GAO-05-434 Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities

To view the full product, including the scope and methodology, click on the link above. For more information, contact David Powner at (202) 512-9286 or [email protected]. As the focal point for critical infrastructure protection (CIP), the Department of Homeland Security (DHS) has many cybersecurity-related roles and responsibilities that we identified in law and policy (see table below for 13 key responsibilities). DHS established the National Cyber Security Division to take the lead in addressing the cybersecurity of critical infrastructures. While DHS has initiated multiple efforts to fulfill its responsibilities, it has not fully addressed any of the 13 responsibilities, and much work remains ahead. For example, the department established the United States Computer Emergency Readiness Team as a public/private partnership to make cybersecurity a coordinated national effort, and it established forums to build greater trust and information sharing among federal officials with information security responsibilities and law enforcement entities. However, DHS has not yet developed national cyber threat and vulnerability assessments or government/industry contingency recovery plans for cybersecurity, including a plan for recovering key Internet functions. DHS faces a number of challenges that have impeded its ability to fulfill its cyber CIP responsibilities. These key challenges include achieving organizational stability, gaining organizational authority, overcoming hiring and contracting issues, increasing awareness about cybersecurity roles and capabilities, establishing effective partnerships with stakeholders, achieving two-way information sharing with these stakeholders, and demonstrating the value DHS can provide. In its strategic plan for cybersecurity, DHS identifies steps that can begin to address the challenges. However, until it confronts and resolves these underlying challenges and implements its plans, DHS will have difficulty achieving significant results in strengthening the cybersecurity of our critical infrastructures. • Develop a national plan for critical infrastructure protection, including cybersecurity. • Develop partnerships and coordinate with other federal agencies, state and local governments, and the private sector. • Improve and enhance public/private information sharing involving cyber attacks, threats, and vulnerabilities. • Develop and enhance national cyber analysis and warning capabilities. • Provide and coordinate incident response and recovery planning efforts. • Identify and assess cyber threats and vulnerabilities. • Support efforts to reduce cyber threats and vulnerabilities. • Promote and support research and development efforts to strengthen cyberspace security. • Promote awareness and outreach. • Foster training and certification. • Enhance federal, state, and local government cybersecurity. • Strengthen international cyberspace security. • Integrate cybersecurity with national security. Source: GAO analysis …