Topics: Security

GAO States Obvious: U.S. Cybersecurity Is Stinko

Posted by George Hulme, Sep 16, 2008 11:42 PM

The Government Accountability Office finds government's cybersecurity efforts lacking.

First, anyone have any idea why the U.S. government refers to information security as "cybersecurity?" I thought the term cyberspace went out of fashion about a decade ago. I guess it's better than referring to IT security as "Information Super-Highway" security.

Regardless of the nomenclature, if you want to be able to use "The Google," it’s very important that we keep all of the tubes on the Internet clean.

Back to the GAO's national information security findings. In a nutshell, the GAO found a number of challenges faced by the U.S. Computer Emergency Readiness Team in its charter to help secure the national IT infrastructure. (I'm sorry, but I just can't use the term "cyberspace" or "cybersecurity" -- simply makes the discipline sound silly).

The fascinating point I gleaned from the report is the number of new shortcomings the GAO proffered, compared with those they previously recommended. First, there is only one new challenge, straight from the GAO's report:

The newly identified challenge is creating warnings that are actionable and timely -- US-CERT does not consistently issue warnings and other notifications that its customers find useful.
I've always appreciated US-CERT's warnings as thorough and having no ax to grind, like many security vendors seem to have. My beef with US-CERT's warnings is that, at least the public one's I'm privy to, seem so late.

Here's the long list of shortcomings the GAO has previously informed all branches of our government that still remain unfixed:

• employing predictive cyber analysis -- the organization has not established the ability to determine broader implications from ongoing network activity, predict or protect against future threats, or identify emerging attack methods;
• developing more trusted relationships to encourage information sharing -- federal and nonfederal entities are reluctant to share information because US-CERT and these parties have yet to develop close working and trusted relationships that would allow the free flow of information;

• having sufficient analytical and technical capabilities -- the organization has difficulty hiring and retaining adequately trained staff and acquiring supporting technology tools to handle a steadily increasing workload; and

• operating without organizational stability and leadership within DHS -- the department has not provided the sustained leadership to make cyber analysis and warning a priority. This is due in part to frequent turnover in key management positions that currently also remain vacant. In addition, US-CERT's role as the central provider of cyber analysis and warning may be diminished by the creation of a new DHS center at a higher organizational level.

Until DHS addresses these challenges and fully incorporates all key attributes into its capabilities, it will not have the full complement of cyber analysis and warning capabilities essential to effectively performing its national mission.

Accordingly, we are making 10 recommendations to the Secretary of Homeland Security to improve DHS's cyber analysis and warning capabilities by implementing key cyber analysis and warning attributes and addressing the challenges, including:

• developing close working and more trusted relationships with federal and nonfederal entities that would allow the free flow of information,

• expeditiously hiring sufficiently trained staff and acquiring supporting technology tools to handle the steadily increasing workload,

• ensuring consistent notifications that are actionable and timely,

• filling key management positions to provide organizational stability and leadership, and

• ensuring that there are distinct and transparent lines of authority and responsibility assigned to DHS organizations with cybersecurity roles and responsibilities.
In written comments

What I find frustrating is that most of this stuff was heavily discussed and debated toward the end of 2002 and throughout 2003. The good news is that the GAO only found one new shortcoming. So while the situation isn't improving, it isn't getting much worse, either. That's one way we can look at it. Right?

To be clear: I'm not casting blame on US-CERT, because I'm not sure if these failings are not being rectified because of lack of DHS leadership, lack of budget from Congress, or lack of organizational will within the US-CERT -- or a blend of all of those reasons.

I do know what needs to get done isn't getting done.

« Web 2.0: Unison And Ubuntu | Main | Is Google Going To Buy Gaming Company Valve, Maker Of Half-Life? »

This is a public forum. United Business Media and its affiliates are not responsible for and do not control what is posted herein. United Business Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of United Business Media LLC and may be edited and republished in print or electronic format as outlined in United Business Media's Terms of Service.

Important Note: This comment area is NOT intended for commercial messages or solicitations of business.

Blog Categories
Healthcare Cloud Computing Enterprise 2.0 Digital Life Grok On Google Over The Air Outsourcing Global CIO Startup City Information Management Content Management Green Computing Full Nelson Unified Communications	Hardware Government IT Analytics Tech Stocks Interop Security Microsoft Apple Unvarnished Open Source Wolfe's Den David Berlind's Tech Radar Virtualization Storage Backup and Business Continuity
Blog Homepage