Wednesday, September 17, 2008

U.S. Cyber Security Not Adaquate

The U.S. Government Accountability Office (GAO) has released a report (originally dated July 2008) critical of the U.S. Government's cyber security.

The report defined, in part, the threat:
"There is increasing concern among both government officials and industry experts regarding the potential for a cyber attack on the national critical infrastructure, including the infrastructure’s control systems. The Department of Defense (DOD) and the Federal Bureau of Investigation, among others, have identified multiple sources of threats to our nation’s critical infrastructure, including foreign nation states engaged in information warfare, domestic criminals, hackers, virus writers, and disgruntled employees working within an organization. In addition, there is concern about the growing vulnerabilities to our nation as the design, manufacture, and service of information technology have moved overseas. For example, according to media reports, technology has been shipped to the United States from foreign countries with viruses on the storage devices. Further, U.S. authorities are concerned about the prospect of combined physical and cyber attacks, which could have devastating consequences. For example, a cyber attack could disable a security system in order to facilitate a physical attack."
The GAO broadly assessed operations in four areas: Monitoring, Analysis, Warning and Response and found issues in each domain.

One of the key challenges the report identified was organizational and management issues within the U.S. Department of Homeland Security (DHS) stating that the cyber security initiative is:
"...operating without organizational stability and leadership within DHS—the department has not provided the sustained leadership to make cyber analysis and warning a priority. This is due in part to frequent turnover in key management positions that currently also remain vacant. In addition, US-CERT’s role as the central provider of cyber analysis and warning may be diminished by the creation of a new DHS center at a higher organizational level."

Until DHS addresses these challenges and fully incorporates all key attributes into its capabilities, it will not have the full complement of cyber analysis and warning capabilities essential to effectively performing its national mission."

CRITICAL INFRASTRUCTURE PROTECTION: DHS Needs to Better Address Its Cybersecurity Responsibilities

No comments: