While other people peruse light or trashy novels on the beach, I spent the summer reading through government reports on cybersecurity.
I was reviewing a GAO report from June 25, 2009 titled, "Cybersecurity, Continued Federal Efforts are Needed to Protect Critical Systems and Information," when I came across some rather shocking declarations buried in the report that are worth calling attention to.
The report assesses cybersecurity status and progress throughout DHS including at the United States Computer Emergency Readiness Team or US-CERT. On its website, US-CERT says that it is, "charged with providing response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with state and local government, industry, and international partners." So in the event of a devastating cyber attack, we all count upon US-CERT to detect the event, collect and share data, and then manage the response effort throughout the government and private sector.
Clearly, this is a central role for event detection, analysis, and response. Unfortunately, US-CERT may not be capable of performing these critical tasks. The GAO Report states that US-CERT:
1. "Has not established a baseline of the nation's critical network assets and operations." Translation: We can't really tell if there is a problem since we don't know what we have or how it normally behaves.
2. "Also provided warnings by developing and distributing a wide array of attack and other notifications; however these notifications were not consistently actionable or timely." Translation: US-CERT is distributing useless information so people will ignore it.
3. "Did not possess the resources to handle multiple events across the nation." Translation: We may be okay if cyber terrorists attack us using the Melissa virus, but if they launch simultaneous attacks across distributed critical infrastructure, we're screwed.
The section concludes with this bureaucratic but frightening statement, "we also concluded that without fully implementing the key attributes, US-CERT did not have the full complement of cyber analysis and warning capabilities essential to effectively perform its national mission."
Holy cow! Senators Rockefeller and Snowe are working on a cybersecurity bill, President Obama is looking for a cybersecurity coordinator, and at the same time, the GAO is telling us that US-CERT isn't prepared for a cyber attack.
In my humble opinion, Washington's urgency and priorities around cybersecurity have to change quickly. We need action, not political horse trading, lobbying, and legislative agendas. Must we suffer an attack before this happens?