Cyber Analysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capability

GAO-08-588 July 31, 2008
Highlights Page (PDF)   Full Report (PDF, 67 pages)   Accessible Text   Recommendations (HTML)

Summary

Cyber analysis and warning capabilities are critical to thwarting computer-based (cyber) threats and attacks. The Department of Homeland Security (DHS) established the United States Computer Emergency Readiness Team (US-CERT) to, among other things, coordinate the nation's efforts to prepare for, prevent, and respond to cyber threats to systems and communications networks. GAO's objectives were to (1) identify key attributes of cyber analysis and warning capabilities, (2) compare these attributes with US-CERT's current capabilities to identify whether there are gaps, and (3) identify US-CERT's challenges to developing and implementing key attributes and a successful national cyber analysis and warning capability. To address these objectives, GAO identified and analyzed related documents, observed operations at numerous entities, and interviewed responsible officials and experts.

Cyber analysis and warning capabilities include (1) monitoring network activity to detect anomalies, (2) analyzing information and investigating anomalies to determine whether they are threats, (3) warning appropriate officials with timely and actionable threat and mitigation information, and (4) responding to the threat. GAO identified 15 key attributes associated with these capabilities. While US-CERT's cyber analysis and warning capabilities include aspects of each of the key attributes, they do not fully incorporate all of them. For example, as part of its monitoring, US-CERT obtains information from numerous external information sources; however, it has not established a baseline of the nation's critical network assets and operations. In addition, while its analysis investigates whether identified anomalies constitute actual cyber threats or attacks, it does not integrate this work into predictive analyses. Further, it provides warnings by developing and distributing a wide array of notifications; however, these notifications are not consistently actionable or timely.

US-CERT faces a number of newly identified and ongoing challenges that impede it from fully incorporating the key attributes and thus from coordinating the national efforts to prepare for, prevent, and respond to cyber threats. The newly identified challenge is creating warnings that are consistently actionable and timely. Ongoing challenges that GAO previously identified, and made recommendations to address, include employing predictive analysis and operating without organizational stability and leadership within DHS, including possible overlapping roles and responsibilities. Until US-CERT addresses these challenges and fully incorporates all key attributes, it will not have the full complement of cyber analysis and warning capabilities essential to effectively performing its national mission.
Recommendations

Our recommendations from this work are listed below, along with a contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: David A. Powner
Team: Government Accountability Office: Information Technology
Phone: No phone on record


Recommendations for Executive Action
Recommendation: To fully establish a national cyber analysis and warning capability, the Secretary of Homeland Security should address deficiencies in each of the attributes identified for monitoring, including establishing a comprehensive baseline understanding of the nation's critical information infrastructure and engaging appropriate nonfederal stakeholders to support a national-level cyber monitoring capability.

Agency Affected: Department of Homeland Security

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To fully establish a national cyber analysis and warning capability, the Secretary of Homeland Security should address deficiencies in each of the attributes identified for analysis, including expanding its capabilities to investigate incidents.

Agency Affected: Department of Homeland Security

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To fully establish a national cyber analysis and warning capability, the Secretary of Homeland Security should address deficiencies in each of the attributes identified for warning, including ensuring consistent notifications that are targeted, actionable, and timely.

Agency Affected: Department of Homeland Security

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To fully establish a national cyber analysis and warning capability, the Secretary of Homeland Security should address deficiencies in each of the attributes identified for response, including ensuring that US-CERT can assist in the mitigation of and recovery from simultaneous severe incidents, among them incidents of national significance.

Agency Affected: Department of Homeland Security

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should address the challenges that impede DHS from fully implementing the key attributes, including engaging appropriate stakeholders in federal and nonfederal entities to determine ways to develop closer working and more trusted relationships.

Agency Affected: Department of Homeland Security

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should address the challenges that impede DHS from fully implementing the key attributes, including expeditiously hiring sufficiently trained cyber analysts and developing strategies for hiring and retaining highly qualified cyber analysts.

Agency Affected: Department of Homeland Security

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should address the challenges that impede DHS from fully implementing the key attributes, including identifying and acquiring technological tools to strengthen cyber analytical capabilities and to handle the steadily increasing workload.

Agency Affected: Department of Homeland Security

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should address the challenges that impede DHS from fully implementing the key attributes, including developing predictive analysis capabilities by defining terminology, methodologies, and indicators, and engaging appropriate stakeholders in other federal and nonfederal entities.

Agency Affected: Department of Homeland Security

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should address the challenges that impede DHS from fully implementing the key attributes, including filling key management positions and developing strategies for hiring and retaining those officials.

Agency Affected: Department of Homeland Security

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should address the challenges that impede DHS from fully implementing the key attributes, including ensuring that there are distinct and transparent lines of authority and responsibility assigned to DHS organizations with cybersecurity roles and responsibilities, including the Office of Cybersecurity and Communications and the National Cybersecurity Center.

Agency Affected: Department of Homeland Security

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.