The Department of Homeland Security has released a redacted version of an Inspector General’s report on the agency’s efforts to protect cyberspace and the nation’s cyber infrastructure. The report comes just as the Pentagon releases its cybersecurity strategy and the White House and Congress make significant announcements concerning cybersecurity legislation and oversight.
The report is based on a review of internal policies and procedures, and specifically addresses the agency’s progress implementing the recommendations in The National Strategy to Secure Cyberspace. It made ten recommendations, which management within DHS has already begun to implement, according to the report.
“DHS has made progress in working and sharing information with federal, state, and local governments and the public sector; raising cybersecurity awareness; and implementing educational programs that focus on cybersecurity,” the report stated. “However, significant work remains to address the open actions and recommendations and attain the goals outlined in the Strategy, National Infrastructure Protection Plan, and Comprehensive National Cybersecurity Initiative.”
The report noted the need for more robust planning, as well as a better trained workforce to address cyber challenges. DHS has the lead on combating cyber threats, in collaboration with federal, state and local governments, as well as industry, academia and international partners.
Information sharing was cited as a key progress area for DHS’ cybersecurity efforts. The Global Cyber Security Management Group is tasked with establishing cybersecurity education and training partnerships to do things such as standardize roles, skills and competencies.
One criticism is that the Cybersecurity and Communications office has not developed a strategic implementation plan outlining responsibilities, performance measures and milestones, and how it will address open actions and recommendations. Another criticism is that performance criteria and metrics have not been developed to track progress against priorities. In response to these criticisms, the IG report noted four recommendations concerning the establishment of priorities, roles and responsibilities; strategic planning aligned with organization goals; and the development of performance criteria and progress measurement.
The other IG focus area related to training and system vulnerabilities. A DHS-administered database used to track cyber intrusions and system vulnerabilities has issues of its own, according to the report. Both contract and government personnel with access to secure systems were noted as having expired training certificates. Heavily redacted paragraphs outlined system vulnerabilities that put data at risk.
The final six recommendations included in the report related to the technical vulnerabilities created by improper account access and lack of training among personnel.
The IG report’s release earlier this month came just a week before a much-hyped Pentagon cyber strategy, focused on improving defenses and the need for cyber-trained personnel. The White House’s International Strategy for Cyberspace was released at a press conference in May.