DHS has dropped the ball on network security: report

Department of Homeland Security agency lacks authority and staff to do the job

Bleak doesn't begin to describe the picture painted by this morning's news coverage of a 35-page government report scoring - and excoriating - the nation's ongoing inability to protect critical network operations from cyber attack.

From an Associated Press story:

The federal agency in charge of securing the government's computer systems is unable to monitor the networks or analyze threats in real time, and it lacks the authority and staff it needs to do its job, according to an internal report.

The U.S. Computer Emergency Readiness Team must share information about threats and trends more quickly and in greater detail with other federal departments so they can better protect themselves, the audit said.

Wired.com, unrestricted by the journalistic conventions of Associated Press, put the matter more succinctly in a story headlined: "DHS Geek Squad: No Power, No Plan, Lots of Vacancies."

Back in 2003, the Department of Homeland Security set up with U.S. Computer Emergency Readiness Team (US-CERT) to spot vulnerabilities in the government's networks, and coordinate responses when those flaws are exploited. But seven years later, US-CERT is still "without a strategic plan," DHS Inspector General Richard Skinner tells the House Homeland Security Committee.

The group is working at less than half-strength, with 45 of 98 positions filled. And when US-CERT finds holes in the networks, all it can do is gently suggest recommendations to other federal agencies. Those other groups don't have to listen.

Federal Computer Week has more on the hiring challenges:

(Greg Schaffer, DHS' assistant secretary for cybersecurity and communications) said that DHS is moving quickly to hire more cybersecurity staff. He said that at the start of fiscal 2009, US-CERT only had 16 DHS staff members compared to today's 55 with plans to hire 25 more staff by the end of September. US-CERT is supported by many more contractors.

"The type of people that we need to hire...are not easily found. The skill sets that we are looking for are very specific and are very high-level," Schaffer said. "They are sought after by every department and agency that is trying to implement their program, by the private sector players who are anxious to ensure that their systems are defended."

The Wall Street Journal delves into some of the detail:

The department's implementation of its flagship cybersecurity program, dubbed Einstein, has been particularly rocky, (Inspector General Richard) Skinner found.

Einstein is supposed to identify possible intrusions into government computer systems and provide agencies information to repair the security breach. But it and other tools aren't collecting information fast enough to protect government systems.

"US-CERT is unable to monitor federal cyberspace in real time," according Mr. Skinner's prepared remarks. "As a result, US-CERT will continue to be challenged in protecting the federal cyberspace from security-related threats."

And, toward the end of its story, the Wall Street Journal quotes an anonymous source who suggests that the inspector's general's scathing report was actually a bit sugar-coated.

"US-CERT is buried deep within [Homeland Security] with no authorities, period," said a former U.S. cybersecurity official. "Anything buried that deep within an organization is just riddled with politics."

Mr. Skinner's report "only said 50% of what was wrong," the former official added. "It's just a shame that it's in that bad a shambles."

Now the only question that matters is whether anyone in Washington will be able to do anything about it.

Welcome regulars and passersby. Here are a few more recent Buzzblog items. And, if you'd like to receive Buzzblog via e-mail newsletter, here's where to sign up.

2010's 25 Geekiest 25th Anniversaries.

Good news for the economy: More people are quitting their jobs.

Scientist 'infected by computer virus' catches publicity fever

        8 in 10 browsers leave identifiable "fingerprints," EFF warns.

How many zettabytes can dance on the had of a pin?

Dear Apple: Please make "magical" disappear from your iPad marketing.

How the 'Net would have saved Coke from New Coke.

I have absolutely nothing to say about the iPad.

Clever video technique shows there really are two sides to any story.

Doing the Laptop Drive of Shame, Part III

True: This site is not Snopes.com

Cell-phone gabber in fast-food line gets his just deserts

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2010 IDG Communications, Inc.