[ISN] DHS responds to criticism of database on vulnerable infrastructure

From: InfoSec News (alerts@private)
Date: Wed Jul 19 2006 - 22:30:25 PDT


By Chris Strohm
July 19, 2006 

A top Homeland Security Department official lashed out in frustration 
Tuesday at critics who say the department is failing to make good 
judgments when it comes to risks and threats facing the country.

The department has come under heavy criticism recently -- and become the 
butt of jokes by late-night comedians -- due to its decision in May to cut 
urban antiterror funding to major metropolitan areas and an inspector 
general's report last week that found a national database of vulnerable 
targets rife with locations that pose no security risk.

The IG cited more than 32,000 assets out of about 72,000 in the database 
that "are not nationally significant," including a Mule Day Parade in 
Columbia, Tenn.; an Old MacDonald's Petting Zoo in Woodville, Ala.; an 
Amish popcorn factory in Berne, Ind.; a bean festival in Mountain View, 
Ark.; and the Kangaroo Conservation Center in Dawsonville, Ga.

Robert Stephan, the department's assistant secretary for infrastructure 
protection, told reporters that the inspector general "ignored" the facts 
and came to conclusions that are "fundamentally false."

"This is just a ridiculous thing that happened," he said.

Stephan, speaking at an event billed as a briefing on a recently released 
National Infrastructure Protection Plan, defended the asset database the 
plan relied on, but acknowledged that the department now faces a serious 
public perception problem.

Senate Democrats scolded the department last week by including a provision 
in the fiscal 2007 Homeland Security appropriations bill that requires it 
to comply with the inspector general's recommendations for overhauling the 

The amendment, offered by Sen. Barbara Boxer, D-Calif., would prohibit the 
department from spending preparedness funds on administrative and 
management employee travel until the recommendations are implemented or 
officials explain to Congress why they were not.

"The Inspector General's report outlines a case of gross mismanagement 
within the Department of Homeland Security," Boxer said. "There is no 
excuse for including sites facing no significant threat at a time when the 
Department of Homeland Security is downgrading its risk assessment for San 
Diego, Sacramento and other high-risk locations."

Attempting to set the record straight, Stephan said neither he nor key 
members of his management team were interviewed for the IG's report. He 
said low-level members of his staff were initially interviewed, but none 
of their input showed up in the report.

"The lower level provided feedback that was ignored by the IG," he said, 
adding that the inspector general never came back for additional 

Stephan did acknowledge that the database contains locations and assets 
that are not at risk, but he said that information is raw data provided by 
state and local governments.

He asserted the department does not include no-risk assets in making 
decisions about priorities or how to spend money and distribute grants. 
"No single raw data point . . . has any relevance to anything," he said.

He said those decisions are made after evaluating targets based on threat, 
vulnerability and the consequence of an attack.

Stephan added that the department's National Infrastructure Protection 
Plan identifies critical infrastructure for 17 sectors, and how the 
federal government will work with state and local governments and the 
private sector to protect those assets.

"We now have a playbook, commonly agreed to in an organized manner," he 
said. "This is a way out of the wilderness."

The private sector, however, is not required to comply with the plan.

© 2006 by National Journal Group Inc. All rights reserved.

