Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities

GAO-05-434 May 26, 2005
Highlights Page (PDF)   Full Report (PDF, 78 pages)   Accessible Text   Recommendations (HTML)

Summary

Increasing computer interconnectivity has revolutionized the way that our government, our nation, and much of the world communicate and conduct business. While the benefits have been enormous, this widespread interconnectivity also poses significant risks to our nation's computer systems and, more importantly, to the critical operations and infrastructures they support. The Homeland Security Act of 2002 and federal policy established DHS as the focal point for coordinating activities to protect the computer systems that support our nation's critical infrastructures. GAO was asked to determine (1) DHS's roles and responsibilities for cyber critical infrastructure protection, (2) the status and adequacy of DHS's efforts to fulfill these responsibilities, and (3) the challenges DHS faces in fulfilling its cybersecurity responsibilities.

As the focal point for critical infrastructure protection (CIP), the Department of Homeland Security (DHS) has many cybersecurity-related roles and responsibilities that we identified in law and policy. DHS established the National Cyber Security Division to take the lead in addressing the cybersecurity of critical infrastructures. While DHS has initiated multiple efforts to fulfill its responsibilities, it has not fully addressed any of the 13 responsibilities, and much work remains ahead. For example, the department established the United States Computer Emergency Readiness Team as a public/private partnership to make cybersecurity a coordinated national effort, and it established forums to build greater trust and information sharing among federal officials with information security responsibilities and law enforcement entities. However, DHS has not yet developed national cyber threat and vulnerability assessments or government/industry contingency recovery plans for cybersecurity, including a plan for recovering key Internet functions. DHS faces a number of challenges that have impeded its ability to fulfill its cyber CIP responsibilities. These key challenges include achieving organizational stability, gaining organizational authority, overcoming hiring and contracting issues, increasing awareness about cybersecurity roles and capabilities, establishing effective partnerships with stakeholders, achieving two-way information sharing with these stakeholders, and demonstrating the value DHS can provide. In its strategic plan for cybersecurity, DHS identifies steps that can begin to address the challenges. However, until it confronts and resolves these underlying challenges and implements its plans, DHS will have difficulty achieving significant results in strengthening the cybersecurity of our critical infrastructures.



Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow up work.

Director:
Team:
Phone:
David A. Powner
Government Accountability Office: Information Technology
No phone on record


Recommendations for Executive Action


Recommendation: In order to improve DHS's ability to fulfill its mission as an effective focal point for cybersecurity, the Secretary of Homeland Security should engage appropriate stakeholders to prioritize key cybersecurity responsibilities so that the most important activities are addressed first, including responsibilities that are not detailed in the cybersecurity strategic plan: (1) perform a national cyber threat assessment; (2) facilitate sector cyber vulnerability assessments--to include identification of cross-sector interdependencies; and (3) establish contingency plans for cybersecurity, including recovery plans for key Internet functions.

Agency Affected: Department of Homeland Security

Status: In process

Comments: The agency has not yet provided sufficient evidence of its efforts to address this recommendation. We expect updated information by October 2007 and will review it at that time.

Recommendation: In order to improve DHS's ability to fulfill its mission as an effective focal point for cybersecurity, the Secretary of Homeland Security should require the National Cyber Security Division to develop a prioritized list of key activities for addressing the underlying challenges that are impeding execution of its responsibilities.

Agency Affected: Department of Homeland Security

Status: In process

Comments: The agency has not yet provided sufficient evidence of its efforts to address this recommendation. We expect updated information by October 2007 and will review it at that time.

Recommendation: In order to improve DHS's ability to fulfill its mission as an effective focal point for cybersecurity, the Secretary of Homeland Security should identify performance measures and milestones for fulfilling its prioritized responsibilities and for performing activities to address its challenges, and track organizational progress against these measures and milestones.

Agency Affected: Department of Homeland Security

Status: In process

Comments: The agency has not yet provided sufficient evidence of its efforts to address this recommendation. We expect updated information by October 2007 and will review it at that time.