published: May 26, 2005. Publicly Released: May 26, 2005.

Contact:

David A. Powner
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Increasing computer interconnectivity has revolutionized the way that our government, our nation, and much of the world communicate and conduct business. While the benefits have been enormous, this widespread interconnectivity also poses significant risks to our nation's computer systems and, more importantly, to the critical operations and infrastructures they support. The Homeland Security Act of 2002 and federal policy established DHS as the focal point for coordinating activities to protect the computer systems that support our nation's critical infrastructures. GAO was asked to determine (1) DHS's roles and responsibilities for cyber critical infrastructure protection, (2) the status and adequacy of DHS's efforts to fulfill these responsibilities, and (3) the challenges DHS faces in fulfilling its cybersecurity responsibilities.

As the focal point for critical infrastructure protection (CIP), the Department of Homeland Security (DHS) has many cybersecurity-related roles and responsibilities that we identified in law and policy. DHS established the National Cyber Security Division to take the lead in addressing the cybersecurity of critical infrastructures. While DHS has initiated multiple efforts to fulfill its responsibilities, it has not fully addressed any of the 13 responsibilities, and much work remains ahead. For example, the department established the United States Computer Emergency Readiness Team as a public/private partnership to make cybersecurity a coordinated national effort, and it established forums to build greater trust and information sharing among federal officials with information security responsibilities and law enforcement entities. However, DHS has not yet developed national cyber threat and vulnerability assessments or government/industry contingency recovery plans for cybersecurity, including a plan for recovering key Internet functions. DHS faces a number of challenges that have impeded its ability to fulfill its cyber CIP responsibilities. These key challenges include achieving organizational stability, gaining organizational authority, overcoming hiring and contracting issues, increasing awareness about cybersecurity roles and capabilities, establishing effective partnerships with stakeholders, achieving two-way information sharing with these stakeholders, and demonstrating the value DHS can provide. In its strategic plan for cybersecurity, DHS identifies steps that can begin to address the challenges. However, until it confronts and resolves these underlying challenges and implements its plans, DHS will have difficulty achieving significant results in strengthening the cybersecurity of our critical infrastructures.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: Following the report, GAO highlighted in the January 2007 High Risk Report that DHS had not fully implemented any of its key cybersecurity responsibilities. In response to its inclusion in the High Risk Report, the Department of Homeland Security (DHS) developed a plan and has focused attention on initiatives to address some of its GAO-identified responsibilities. For example, to develop partnerships and coordinate with other federal agencies, state and local governments, and private sector entities, DHS issued the National Infrastructure Protection Plan in 2009 and the Information Technology Sector-Specific Plan in 2007. In addition, to facilitate cyber vulnerability assessments, including identification of cross-sector interdependencies, in collaboration with the sector and government coordinating councils (made up of varying stakeholders), DHS issued the Information Technology Baseline Risk Assessment in August 2009 that considers vulnerabilities, threats, and cross-sector issues related to the information technology sector. Also, DHS officials stated that DHS will be leading efforts to develop a national cyber incident response plan by the end of 2009 to provide public-private sector understanding regarding how the nation would respond to major cyber incidents. While these steps prioritize DHS's efforts on fulfilling certain key cybersecurity responsibilities, the department will need to continue to prioritize its efforts to ensure it fulfills all of its key cybersecurity responsibilities.

    Recommendation: In order to improve DHS's ability to fulfill its mission as an effective focal point for cybersecurity, the Secretary of Homeland Security should engage appropriate stakeholders to prioritize key cybersecurity responsibilities so that the most important activities are addressed first, including responsibilities that are not detailed in the cybersecurity strategic plan: (1) perform a national cyber threat assessment; (2) facilitate sector cyber vulnerability assessments--to include identification of cross-sector interdependencies; and (3) establish contingency plans for cybersecurity, including recovery plans for key Internet functions.

    Agency Affected: Department of Homeland Security

  2. Status: Closed - Implemented

    Comments: Following the report, GAO highlighted in the January 2007 High Risk Report that DHS had not fully implemented any of its key cybersecurity responsibilities because its progress had been impeded by several challenges, including the reluctance of many in the private sector to share information with DHS and a lack of departmental organizational stability and leadership needed to gain the trust of other stakeholders in the cybersecurity world. In response to the inclusion in the High Risk Report, the Department of Homeland Security (DHS) developed a plan and focused attention on initiatives to fulfill its responsibilities that also address its challenges. For example, the National Infrastructure Protection Plan and the Information Technology Sector Specific Plan help to increase awareness about cybersecurity roles and capabilities, facilitate more effective partnerships with stakeholders, and improve two-way information sharing with these stakeholders. In addition, to better demonstrate the value DHS provides to its stakeholders, such as providing analysis of the federal government's network traffic, DHS has improved the United States-Computer Emergency Readiness Team's analysis and warning capabilities. Also, under the new administration, the Secretary of Homeland Security has consolidated DHS's cyber critical infrastructure protection efforts under a Deputy Undersecretary of the Department's National Protection and Programs Directorate, to address the challenges associated with organizational stability and authority. In addition, the Deputy Undersecretary has publicly announced that the department is working to quickly increase its cadre of cybersecurity professionals to help address challenges associated with hiring and retaining qualified people. While DHS has initiatives in place to address some challenges, fully implementing its cybersecurity responsibilities/issues, such as building effective partnerships, having organizational stability, and hiring and retaining adequate cybersecurity experts, are issues that require further attention.

    Recommendation: In order to improve DHS's ability to fulfill its mission as an effective focal point for cybersecurity, the Secretary of Homeland Security should require the National Cyber Security Division to develop a prioritized list of key activities for addressing the underlying challenges that are impeding execution of its responsibilities.

    Agency Affected: Department of Homeland Security

  3. Status: Closed - Implemented

    Comments: Following the report, GAO highlighted in the January 2007 High Risk Report that DHS had not fully implemented any of its key cybersecurity responsibilities. In response to the inclusion in the High Risk Report, the Department of Homeland Security (DHS) developed a plan with related performance measures and milestones for each initiative to address its cybersecurity responsibilities and the identified challenges. The initiatives that, according to the plan, provide the means for DHS to fulfill these responsibilities are the (1) National Infrastructure Protection Plan, (2) Information Technology Sector-Specific Plan, (3) Cross-Sector Cyber Security, (4) Control Systems Security, (5) Cyber Exercises, and (6) United States-Computer Emergency Readiness Team. For each initiative, the plan identifies tasks, expected outcomes, and milestones. The initiative for the National Infrastructure Protection Plan has defined metrics and, according to the plan, the National Cyber Security Division is revising program-level metrics for the remaining initiatives. While DHS has worked to measure the effectiveness of its efforts, more work remains to improve upon these metrics.

    Recommendation: In order to improve DHS's ability to fulfill its mission as an effective focal point for cybersecurity, the Secretary of Homeland Security should identify performance measures and milestones for fulfilling its prioritized responsibilities and for performing activities to address its challenges, and track organizational progress against these measures and milestones.

    Agency Affected: Department of Homeland Security

 
