DHS needs power to compel agencies to fix security holes

"If you're not compliant, you need to be held accountable," Inspector General Richard Skinner said. Manuel Balce Ceneta/AP file

The Homeland Security Department doesn't have the power to compel agencies to fix known security vulnerabilities in their computer systems, a problem that keeps them vulnerable to cyberattacks, representatives from watchdog groups inside and outside the department said on Wednesday.

The U.S. Computer Emergency Readiness Team at DHS, created in 2003 to coordinate efforts to defend against cyberattacks, has made progress in developing capabilities to detect cyber incidents in networks governmentwide. But the team "does not have the appropriate enforcement authority to ensure that agencies comply with mitigation guidance concerning threats and vulnerabilities," said Richard Skinner, inspector general at DHS, in his testimony before the House Homeland Security Committee.

Gregory Wilshusen, director of information security issues at the Government Accountability Office, referenced during testimony a recent GAO report that found an intrusion detection system managed by US-CERT that monitors network traffic for potential malicious activity, called Einstein 2, had been deployed to only six federal agencies as of September 2009. Determining whether Einstein is helping government officials detect and respond to attacks remains difficult because DHS does not have the means to measure how agencies respond to security alerts.

DHS should have the authority to require agencies to fix known security vulnerabilities, Skinner said. "What then needs to be worked out is how they exercise that authority to compel compliance. . . . If you're not compliant, you need to be held accountable."

But even within agencies, existing federal security law makes it difficult for officials to force officials to work on network vulnerabilities, Wilshusen noted. "The Federal Information Security Management Act just said that [chief information officers] and certifying security officers are responsible for ensuring compliance [with the law], but not enforcing compliance. That one word made a difference."

A bill introduced in the Senate on June 10 would strengthen US-CERT's authority and update FISMA by requiring agencies to actively monitor networks for vulnerabilities. It also would transfer oversight of federal information security from the Office of Management and Budget to Homeland Security.

But giving DHS more authority won't drive agencies to fall in line because the department does not control cybersecurity funding, said Stewart Baker, a partner with the law firm Steptoe and Johnson LLP and former assistant secretary for policy at DHS.

"The difficulty with telling agencies what to do is that you're telling them to spend money that they were going to spend on something else on computer security," he said. "There needs to be support from OMB [to] either say, 'We can find the money,' or 'I'm sorry, take the cut.' "

A number of members of the committee pledged support for the Senate bill and vowed to introduce a House version.