The Department of Homeland Security's efforts to battle computer-network and Internet attacks by hackers and other cyber-criminals suffer from a lack of coordination, poor communication and a failure to set priorities, according to an internal report released yesterday.
The report, by the department's inspector general, said the shortcomings of the National Cyber Security Division leave the country vulnerable to more than mere inconvenience to businesses and consumers.
The division "must address these issues to reduce the risk that the critical infrastructure may fail due to cyber attacks," the report said. "The resulting widespread disruption of essential services after a cyber attack could delay the notification of emergency services, damage our economy and put public safety at risk."
Among the report's recommendations is that the division develop a process for overseeing efforts of federal, state and local governments to better protect their systems.
The report cited progress in some areas since the division was formed in June 2003 as part of the federal reorganization that created the DHS. It praised the creation of a cyber-security coordination center called US-CERT, and an alert system that includes a Web site and automated notification to tech-security professionals of security threats making their way through cyberspace.
But the report comes at a time of heightened frustration among technology company executives and members of Congress that cyber-security is not getting enough attention and is poorly understood by some senior department officials. The issue is not just the possibility of a broad cyber-terrorist attack, those people say, but the daily attacks that are costing U.S. businesses and computer users hundreds of millions of dollars a year and countless hours of lost productivity.
"If we are at war, as Bush and [Homeland Security Secretary Tom] Ridge say we are . . . based on this report, we are clearly not on a war footing on cyber-security, or in DHS," said F. William Conner, chief executive of Entrust Inc., a Texas cyber-security company. "I read about the progress, but they've got the wrong measuring stick. Progress has to be measured against external risk."
Especially irksome to some executives and security experts is that the department has not adopted some of the practices they argue that government agencies, companies and organizations should employ to reduce the risk of cyber-attacks.
"The department as a whole isn't leading by example," said Alan Paller, head of the SANS Institute in Bethesda, a computer security research group. Paller, who praises some of the cyber division's work, said the department should take the lead in using its buying power to demand that software vendors make their products more secure. Paller said the agency is not doing so.
Paul Kurtz, head of the recently formed Computer Security Industry Alliance, a corporate trade group, said the DHS was reluctant to participate in a cyber-security exercise sponsored by Dartmouth University, and did so only after pressure from the White House.
Kurtz added that follow-through has been poor on the government's highly touted public-private partnership with industry to address security issues. That effort was part of a White House directive on cyberspace that mandated tighter controls for federal agencies but called for a voluntary plan for the private sector. After a meeting late last year, the partnership yielded five major reports and dozens of recommendations, but little in the way of further action.
"Not enough is happening" even to fulfill the Bush directive, said Rep. Zoe Lofgren (D-Calif.), who represents Silicon Valley.
To try to increase attention on cyber-security, several industry groups are supporting a bill co-sponsored by Lofgren and Rep. William M. "Mac" Thornberry (R-Tex.) that would elevate the director of the cyber division, currently Amit Yoran, to assistant secretary with more direct access to top DHS officials.
But Robert P. Liscouski, assistant secretary for information analysis and infrastructure protection, who oversees the Cyber Security Division, said the notion of separating attention on cyber-threats from overall infrastructure protection would be bad policy.
"Cyber . . . is a very key priority for us," said Liscouski, a former police officer and Coca-Cola Co. security executive. But elevating it to special status "is a step back," he said, arguing that physical and cyber-security are closely connected.
Thornberry said that philosophy is "kind of a dumbing down of our cyber-security efforts. Cyber has some unique features."
Liscouski said he also has to focus on where the greatest threat lies and that overall he thinks the division is making progress.
"The fact that I'm not on the bully pulpit is more a reflection of where our threat is," he said, referring to the tech industry's desire that the Homeland Security Department take a lead role in pushing companies to make cyber-security a top priority. "The dominant threat has been a physical threat."
He acknowledged the department's initial reluctance to participate in the Dartmouth exercise because the division was still organizing itself and might not have been able to "engage in a meaningful way." But he said it was highly valuable in the end.
Industry executives say that if, as the administration has said, it wants to rely on their expertise to help formulate cyber-security policy, it should heed their advice now.
Harris N. Miller, head of the Information Technology Association of America, said his group "continues to be concerned that DHS does not have adequate resources devoted to cyber-security and that the cyber-security head does not have adequate visibility within the bureaucracy. Improvements are coming, but slowly. The question is whether the nation can afford to wait."