Cyber Analysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capability
Cyber analysis and warning capabilities are critical to thwarting computer-based (cyber) threats and attacks. The Department of Homeland Security (DHS) established the United States Computer Emergency Readiness Team (US-CERT) to, among other things, coordinate the nation's efforts to prepare for, prevent, and respond to cyber threats to systems and communications networks. GAO's objectives were to (1) identify key attributes of cyber analysis and warning capabilities, (2) compare these attributes with US-CERT's current capabilities to identify whether there are gaps, and (3) identify US-CERT's challenges to developing and implementing key attributes and a successful national cyber analysis and warning capability. To address these objectives, GAO identified and analyzed related documents, observed operations at numerous entities, and interviewed responsible officials and experts.
Recommendations for Executive Action
Agency affected: Department of Homeland Security
Recommendation: To fully establish a national cyber analysis and warning capability, the Secretary of Homeland Security should address deficiencies in each of the attributes identified for monitoring, including establishing a comprehensive baseline understanding of the nation's critical information infrastructure and engaging appropriate nonfederal stakeholders to support a national-level cyber monitoring capability.
DHS agreed with our recommendation and has made significant improvements to its monitoring capabilities. Although DHS does not yet have all critical infrastructure/key resource sectors represented at the National Cybersecurity and Communications Integration Center (NCCIC) and has not encouraged all of them to complete national-level risk assessments of their sectors, DHS has increased its near real-time situational awareness of the operation and cybersecurity condition of more entities within the sectors and has taken action to further engage its federal and nonfederal stakeholders. For example, it has established the NCCIC to serve as a 24-hour cyber and communications watch and warning center. Currently, defense, law enforcement, and intelligence organizations, computer emergency response teams (CERTs), and private sector information sharing and analysis centers (ISACs) are represented at the center. In addition, a number of ISACs participate in a program to receive situational awareness information concerning network status. DHS has also expanded monitoring of the states through its support of the Multi-State ISAC, which has 25 U.S. state members. DHS has also expanded its passive monitoring tool to include network intrusion detection technology; this expanded capability has been deployed to 53 federal agencies.
Agency affected: Department of Homeland Security
Recommendation: To fully establish a national cyber analysis and warning capability, the Secretary of Homeland Security should address deficiencies in each of the attributes identified for analysis, including expanding its capabilities to investigate incidents.
DHS agreed with our recommendation and has made significant progress in improving its ability to analyze and investigate multiple incidents simultaneously. Although DHS must continue to engage more of its private sector partners in the analysis process, DHS has expanded its Advanced Malware Analysis Center (AMAC) and introduced advanced analytical tools, making noteworthy improvements in its analysis capabilities. For example, the expanded AMAC gives DHS the ability to process up to 100 non-concurrent cases and provides the capability to (1) perform analysis of submitted malicious software, resulting in a streamlined workflow, (2) automatically create malware-related reports, and (3) allow for more timely and robust incident response. DHS also introduced an analysis tool to enhance its ability to track malicious activity. In addition, DHS developed a database to organize, access, and centralize data specifically related to cyber threats against critical infrastructure networks.
Agency affected: Department of Homeland Security
Recommendation: To fully establish a national cyber analysis and warning capability, the Secretary of Homeland Security should address deficiencies in each of the attributes identified for warning, including ensuring consistent notifications that are targeted, actionable, and timely.
DHS agreed with our recommendation and has improved its warning capability. While DHS does not track whether entities within all critical infrastructure/key resource (CI/KR) sectors receive warnings, DHS has issued cybersecurity reports and warnings that DHS considered to be actionable and timely and to contain information useful in mitigating malicious activity. For example, during FY2011, DHS components released more than 5,200 cybersecurity alerts and information products based on the receipt and prioritization of approximately 7,780 files of analyzed malware. In addition, DHS has collaborated with both federal and nonfederal partners to improve its notification process. For example, DHS, DoD, and the Financial Services Information Sharing and Analysis Center launched a pilot designed to help protect key critical networks and infrastructure within the financial services sector by sharing actionable, sensitive information. Officials determined that this pilot was successful and transitioned it into a permanent program involving cyber information sharing and cooperation with additional private sector owners and operators. DHS has also taken action to improve access to information for its private sector partners by establishing a capability for security-cleared owners and operators of CI/KR and other officials to access secret-level cybersecurity information, such as warning information and technical data, and to participate in video teleconference calls via the state and major urban area fusion centers.
Agency affected: Department of Homeland Security
Recommendation: To fully establish a national cyber analysis and warning capability, the Secretary of Homeland Security should address deficiencies in each of the attributes identified for response, including ensuring that US-CERT provides assistance in the mitigation of and recovery from simultaneous severe incidents, including incidents of national significance.
DHS agreed with our recommendation and has significantly improved its ability to provide assistance in the mitigation of and recovery from incidents. While DHS has made progress acquiring technological tools to strengthen its response capability, it will have to continually (1) find ways to improve its tools to enhance capabilities because of the growing sophistication of threat actors and the methods they use, and (2) demonstrate the need for entities to take action and its ability to respond, because US-CERT does not have the authority to compel agencies or organizations to take action in response to an incident. To accomplish this, DHS continued to enhance its network security program, referred to as "Einstein", but has not completed efforts to create and implement the third iteration, which involves intrusion prevention. DHS also expanded the Advanced Malware Analysis Center (AMAC) to provide the capability to respond and to assist in the mitigation of and recovery from incidents. For example, AMAC teams composed of malware analysts and forensic analysts can respond and deploy to 3 or more locations impacted by significant cybersecurity incidents and are complemented by US-CERT's incident management and detection and analysis capabilities. In addition, US-CERT created a quick response incident kit that contains all of the technical tools needed to assist in the response, collection, analysis, and mitigation of incidents and in making recommendations for the affected client.
Agency affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should address the challenges that impede DHS from fully implementing the key attributes, including engaging appropriate stakeholders in federal and nonfederal entities to determine ways to develop closer working and more trusted relationships.
DHS agreed with our recommendation and has taken a number of steps to improve its partnerships and enhance the level of trust with its federal and nonfederal stakeholders. Although one clearance program for private sector partners had been allowed to lapse and has been unable to accept new clearance nominations since November 2011, DHS has taken several other actions to develop closer working and more trusted relationships with both its public and private sector partners. For example, to develop closer relationships with its private sector partners, DHS allowed security-cleared owners and operators of critical infrastructure/key resources to access secret-level cybersecurity information and video teleconference calls via state and major urban area fusion centers. In addition, DHS embedded a full-time analyst and liaison from one information sharing and analysis center at the National Cybersecurity and Communications Integration Center as part of the ongoing effort to collocate private sector representatives alongside federal and state government counterparts, and it has participated in public and private sector working groups to promote information sharing and collaboration. To develop closer relationships within the federal sector, DHS has entered into a number of agreements. For example, DHS and DoD agreed to establish a DHS unit, led by a DHS senior official, to be embedded at DoD's National Security Agency to leverage mutual capabilities and more readily share cybersecurity information on significant cyber incidents. In addition, US-CERT continues to maintain a partnership with the Government Forum of Incident Response and Security Teams (GFIRST), a community of more than 50 incident response teams from various federal agencies.
Agency affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should address the challenges that impede DHS from fully implementing the key attributes, including expeditiously hiring sufficiently trained cyber analysts and developing strategies for hiring and retaining highly qualified cyber analysts.
DHS agreed with our recommendation and has implemented strategies to meet the continuing challenge of hiring sufficiently trained cyber analysts. For example, in late 2009, the Office of Personnel Management granted DHS the authority to use direct hiring 1,000 times to fill its authorized full-time positions/full-time equivalents for cybersecurity professionals as appropriated by Congress. As a result of its workforce initiative, DHS hired cybersecurity professionals throughout the department, including computer engineers, scientists, analysts, and IT specialists. For example, the National Cyber Security Division (NCSD) grew from 35 full-time positions in FY2008 to over 314 in June 2012. DHS also reported that it has substantially reduced the cycle time to hire and grant security clearances and has improved training opportunities to retain its top talent.
Agency affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should address the challenges that impede DHS from fully implementing the key attributes, including identifying and acquiring technological tools to strengthen cyber analytical capabilities and handling the steadily increasing workload.
DHS agreed with our recommendation and has made significant progress in acquiring technological tools. Although DHS will have to continually find ways to improve these tools to enhance its analytical capabilities because of the growing sophistication of threat actors and the methods they use, DHS has identified and acquired diverse tools to defend and protect federal executive branch networks and systems and to reduce their vulnerabilities. For example, to enhance its analytical capability, DHS has used these tools to passively observe network traffic to and from federal networks, alert when specific malicious network activity is detected, and provide increased insight into the nature of that activity. In addition, the Advanced Malware Analysis Center provides the technological ability to process 100 non-concurrent cases and to perform dynamic analysis of malicious software, resulting in a streamlined workflow and automatically created malware reports. Moreover, DHS is using an analysis tool to enhance its ability to track malicious activity and a database that gives the organization an organized, accessible, and centralized repository for data specifically related to cyber threats against critical infrastructure networks.
Agency affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should address the challenges that impede DHS from fully implementing the key attributes, including developing predictive analysis capabilities by defining terminology, methodologies, and indicators, and engaging appropriate stakeholders in other federal and nonfederal entities.
Although DHS agreed with our recommendation and took steps to enhance analytical capabilities, US-CERT officials stated that predictive analysis is still in the developmental stages.
Agency affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should address the challenges that impede DHS from fully implementing the key attributes, including filling key management positions and developing strategies for hiring and retaining those officials.
DHS agreed with our recommendation and has taken steps to fill key management positions. To attract top professionals in the scientific and cyber fields, DHS created the Loaned Executive Program. This program provides a mechanism by which DHS can obtain ad hoc, unpaid, short-term expertise by appointing appropriate individuals from the private sector to provide critical skills. Further, while DHS continues to face challenges in hiring and retaining key staff, as of August 2012, NCSD had 6 of its 8 SES/Director positions filled, 1 candidate completing security clearance processing, and only 1 position remaining vacant.
Agency affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should address the challenges that impede DHS from fully implementing the key attributes, including ensuring that there are distinct and transparent lines of authority and responsibility assigned to DHS organizations with cybersecurity roles and responsibilities, including the Office of Cybersecurity and Communications and the National Cybersecurity Center.
DHS created the National Cybersecurity and Communications Integration Center under the Office of Cybersecurity and Communications to serve as a centralized operations center for multiple DHS organizations, as well as other government entities and the private sector. Further, DHS issued the interim National Cyber Incident Response Plan, which assigns roles and responsibilities to DHS organizations, as well as others, in a national cyber emergency. However, DHS has not completed the detailed documents called for by the National Cyber Incident Response Plan. In particular, the charter and concept of operations for the Cyber Unified Coordination Group, the entity responsible for centralized coordination between public and private sector entities during a national cyber emergency, remain draft interim documents and are not in final form. Nevertheless, DHS has made significant progress in defining the lines of authority and responsibility for its entities. For example, DHS has developed a concept of operations (CONOPS) for US-CERT that describes US-CERT's roles and responsibilities as it interacts and collaborates with other DHS organizations such as the National Cybersecurity and Communications Integration Center, the Office of Emergency Communications, the Industrial Control Systems CERT, and the Office of Intelligence and Analysis.