Inspector General Criticizes Cybersecurity Efforts

US-CERT, the team in charge of protecting critical infrastructure against cyberattack, is hampered by inadequate staffing, authority and performance measures, a new report says.
The team in charge of protecting critical U.S. infrastructure against cyberattacks has been deemed inadequately prepared and staffed to do so by the U.S. Inspector General.

In a report released Wednesday, the federal watchdog agency said that the Department of Homeland Security's U.S. Computer Emergency Readiness Team's (US-CERT) does not have the authority to make federal agencies comply with its recommendations.

The team also is not "sufficiently staffed to perform its mission," according to the report, released Wednesday.

Moreover, US-CERT has yet to finalize performance measures, policies and procedures related to its cybersecurity efforts, making it difficult to assess the goals of its activity against results.

The federal government created US-CERT in 2003. US-CERT is in charge of a partnership between the federal government and private companies to defend critical infrastructure in the U.S. It is meant to analyze and reduce cyber threats and coordinate how federal agencies, private companies, local governments and other stakeholders in cyber security share information.

Locking down cybersecurity policies and efforts is a top priority for the Obama administration, and the DHS has been at the forefront, working closely with both public and private organizations as well as law enforcement.

But the Inspector General's report said the agency and the team it's put in place to lead cybersecurity still faces numerous challenges to securing critical U.S. infrastructure.

US-CERT is meant to make recommendations to federal agencies so they can better protect themselves against cyber attacks. However, the team has no authority to see that agencies actually carry out its recommendations.

The proposed Federal Information Security Management Act (FISMA) 2008 legislation would have given it some authority, but that was not passed, leaving US-CERT without any way to enforce its mission, according to the report.

Short staffing also is a critical problem, according to the report. The team was allowed to increase its ranks from 38 in 2008 to 98 in 2010, but only 45 positions are currently filled.

The report cites leadership turnover as one of the reasons the team has struggled to recruit and keep qualified staff. In the past five years, US-CERT has had four directors; the position currently remains unfilled since April. It also takes about nine to 12 months to clear applicants for work at US-CERT due to its rigorous security clearances, according to the report, which also is a staffing challenge.

There was some positive news to report. US-CERT is in the process of developing both a strategic plan and performance measures to help it do its job better, according to the report. The team also is developing about 80-90 standard operating procedures to provide more structure to its mission, which should also help it perform better.