Report Takes Homeland Security Department To Cyber-Woodshed

An internal audit says the department's efforts to defend against hackers, computer criminals, and cyberterrorists have serious problems.

InformationWeek Staff, Contributor

July 23, 2004

The Department of Homeland Security's efforts to defend against hackers, computer criminals, and even techno-terrorists are plagued by serious problems that leave the country vulnerable, an internal audit said.

The report, which was compiled and issued by the agency's inspector general, Clark Ervin, both praised the department and took it to task. "Despite the progress made, DHS faces significant challenges in developing and implementing a program to protect our national cyber-infrastructure," Ervin's report said.

The report focused on the department's National Cyber Security Division, a unit created last June that was to tackle Internet and network security. If the division's shortcomings continue, the report noted, they could leave the country's government and commercial computer networks vulnerable at a time when security threats are at an all-time high and expected to only increase in the future.

The NCSD "must address these issues to reduce the risk that the critical infrastructure may fail due to cyberattacks," the report said. If it doesn't, the consequences of an attack on networks and other technology infrastructure "can have a significant negative effect on the United States."

Computer attacks already cause billions of dollars in direct damages and indirect losses every year.

Many of the report's findings point to a problem that mimics those in the recently released 9/11 Commission's report, which noted that a breakdown of communication contributed to the terrorist attacks' success.

"NCSD has not instituted a formal communications process within DHS, or within the government, private, intelligence, or international communities. The communications process is critical to encouraging the sharing of critical cyberthreat and vulnerability information," the report said.

Other problems within the division uncovered by the audit include an inability to prioritize its initiatives, a lack of long-range plans with milestones that would give Congress a clue as to progress, and a failure to identify the resources it needs.

The NCSD was not immediately available for comment. But in a previous interview, Amit Yoran, the director of the NCSD and a former VP at security firm Symantec Corp., rejected charges that progress in his division has been slow.

Ervin's report did applaud the division in several areas. The creation last year of the United States Computer Emergency Response Team, which is to act as the coordinator of computer security information, and the establishment of the National Cyber Alert System in January were singled out as important accomplishments.

The report made a number of recommendations to the division's overseeing directorate. According to Ervin, all the recommendations have been taken to heart by the agency, but because none of the problems have been fully addressed, he's standing by the report. "The resulting widespread disruption of essential services after a cyberattack could delay the notification of emergency services, damage our economy, and put public safety at risk," the report concluded.
