By Jonathan Krim Washington Post Staff Writer
Friday, July 23, 2004; Page E01
The Department of Homeland Security's efforts to battle computer-network and Internet attacks by hackers and other cyber-criminals suffer from a lack of coordination, poor communication and a failure to set priorities, according to an internal report released yesterday.
The report, by the department's inspector general, said the shortcomings of the National Cyber Security Division leave the country vulnerable to more than mere inconvenience to businesses and consumers.
The division "must address these issues to reduce the risk that the critical infrastructure may fail due to cyber attacks," the report said. "The resulting widespread disruption of essential services after a cyber attack could delay the notification of emergency services, damage our economy and put public safety at risk."
Among the report's recommendations is that the division develop a process for overseeing efforts of federal, state and local governments to better protect their systems.
The report cited progress in some areas since the division was formed in June 2003 as part of the federal reorganization that created the DHS. It praised the creation of a cyber-security coordination center called US-CERT, and an alert system that includes a Web site and automated notification to tech-security professionals of security threats making their way through cyberspace.
But the report comes at a time of heightened frustration among technology company executives and members of Congress that cyber-security is not getting enough attention and is poorly understood by some senior department officials. The issue is not just the possibility of a broad cyber-terrorist attack, those people say, but the daily attacks that are costing U.S. businesses and computer users hundreds of millions of dollars a year and countless hours of lost productivity.
"If we are at war, as Bush and [Homeland Security Secretary Tom] Ridge say we are . . . based on this report, we are clearly not on a war footing on cyber-security, or in DHS," said F. William Conner, chief executive of Entrust Inc., a Texas cyber-security company. "I read about the progress, but they've got the wrong measuring stick. Progress has to be measured against external risk."
Especially irksome to some executives and security experts is that the department has not adopted some of the practices they argue that government agencies, companies and organizations should employ to reduce the risk of cyber-attacks.
"The department as a whole isn't leading by example," said Alan Paller, head of the SANS Institute in Bethesda, a computer security research group. Paller, who praises some of the cyber division's work, said the department should take the lead in using its buying power to demand that software vendors make their products more secure. Paller said the agency is not doing so.
Paul Kurtz, head of the recently formed Computer Security Industry Alliance, a corporate trade group, said the DHS was reluctant to participate in a cyber-security exercise sponsored by Dartmouth University, and did so only after pressure from the White House.