Our tax dollars, almost at work

Cybersecurity is an ever-more important issue in these troubled times. As one measure, the CERT has issued a couple hundred Technical Cyber Alerts so far this year. I’m not sure that the most effective way to fight this problem is to create another government bureaucratic effort; the government-funded CERT/CC has done quite well over the years and private efforts such as Symantec’s security response Web site do an excellent job in the areas they cover. But, if there is to be a government effort, it would be nice if we got more for our tax dollars than we have from DHS.

About a year and a half ago the U.S. government released the National Strategy to Protect Cyberspace. This report was mostly to get the Department of Homeland Security to organize, support and communicate responses to and protection from attacks on the U.S. cybertechnology infrastructure. Now the DHS Office of Inspector General has issued a report card on how DHS is doing that paints a mixed, but on the whole not very good, picture.

The cyberspace strategy was comprehensive. It described five priorities DHS should take into account when considering U.S. cybersecurity and recommended eight specific actions.

According to the strategy, the highest priority was development of a national cyberspace security response system. The other priorities included: development of national cyberspace security programs for threat and vulnerability reduction systems; creation of programs for awareness and training; development of ways to secure government cyberspace; and establishment of national and international cybersecurity cooperation.

The eight actions listed in the strategy provide specific suggestions on ways to achieve these priorities.

The report card, titled “Progress and Challenges in Securing the Nation’s Cyberspace”  notes that DHS has done a few cybersecurity things over the last year that were called for, but mostly says that DHS needs to do better.

DHS established a National Cyber Security Division (NCSD) about year ago to focus on its cybersecurity efforts. NCSD then established the U.S. Computer Emergency Readiness Team (US-CERT). Its Web site, www.us-cert.gov, has some useful information. But it seems to be largely redundant with the 15-year-old CERT Coordination Center (CERT/CC) at www.cert.org run under federal contract by Carnegie Mellon University when it comes to information about specific cybersecurity attacks and countermeasures.

NCSD also established the National Cyber Alert System, a trio of mailing lists run by US-CERT.

According to the report card, these lists had very little traffic even though a quarter of a million people had subscribed to one or more of them. NCSD also participated in a communication and coordination exercise run by Dartmouth College, hosted a National Cyber Security Summit and set up three government organizations dealing with U.S. government cybersecurity. This level of achievement seems low considering an annual budget of more than $75 million for the cybersecurity activity.

The report card said NCSD has yet to figure out how to prioritize its activities, set specific milestones for itself or figure out just how much money it will need to do its job. Nor has NCSD developed a strategic plan, the report said, defined a way to measure its performance, developed a formal communications process within itself and with other organizations, or figured out how to provide formal guidance on cybersecurity issues to the DHS.

Cybersecurity is an ever-more important issue in these troubled times. As one measure, the CERT has issued a couple hundred Technical Cyber Alerts so far this year. I’m not sure that the most effective way to fight this problem is to create another government bureaucratic effort; the government-funded CERT/CC has done quite well over the years and private efforts such as Symantec’s security response Web site do an excellent job in the areas they cover. But, if there is to be a government effort, it would be nice if we got more for our tax dollars than we have from DHS.

Disclaimer: Lots of our tax money pays for research at Harvard. I’m sure it is all perfectly justified, but I did not ask the university for its opinion.