DHS Inspector General Finds Deficiencies in Department’s Cybersecurity Ops Coordination
The Department of Homeland Security inspector general found that a year after the department’s Office of Cybersecurity and Communications (CS&C) reorganized its internal structure, it “still faces challenges in sharing cyber threat information with other federal cyber operations centers.” CS&C, part of DHS’s National Protection and Programs Directorate (NPPD), reorganized in October 2012 to improve the National Cybersecurity and Communications Integration Center’s functionality, the DHS IG said in a report made public Monday. NCCIC has since enhanced partnerships with other federal cyberoperations centers to address specific incidents and increased interagency collaboration, the report said. The NCCIC also collaborated with the FBI and other public and private partners to release Joint Indicator Bulletins related to cyberthreats and conducted drills to improve cyberoperations centers’ capabilities and plans, the report said. But NPPD needs to address tech and workforce deficiencies -- issues NPPD told the IG it is working to improve (http://1.usa.gov/1a3ndpB).
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
NCCIC and other federal cyberoperations centers don’t currently have a common tool set to provide them all with shared situational awareness and enhanced incident management functionalities, the report said. NCCIC currently uses the U.S. Computer Emergency Readiness Team’s ticketing system to maintain cyberincident information. Although the US-CERT system does capture cyberincident information, it doesn’t link situational awareness alerts and bulletins that are associated to a specific incident, threat or vulnerability. The system may not then consistently track incidents across other NCCIC components and potentially makes NCCIC information less than comprehensive, the report said. Although federal cybercenters often share information among themselves, there’s no single “continuously updated, comprehensive picture of cyber threat and network status,” the report said. The IG recommended NPPD procure or develop technology that provides “enhanced incident management and analytical capabilities” that can allow improved linkage of cyberincident information. NPPD told the IG that CS&C is working through its Network Security Deployment division to release improved information sharing capabilities beginning in fiscal year 2014.
Federal cybercenters also don’t use a standard set of incident reporting categories, the report said. The Department of Defense uses a 10-category system, while DHS uses a seven-category system. DOD has identified where the two systems have corresponding incident categories, but the department also “acknowledges the need to establish common incident and event categories,” the report said. Many federal cybercenters are adopting the DOD system, while CS&C is working with the National Institute of Standards and Technology to revise its guidelines, the report said. The IG recommended NPPD collaborate with DOD and NIST to create a standard set of categories. Suzanne Spaulding, acting DHS undersecretary-NPPD, told the IG that DHS is working with the National Security Staff and the Office of Management and Budget to release new federal reporting guidelines soon and will continue to work with DOD to streamline information sharing between the two agencies.
NPPD also needs to raise staffing levels at the Office of Intelligence and Analysis (I&A) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to improve the NCCIC’s “operational capabilities,” the report said. I&A currently provides NCCIC with intelligence alert and analysis information on current and potential threats. I&A analysts are assigned to specific sectors but are currently able to provide coverage for only 14 hours a day, five days a week. ICS-CERT provides technical analysis and forensic investigations on vulnerabilities and threats involving industrial control systems, as well as situational awareness information to public and private sector partners. ICS-CERT is operational only 12 hours a day, five days a week. The IG recommended NPPD add staff to the ICS-CERT and work with I&A management to increase the number of analysts on its staff. Spaulding told the IG that ICS-CERT wants to add five additional full-time staffers in fiscal year 2014 and that I&A will “continue efforts to increase staffing."
NPPD suspended all training of its personnel in March because of sequestration, meaning NCCIC analysts “may not possess the full scope of skills necessary to perform their assigned incident response and mitigation duties,” the report said. Instead, NPPD staffers are relying on free training through the centralized DHS learning management system, attending local conferences and enrolling in training through the Federal Emergency Management Agency and other federal cybercenters, the report said. Only 10 of the 22 NCCIC analysts the IG randomly selected in its audit had received technical training between 2009 and 2013 because of a lack of training funds. Many analysts now rely more on personal and institutional knowledge to deal with cyberincidents, the report said. The IG recommended NPPD revise its training and exercise plan to include new qualifications and standards used in NCCIC’s revised “Concept of Operations.” Spaulding told the IG that NCCIC has begun expanding its training opportunities and will continue expanding as funding becomes available.
NPPD also needs to update its plan for continuity of operations to reflect the NCCIC realignment, the report said. The current NPPD plan contains an emergency plan that involves offices that no longer exist taking over specific functions in an emergency, meaning if NCCIC had to move to an alternate site, the NPPD plan “would not provide the specific guidance for sustaining performance” on cyber matters, the report said. The IG recommended NPPD revise its plan to reflect the current operational structure and finalize a draft from CS&C to ensure it also reflects that office’s current alignment. Spaulding told the IG it is set to review its plan in Q4.
The report’s assessment that DHS “doesn’t have its act together in terms of a coordinating role is like saying ‘we put together this giant bureaucracy without understanding what was going on and now it doesn’t do what we think it should do after the fact,'” said Allan Friedman, director of the Brookings Institution’s Center for Technology Innovation.