Regardless of the nomenclature, if you want to be able to use "The Google," it's very important that we keep all of the tubes on the Internet clean.
Back to the GAO's national information security findings. In a nutshell, the GAO found a number of challenges faced by the U.S. Computer Emergency Readiness Team in its charter to help secure the national IT infrastructure. (I'm sorry, but I just can't use the term "cyberspace" or "cybersecurity" -- simply makes the discipline sound silly).
The fascinating point I gleaned from the report is the number of new shortcomings the GAO proffered, compared with those they previously recommended. First, there is only one new challenge, straight from the GAO's report:
The newly identified challenge is creating warnings that are actionable and timely -- US-CERT does not consistently issue warnings and other notifications that its customers find useful.
I've always appreciated US-CERT's warnings as thorough and having no ax to grind, like many security vendors seem to have. My beef with US-CERT's warnings is that, at least the public one's I'm privy to, seem so late.
Here's the long list of shortcomings the GAO has previously informed all branches of our government that still remain unfixed:
• employing predictive cyber analysis -- the organization has not established the ability to determine broader implications from ongoing network activity, predict or protect against future threats, or identify emerging attack methods;
• developing more trusted relationships to encourage information sharing -- federal and nonfederal entities are reluctant to share information because US-CERT and these parties have yet to develop close working and trusted relationships that would allow the free flow of information;
• having sufficient analytical and technical capabilities -- the organization has difficulty hiring and retaining adequately trained staff and acquiring supporting technology tools to handle a steadily increasing workload; and
• operating without organizational stability and leadership within DHS -- the department has not provided the sustained leadership to make cyber analysis and warning a priority. This is due in part to frequent turnover in key management positions that currently also remain vacant. In addition, US-CERT's role as the central provider of cyber analysis and warning may be diminished by the creation of a new DHS center at a higher organizational level.
Until DHS addresses these challenges and fully incorporates all key attributes into its capabilities, it will not have the full complement of cyber analysis and warning capabilities essential to effectively performing its national mission.
Accordingly, we are making 10 recommendations to the Secretary of Homeland Security to improve DHS's cyber analysis and warning capabilities by implementing key cyber analysis and warning attributes and addressing the challenges, including:
• developing close working and more trusted relationships with federal and nonfederal entities that would allow the free flow of information,
• expeditiously hiring sufficiently trained staff and acquiring supporting technology tools to handle the steadily increasing workload,
• ensuring consistent notifications that are actionable and timely,
• filling key management positions to provide organizational stability and leadership, and
• ensuring that there are distinct and transparent lines of authority and responsibility assigned to DHS organizations with cybersecurity roles and responsibilities. In written comments
What I find frustrating is that most of this stuff was heavily discussed and debated toward the end of 2002 and throughout 2003. The good news is that the GAO only found one new shortcoming. So while the situation isn't improving, it isn't getting much worse, either. That's one way we can look at it. Right?
To be clear: I'm not casting blame on US-CERT, because I'm not sure if these failings are not being rectified because of lack of DHS leadership, lack of budget from Congress, or lack of organizational will within the US-CERT -- or a blend of all of those reasons.
I do know what needs to get done isn't getting done.