The Harlow Report - GIS

ISSN 0742-468X
Since 1978
On-line Since Y2K



DHS’s Responsibilities for Cybersecurity

Part of the war on terrorism and the war on crime centers on protecting our critical infrastructure. In case you have not noticed, we are no longer an agricultural society. In fact, while we may be considered a services society, it is important to note that these services depend almost wholly on this nation's IT infrastructure.

It would be nice to think that we can sit back and let the government protect us, but the reality is that this is a joint responsibility between the government, law enforcement and those of us who use information technology to provide our services.

The GAO and Congress

In its testimony before the Subcommittee on Federal Financial Management, Government Information, and International Security, Senate Committee on Homeland Security and Governmental Affairs, the GAO (Government Accountability Office) presented the findings of its CRITICAL INFRASTRUCTURE PROTECTION: Challenges in Addressing Cybersecurity report.

The GAO is this government's watchdog. They prepared this particular report because increasing computer interconnectivity has revolutionized the way that our government, our nation, and much of the world communicate and conduct business. While the benefits have been enormous, this widespread interconnectivity also poses significant risks to our nation's computer systems and, more importantly, to the critical operations and infrastructures they support. The Homeland Security Act of 2002 and federal policy established the Department of Homeland Security (DHS) as the focal point for coordinating activities to protect the computer systems that support our nation's critical infrastructures. GAO was asked to summarize previous work, focusing on (1) DHS's responsibilities for cybersecurity-related critical infrastructure protection (CIP), (2) the status of the department's efforts to fulfill these responsibilities, (3) the challenges it faces in fulfilling its cybersecurity responsibilities, and (4) recommendations GAO has made to improve cybersecurity of our nation's critical infrastructure.

Cybersecurity and DHS

DHS's Key Cybersecurity Responsibilities:

  1. Develop a national plan for critical infrastructure protection, including cybersecurity.
  2. Develop partnerships and coordinate with other federal agencies, state and local governments, and the private sector.
  3. Improve and enhance public/private information sharing involving cyber attacks, threats, and vulnerabilities.
  4. Develop and enhance national cyber analysis and warning capabilities.
  5. Provide and coordinate incident response and recovery planning efforts.
  6. Identify and assess cyber threats and vulnerabilities.
  7. Support efforts to reduce cyber threats and vulnerabilities.
  8. Promote and support research and development efforts to strengthen cyberspace security.
  9. Promote awareness and outreach.
  10. Foster training and certification.
  11. Enhance federal, state, and local government cybersecurity.
  12. Strengthen international cyberspace security.
  13. Integrate cybersecurity with national security.

What the GAO Found:

As the focal point for CIP, the Department of Homeland Security (DHS) has many cybersecurity-related roles and responsibilities that GAO identified in law and policy (see list above for 13 key responsibilities). DHS established the National Cyber Security Division to take the lead in addressing the cybersecurity of critical infrastructures.

While DHS has initiated multiple efforts to fulfill its responsibilities, it has not fully addressed any of the 13 responsibilities, and much work remains ahead. For example, the department established the United States Computer Emergency Readiness Team (CERT) as a public/private partnership to make cybersecurity a coordinated national effort, and it established forums to build greater trust and information sharing among federal officials with information security responsibilities and law enforcement entities. However, DHS has not yet developed national cyber threat and vulnerability assessments or government/industry contingency recovery plans for cybersecurity, including a plan for recovering key Internet functions.

DHS faces a number of challenges that have impeded its ability to fulfill its cybersecurity-related CIP responsibilities. These key challenges include achieving organizational stability, increasing awareness about cybersecurity roles and capabilities, establishing effective partnerships with stakeholders, and achieving two-way information sharing with these stakeholders. In its strategic plan for cybersecurity, DHS identifies steps that can begin to address the challenges. However, until it confronts and resolves these underlying challenges and implements its plans, DHS will have difficulty achieving significant results in strengthening the cybersecurity of our critical infrastructures, according to the report. In recent years, GAO has made a series of recommendations to enhance the cybersecurity of critical infrastructures that, if effectively implemented, could greatly improve our nation's cybersecurity posture.