GAO report questions DHS cybersecurity efforts

WASHINGTON - The U.S. Department of Homeland Security (DHS) has failed to fulfill the cybersecurity responsibilities it has been assigned since its creation in January 2003, according to a government report released Thursday.

DHS has not created national cyber vulnerability assessments or government and industry recovery plans for cyber attacks, according to the report, issued by the U.S. Government Accountability Office (GAO). The agency has "not fully addressed any" of its 13 key cybersecurity areas, the GAO report said.

Cyber attacks are becoming more and more likely to threaten vital national infrastructure, the report says, and the tools to launch cyber attacks are becoming more and more easy to find.

DHS needs to address several challenges, including more organizational stability in its National Cyber Security Division, better awareness of its cybersecurity roles, and better partnerships with private industry, the GAO report said. "Much work remains ahead," the GAO report said. "Until it confronts and resolves these underlying challenges and implements its plans, DHS will have difficulty achieving significant results in strengthening the cybersecurity of our critical infrastructure."

DHS disagreed with the report's "overall conclusion," although the agency agrees that it has many cybersecurity challenges, said DHS spokesman Kirk Whitworth. "The department has taken aggressive measures to enhance cybersecurity throughout our nation," he said.

Among DHS's key cybersecurity responsibilities: identifying and assessing cyber threats, promoting cybersecurity awareness, improving government cybersecurity, and promoting cybersecurity research.

DHS has taken several steps to improve cybersecurity, including establishing the U.S. Computer Emergency Readiness Team to respond to cyber threats and it has improved communication on cyber issues between federal offices and law enforcement officers, the GAO report said. But the report recommends DHS takes several steps to improve cybersecurity, such as performing a national cyber threat assessment, setting priorities for addressing the agency's cybersecurity challenges, and creating a way to track cybersecurity improvements at DHS.

The GAO report will come as no surprise to many IT vendors and trade groups, which have called for DHS to focus more on cybersecurity issues. DHS needs to better work with the private sector and provide cybersecurity leadership, said Harris Miller, president of the Information Technology Association of America (ITAA), in an interview earlier this month. The ITAA and other groups have called for DHS to appoint an assistant secretary for cybersecurity, instead of the current lower-level director of cybersecurity, as a way to bring more attention to cybersecurity issues.

"Have we made enough progress yet in those areas?" Miller said. "I think the clear answer is no."

Democrats in Congress criticized DHS for a lack of attention on cybersecurity after the report was released. Representative Zoe Lofgren, the top Democrat on the House Homeland Security Subcommittee on Cybersecurity, said DHS needs a higher-level cybersecurity leader. Lofgren, from California, asked for the report, along with subcommittee Chairman Mac Thornberry, a Texas Republican.

"This GAO report only confirms what we have known all along -- that DHS has failed to meet the responsibility for critical infrastructure protection," Lofgren said in a statement. "And even worse, this report proves that a national plan to secure our cyber networks is virtually nonexistent. There is no doubt that these vulnerabilities will continue to hamper our homeland security efforts if we do not make cyber security a major priority."