DHS Urged To Bolster Cyber Infrastructure Security

Inside DHS' Classified Cyber-Coordination Headquarters

The Department of Homeland Security (DHS) is not appropriately handling its task to ensure that U.S. critical infrastructure will be resilient in the event of a disaster, according to the federal government's watchdog agency.

The DHS is in charge of cybersecurity for the critical infrastructure that powers networks of nationwide importance, such as power grids and telecommunications networks. These networks are largely owned by private operators, which the DHS is working closely with on disaster-recovery strategies.

While the agency is working to bridge the gap between the public and private sector to secure U.S. critical infrastructure, it could be doing more, according to a new report by the Government Accountability Office (GAO).

The DHS has been assessing network vulnerability onsite at critical infrastructure and key resources (CIKS) facilities, work that includes evaluating how network owners and operators are addressing resiliency gaps.

To do this, the agency operates a Protective Security Advisor Program (PSAP), which deploys security specialists, or Protective Security Advisors (PSAs), to help infrastructure owners and to act as mediators between them and the DHS and other government agencies at the federal, state and local levels.

Some of the problem the DHS has is in its management of these PSAs, according to the GAO. While the DHS has trained PSAs on the resiliency topics they should identify and help network owners and operators implement, it has not appropriately trained them to articulate their role with regard to resiliency issues, or to promote strategies and practices to those who own and operate critical infrastructure, according to the GAO.

Moreover, the GAO report suggests that the DHS's role as liaison to the private sector for this task, as well as the way the partnership is set up, may be too unwieldy for the agency to manage.

The DHS is struggling with how to share its recommendations on resiliency with network owners and operators because of the voluntary nature of the work, according to the report. While the DHS is responsible for securing critical infrastructure, it is not able to identify or promote practices that could be construed as standards to the operators of that infrastructure.

The DHS also faces challenges in coming up with resiliency strategies for the diversity of the networks it's trying to protect, according to the GAO.

To streamline its task to ensure critical infrastructure is resilient in the event of a disaster, the GAO is recommending the DHS develop resiliency performance measures and update its guidelines for the PSAs that work with network owners and operators.

The agency also should consider developing a better approach to disseminating resiliency information and recommendations.

The DHS said it is taking action to implement the first two recommendations but still considering what action, if any, to take on the third.