From the U.S. Government Accountability Office, www.gao.gov

Transcript for: DHS Information Security

Description: Audio interview by GAO staff with Greg Wilshusen, Director, Information Technology

Related GAO Work: GAO-16-294: Information Security: DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Cybersecurity Protection System

Released: January 2016

[ Background Music ]

[ Narrator: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. It's January 2016. With cyber attacks on the rise, protecting federal government computer systems, the infrastructure they control, and the private data stored within them is of the utmost importance. The National Cyber Security Protection System is intended to help, but how well is it working? A team led by Greg Wilshusen, a director in GAO's Information Technology team, recently looked into that question. Melanie Fallow sat down with Greg to talk about what they found.

[ Melanie Fallow: ] Can you give me a sense of the landscape of federal information technology and cyber security?

[ Greg Wilshusen: ] Sure. Every single federal agency relies on information technologies, the computers, systems, and networks in order to carry out their mission. And these technologies can be quite sophisticated, and they often are interconnected with other networks, both inside and outside of the agency. And, indeed, many agencies connect their networks to the internet in order to communicate with their constituents and deliver services. And it's through the internet that many intrusions and malicious software threaten federal systems.

[ Melanie Fallow: ] So what is the National Cyber Security Protection System supposed to do?

[ Greg Wilshusen: ] Well, this system is intended to help agencies detect malicious traffic that may be entering or exiting their networks.
It's also intended to prevent cyber security intrusions into those networks, as well as provide some data, analytics, and information sharing support to those agencies. It's all intended to help those agencies defeat and at least prevent malicious traffic on those networks.

[ Melanie Fallow: ] And how well is that system meeting its goals?

[ Greg Wilshusen: ] Well, it's partially, but not fully meeting its objectives. In our review, we noted they had a number of limitations. For example, it had a limited ability to detect unauthorized or malicious traffic entering an agency's network, and, in part, that's by design. It's designed to only identify known patterns of malicious activity, and does not address or identify other types of malicious activity. And so that makes it useful to one extent, but it doesn't do a very good job of identifying any deviations from normal network traffic. As far as intrusion prevention, that, too, is limited, in that it only monitors certain types of network traffic, but does not monitor other types of traffic, such as the content on web pages and web traffic. And we also found that customer agencies who use this system, which is operated and designed by the Department of Homeland Security, noted that they did not always view the incident notifications as either being timely or useful.

[ Melanie Fallow: ] I see that the system has some limitations, but are agencies actually using it?

[ Greg Wilshusen: ] Well, they are, but the extent to which this system is being implemented varies. For example, all 23 federal agencies that were required to implement the intrusion detection capability of this system have implemented that; however, we did a review at 5 of those agencies, and we found that 4 of them did not direct all of their network traffic through those sensors, thereby negating the benefit of having their network traffic go through those sensors and having malicious traffic detected.
And we also found that only 5 of the 23 agencies had implemented the intrusion prevention capability of the system. That was due, in part, because of the internet service providers that were serving those particular agencies, but DHS has plans to expand that to many more agencies going forward.

[ Melanie Fallow: ] So while the protection system is trying to meet its goals and agencies are trying to implement it, cyber threats are still out there, and they're evolving rapidly. Can you talk a little about what you found out about planning for this system's future?

[ Greg Wilshusen: ] Well, DHS is, indeed, planning several enhancements to this system. It has identified needs for future capabilities to expand the type of network traffic that it monitors, as well as expanding to the number of agencies that will have intrusion prevention capabilities. In fact, it developed a roadmap to identify the techniques and technologies that are needed to increase that capability. However, DHS has not yet defined the specific requirements for those enhancements, and those are needed in order to effect them in an effective manner.

[ Melanie Fallow: ] So are those the recommendations that GAO is making?

[ Greg Wilshusen: ] Well, yes, that is among the recommendations we make. We made 9 recommendations as part of this report. One is to enhance the capabilities of this particular system, and to better define the requirements for future capabilities and functionality. We also recommended that DHS develop network routing guidance that it can provide to the agencies to assure that the agency's network traffic is, in fact, being filtered by the sensors, and DHS concurred with each of our recommendations and indicated that it's taking actions to implement them.

[ Melanie Fallow: ] Finally, for those interested in the security of federal systems and data, what would you say is the bottom line of this report?

[ Greg Wilshusen: ] Well, that the National Cyber Security Protection System is a useful tool in the federal agency's cyber security toolkit; however, for it to be used to maximum effect, DHS has to expand the capabilities of the system to cover all types of network traffic and to assure that agencies route all their network traffic through the sensors in order to receive the maximum benefit of this capability.

[ Background Music ]

[ Narrator: ] To learn more, visit GAO.gov and be sure to tune in to the next episode of GAO's Watchdog Report for more from the congressional watchdog, the U.S. Government Accountability Office.