[ISN] DHS lags in cybersecurity, GAO says

From: InfoSec News (alerts@private)
Date: Thu Mar 22 2007 - 00:03:13 PST


By Alice Lipowicz
March 21, 2007

Although the Homeland Security Department has increased its attention to 
cybersecurity in the past six months, it still has not implemented 25 
recommendations that are needed to fulfill its cyber responsibilities, 
according to a new report [1] from the Government Accountability Office.

DHS in September 2006 named Greg Garcia assistant secretary of 
cybersecurity and telecommunications and has made progress on improving 
awareness and coordination since then, the report states.

But much work remains to be done on 25 recommendations related to 
assessing cyberthreats and vulnerabilities, providing warning of 
cyberattacks, improving information sharing and coordinating response 
and recovery following a cyberattack, including Internet recovery, the 
GAO said.

While DHS has made progress in addressing some of these recommendations 
much work remains to be done, the GAO said.

The report summarized progress in private-sector infrastructure 
protection, including cybersecurity, for the nations 17 sectors, among 
which are energy, financial services, food, information technology and 
water supply. All 17 sector coordinating councils delivered their sector 
protection plans to the federal government on schedule by December 2006, 
the GAO said, but the quality of the plans varied. Each of the 17 
sectors was supposed to include cybersecurity components in its plans.

The private sector participants reported challenges in the planning that 
include lack of effective relationships with DHS, reflecting a lack of 
trust; high employee turnover; and lack of understanding of 
infrastructure operations at DHS. Other critical challenges involve 
delays in obtaining guidance from the government and in receiving 
numerous changes in guidance on how to do infrastructure protection 
planning, the GAO report states.

Some private sector participants were fearful of sharing sensitive 
information on their vulnerabilities and weak spots to their sector 
coordinating councils because they worried the information might be 
released to the public or subject them to lawsuits, the report states.

Alice Lipowicz writes for Washington Technology, an 1105 Government 
Information Group publication.

[1] http://www.gao.gov/new.items/d07626t.pdf

Visit the InfoSec News Security Bookstore

This archive was generated by hypermail 2.1.3 : Thu Mar 22 2007 - 00:17:36 PST