Watchdog: DHS Still Struggles with Cyber Response

The Department of Homeland Security is responsible for the gargantuan task of securing federal civilian agency computer networks from cybersecurity threats.

Recent legislative proposals -- offered in the wake of the massive breach of federal personnel records this past summer -- advocate expanding the agency’s role in protecting the dot-gov domain.

But according to a new watchdog report, the agency still struggles to coordinate its cyber-response activities and lacks an automated information-sharing tool to share cyberthreat data between components within the department -- let alone between government and the private sector, which the Obama administration and some lawmakers have been pressing for.

That’s according to a Sept. 4 memo from DHS Inspector General John Roth, published Tuesday, and sent to officials in Homeland Security’s National Protection and Programs Directorate, U.S. Immigration and Customs Enforcement and the U.S. Secret Service.

In addition, the IG found scattershot training for cybersecurity professionals in the department. with some analysts paying for their own training courses to keep their skills fresh.

DHS Lacks Departmentwide Strategy

Confusion abounds about the roles of various DHS components when it comes to responding to cyberincidents, according to the IG.

Cyber personnel across ICE, NPPD and the Secret Service -- three of the DHS components with the heaviest cybersecurity workload -- “do not have a clear understanding of each other’s responsibilities and operational and investigative capabilities as needed to effectively coordinate and collaborate to fulfill DHS’ cyber mission,” the IG’s memo stated.

For example, cyber personnel at DHS headquarters told the IG they were not familiar with extent of ICE’s cyber responsibilities, which includes child exploitation and computer forensic investigations.

“This lack of understanding has led to conflicts regarding assignments and response to incidents,” the IG noted. ICE cyber analysts told investigators some incidents had been referred to the wrong part of DHS or even erroneously referred to outside agencies.

“Ultimately, this confusion may have restricted DHS from using all of its cybersecurity capabilities or caused delays in its response and recovery efforts,” the IG concluded.

Last December, Homeland Security stood up a new policy shop to coordinate DHS components’ cybersecurity activities. However, the office’s limited staff has been slow to make headway setting out clear lines of authority.

DHS management told the IG it has since created a “2015 Cyber Strategy,” vetted by its components and submitted in July for final approval. The new strategy mandates an implementation plan within 90 days.

IG: DHS Needs Automated Threat Sharing

DHS components also struggle to communicate in real-time about cyber incidents, because the agency lacks a departmentwide capability for sharing cyberthreat and vulnerability information.

The current process, a hodgepodge of reporting methods, “has limited the analysts’ and investigators’ abilities to develop a comprehensive picture of the incidents or correlations and trends among cyber attacks,” investigators concluded.

Senior officials “acknowledged the need for a system that can integrate component data to provide a continuously updated, comprehensive picture” of cyberthreats, auditors noted. “However, such a system has not been established because the department currently does not have the infrastructure to support an enterprisewide system.”

The IG recommended DHS cyber officials develop a plan for rolling out new automated information-sharing capabilities. DHS management agreed with the recommendation, saying the agency’s chief information officer and deputy and deputy undersecretary for cybersecurity and communications have already begun work to share cyberthreat information to improve civilian agency network defense.

Broader sharing of threat indicators in near real time is expected to be in place by September 2016.

Training: Skills Gaps and Duplicative Costs

The IG also criticized the lack of coordinated cybersecurity training across the department.

Components arrange their own training, “incurring significant, duplicative costs,” in some cases, according to the IG, and contributing to skills gaps in others.

DHS components told auditors they were cutting back on training because of budget shortfalls.

One ICE analyst told the IG he had not attended any formal training in four years, in part because of the sequester budget cuts and that he had invested his own time and money to obtain the necessary training.

Investigators recommended DHS management develop an agencywide cybersecurity training curriculum.

“Without developing the departmentwide training program, component personnel may not posses the skills necessary to perform their assigned incident response duties or investigative responsibilities in the event of a cyberattack,” the IG report stated.