WASHINGTON -- The U.S. Department of Homeland Security needs to develop a recovery plan for widespread attack on the Internet, and it needs stable leadership in cybersecurity, a government investigator told a U.S. Senate subcommittee today.
While DHS can track Internet threats, it doesn't have an Internet recovery plan or a national cybersecurity threat assessment, David Powner, director of IT management in U.S. Government Accountability Office, told a subcommittee of the Senate Homeland Security and Governmental Affairs Committee. DHS is making progress but more work needs to be done, he said.
"Until DHS addresses its many challenges ... it cannot function as a cybersecurity focal point for coordinating federal law and policy," Powner added. "The result is an increased risk, and large portions of our critical infrastructure are unprepared to effectively handle a cybersecurity attack."
Senators echoed Powner's criticisms, first outlined in a GAO report released in May. "The United States does not currently have a robust ability to detect a coordinated attack on our critical infrastructure, nor does it have a measurable recovery and reconstitution plan for key mechanisms of the Internet and telecommunications system," said Senator Tom Coburn, an Oklahoma Republican and chairman of the Federal Financial Management, Government Information and International Security Subcommittee.
DHS is working hard to improve the nation's cybersecurity efforts, said Andy Purdy, acting director of the DHS National Cyber Security Division. Purdy outlined several efforts underway at DHS. A draft of a national infrastructure vulnerability assessment, including a cybersecurity assessment, should be completed within a couple of months, and the DHS Internet Disruption Working Group is working on a plan for Internet recovery after a major attack, he said.
The cyber division is also supporting efforts to push IPv6, a more secure version of the current Internet Protocol, Purdy said. The division is encouraging software vendors to create more secure products, and it plans to renew efforts to work with other agencies and private companies to identify the most significant cyberattack possibilities, he said.
Purdy also noted that DHS Secretary Michael Chertoff announced last week he would create a new position, an assistant secretary for cyber and telecommunications security. Purdy told senators that a new high-level cybersecurity leader should end high turnover in the cyber division's leadership, and the new assistant secretary will "accelerate" cybersecurity efforts.
"We believe [the GAO report] has provided a fair assessment of the progress to date and agree that while considerable work has been done, much work remains to meet the challenges in this rapidly changing area," Purdy said.
Physical Security Comes First?
Senator Thomas Carper, a Delaware Democrat, repeated long-time complaints that cybersecurity issues have taken a back seat to physical security issues at DHS. "The importance of cybersecurity is often times overlooked in the discussion of homeland security," Carper said. "Cybersecurity plays an important role in the protection of our critical infrastructure."
An attack on cyber infrastructure combined with an attack on physical infrastructure like a railroad could cripple emergency response, Carper said. Senators also raised concerns about the possibility of attacks on Internet-based controls for utilities such as waste management plants or the electric grid.
Powner listed a number of criticisms of the DHS cyber efforts, including what GAO sees as a difficulty to develop relationships with other federal agencies, with state and local governments, and with private industry. DHS also has no generally accepted methodologies for analyzing Internet attacks, and it has not fully developed a plan to respond to such attacks on utility control systems, Powner said.