The unreadiness team

Sunday, June 20, 2010

THE REPORT is chilling. Optimistically titled "U.S. Computer Emergency Readiness Team Makes Progress in Securing Cyberspace, but Challenges Remain," it paints a disturbing picture of a national security disaster waiting to happen. The U.S. Computer Emergency Readiness Team, or CERT, established in 2003 to coordinate national cyber-defense efforts, is an arm of the Department of Homeland Security (DHS) tasked with "analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating cyber incident response activities." But this vast responsibility has come with little and confusing authority.

The report released last week by the DHS inspector general reveals an institution that is floundering. CERT is understaffed, with no capacity to do anything other than process data for anomalies and react to breaches after the fact with fixes it has no authority to enforce. Among the report's findings: Of the 98 positions authorized for the emergency readiness team, only 45 are filled, forcing it to rely on outside contractors to perform even basic functions such as updating operating procedures.

After seven years, CERT still lacks a strategic plan, goals or any performance measures to assess its progress. Making its role as the nation's ostensible first line of cyber defense still more difficult is the fact that it has no authority to ensure that any of its safety recommendations are implemented, even by the other federal agencies it is charged with protecting. Many partner agencies reported not receiving any instructions for CERT's primary monitoring software, making it difficult for them to access information about threats.

Implementing the recommendations of the report -- as CERT has already begun to do with six of the seven outlined suggestions -- marks a good start, but challenges remain. A broken hiring process whose onerous suitability requirements keep new employees from starting work for as long as 12 months -- even if they already have top-secret clearance -- is stretching an already thin force to its breaking point, forcing employees to shoulder tasks for which they were not hired. And there is a significant lag time in detecting and responding to threats that a recently acquired software tool will not be able to close for a projected six months.

But even if CERT becomes ideally efficient, it cannot solve the cyber-security crisis on its own. The overwhelming majority of the networks that comprise the nation's cyber infrastructure are privately owned, making public-private partnership for the research and development of better response strategies the key to keeping ahead of online threats. This must become the focus of national cyber-security policy.

© 2010 The Washington Post Company