Despite U.S.-CERT’s various accomplishments in the past few years, there are still many areas that need improvement, DHS’ Inspector General told members of the House Committee on Homeland Security.
During a hearing June 16, Richard Skinner told members that U.S.-CERT has had some successes but still doesn’t provide analysis and warning for the federal government as it should.
“U.S.-CERT is still hindered in its ability to provide an effective analysis and warning program for the federal government in a number of ways,” Skinner said. “U.S.-CERT does not have the appropriate enforcement authority to help mitigate security incidents. It is not sufficiently staffed to perform its mission.”
“Further, U.S.-CERT has not finalized and approved its performance measures and policies and procedures related to cybersecurity efforts,” he added.
One way to fix the current situation is to give U.S.-CERT enforcement authority, according to Skinner. Without the authority to enforce recommendations to protect federal systems and networks, U.S.-CERT will be limited in its ability to respond to the changed threat landscape.
“U.S.-CERT remains without enforcement authority,” he said. “Without the enforcement authority to implement recommendations, U.S.-CERT continues to be hindered in coordinating the protection of federal cyberspace.”
Another central problem for U.S.-CERT is that the organization lacks adequate staff, according to Skinner. The organization has an authorized 98 positions, yet as of January 2010, only 45 were filled.
“U.S.-CERT does not have sufficient staff to perform its 24×7 operations as well as to analyze security information timely,” he said. “Without sufficient staff, U.S.-CERT cannot completely fulfill its responsibilities to analyze data and reports to reduce cyber threats and vulnerabilities as well as support the public and private sectors.”
To cover the current staffing shortages, U.S.-CERT relies on contractor support, Skinner said. Another problem facing U.S.-CERT is the lack of a strategic plan that would formalize objectives, milestones and goals, he added.
“Without a strategic plan and performance measures, U.S.-CERT may have difficulty in achieving its goal to provide response support and defense against potential cyber attacks for the federal government,” Skinner said.
U.S.-CERT also needs to improve its information sharing with other federal agencies to ensure the timely mitigation of vulnerabilities and threats, Skinner asserted. A major impediment is the variety of classification levels and network architectures used throughout the federal government, which hinders U.S.-CERT’s ability to share information effectively.
“It is essential that U.S.-CERT and the public and private sectors share cybersecurity information to ensure that appropriate steps can be taken to mitigate the potential effect of a cyber incident,” Skinner said. “By sharing potential security threats collected through its data sources, U.S.-CERT can provide agencies with detailed information regarding attacks to their networks.”
The inability to monitor federal networks in real time is another problem, according to the IG. The tools currently used by U.S.-CERT don’t allow for real-time analysis, which makes it difficult for U.S.-CERT to adequately defend federal networks.
“U.S.-CERT is unable to monitor federal cyberspace in real time,” Skinner said. “As a result, U.S.-CERT will continue to be challenged in protecting the federal cyberspace from security-related threats.”
U.S.-CERT is currently working to address some of these issues, according to the IG. The organization has made progress in implementing a cyber program to help other agencies protect IT systems and has developed a mentoring program to develop employee cyber skills.
“While progress has been made, U.S.-CERT still faces numerous challenges in effectively reducing the cybersecurity risks and protecting the nation’s critical infrastructure,” Skinner said.