JUNE 16, 2010
U.S. Hampered in Fighting Cyber Attacks, Report Says
By SIOBHAN GORMAN
WASHINGTON--The U.S. government's ability to counter cyber attacks against its nonmilitary computer systems is largely ineffective, according to a report from an internal watchdog to be released Wednesday.
The Homeland Security Department branch that monitors cyber attacks can't force other agencies to protect their systems, is woefully understaffed and its ability to manage responses to cyber attacks has been hindered by constant turnover, said the department's inspector general.
The department's U.S. Computer Emergency Readiness Team, known as US-CERT, also withheld data from other federal agencies that could have helped them address security breaches, the report found.
The team "is still hindered in its ability to provide an effective analysis and warning program for the federal government in a number of ways," according to congressional testimony outlining the report from Inspector General Richard Skinner. The remarks, prepared for a hearing Wednesday, were reviewed by The Wall Street Journal.
Homeland Security spokeswoman Amy Kudwa said the Obama administration has given "unprecedented" attention to cybersecurity matters at the department. Homeland Security is on a cyber hiring binge, she said, with plans to hire 260 cybersecurity specialists by the end of the year across the department, including new employees at US-CERT.
"We have built a world-class cybersecurity leadership team," she added. "US-CERT provides a single, accountable focal point" within the federal government to "secure the federal executive branch civilian networks."
The department's implementation of its flagship cybersecurity program, dubbed Einstein, has been particularly rocky, Mr. Skinner found.
Einstein is supposed to identify possible intrusions into government computer systems and provide agencies information to repair the security breach. But it and other tools aren't collecting information fast enough to protect government systems.
"US-CERT is unable to monitor federal cyberspace in real time," according Mr. Skinner's prepared remarks. "As a result, US-CERT will continue to be challenged in protecting the federal cyberspace from security-related threats."
Einstein isn't yet deployed to all nonmilitary agencies, giving Homeland Security an incomplete picture of threats to government networks.
Several federal agencies told Mr. Skinner that Homeland Security isn't sharing data from Einstein with them, preventing them from identifying potential threats to their computer networks. These agencies, which Mr. Skinner doesn't name, also said that they haven't received sufficient training on how the Einstein program works.
A newer version of the Einstein program, which is currently being tested on a limited basis, should detect threats faster and provide the ability to block attacks, Mr. Skinner found. But it isn't clear when the upgraded version will be fully developed and deployed, especially when many agencies still lack the earlier version of the program because their systems aren't ready to install it.
Meanwhile, US-CERT is working at half-strength-having filled only 45 of 98 available positions, Mr. Skinner found. The team "does not have sufficient staff to perform its 24x7 operations," Mr. Skinner found. Contractors are used to compensate for staff shortages. Ms. Kudwa said Homeland Security has now filled 55 of those positions and is working to fill 25 more.
Mr. Skinner does credit the department with making some progress in addressing cyber threats by establishing working groups with private industry and issuing bulletins and reports on emerging threats.
House Homeland Security committee Chairman Bennie Thompson, who will question Mr. Skinner on his findings at a hearing Wednesday, said the report underscores major deficiencies at the department.
"It does not have sufficient staff to analyze security information," the Mississippi Democrat said. "It has not developed leadership consistency because US-CERT has had four directors in five years. Given these administrative failings, it should come as no surprise that day-to-day operations may suffer."
Some former federal cybersecurity officials said, however, that the department's handling of cyber threats is actually worse than Mr. Skinner's report suggests.
"US-CERT is buried deep within [Homeland Security] with no authorities, period," said a former U.S. cybersecurity official. "Anything buried that deep within an organization is just riddled with politics."
Mr. Skinner's report "only said 50% of what was wrong," the former official added. "It's just a shame that it's in that bad a shambles."
Write to Siobhan Gorman at siobhan.gorman@wsj.com