The Department of Homeland Security (DHS) has “a lot of work ahead” before it fully addresses its cybersecurity-related responsibilities, according to a recent report to Congress by the Government Accountability Office (GAO).

The report highlights the problems that DHS faces in fulfilling its responsibilities in protecting the cyber elements of the national critical infrastructure. For example, it has not developed national threat and vulnerability assessments, and it is having continued “difficulties in developing partnerships” with other agencies, state and local governments, and the private sector.

Another weakness noted by the GAO auditors is that DHS has no “government/industry contingency recovery plans for cybersecurity, including a plan for recovering key Internet functions” in the event of a major disruption.

The GAO does note DHS’s qualified successes. For example, its National Cyber Security Division (NCSD) is “a national focal point for addressing cybersecurity issues” that has “taken steps to develop partnerships and information-sharing mechanisms” with groups such as ISACs. Unfortunately, sharing information with the private sector is hampered by a lack of security clearances by private-sector partners and by the fear of “what information DHS would share with other federal agencies.”

Even worse, some partners described the erosion of the sharing process. One ISAC official noted that when his organization contacted DHS about a rumor of a dirty bomb being used at a national event, “ISAC officials were told to obtain the information from the media.”

The report concludes by pointing out that many of the recommendations GAO has made before—such as developing a strategic analysis and warning capability—remain undone or incomplete. A DHS official who responded to the report did not concur with most of the GAO’s recommendations, stating that many initiatives to solve these problems are already underway.

gao05434_dhs0905_1.pdf