Cometh another Congressional hearing on the Department of Homeland Security–DHS–and its ability to lock down the entire nation’s cyber infrastructure. Cometh more finger pointing. The Government Accountability Office–GAO–released a report on DHS’ uphill battle for cybersecurity. With no ostensible end to this job, it’s easy to tell Sisyphus to push harder.
“DHS is unique among federal civilian agencies in that it is responsible for improving and promoting the cybersecurity of not only its own internal computer systems and networks, but also those of other Federal agencies and the private-sector owners and operators of critical infrastructure,” the GAO report states.
DHS is forever tasked with getting this boulder up the hill, with everyone else on its back. It’s a task of mythical proportions. But where do the nation’s cyber efforts need the biggest shove?
Since 2016, GAO has provided 29 recommendations to DHS specifically related to cybersecurity risk. Among those, eight of nine recommendations for the National Cybersecurity Protection System–NCPS–are yet to be fully implemented.
NCPS capabilities represent DHS’ toolkit for intrusion detection and prevention, content filtering, analytics, and information sharing. The capabilities are known operationally as EINSTEIN. No genius needed here. One for nine could be improved.
GAO noted that the Continuous Diagnostics and Mitigation Program–CDM–is also behind schedule for several agencies. DHS is authorized to help pay for the initial costs, but agency adoption isn’t on track, particularly in the area of fully functioning agency dashboards.
GAO also says better effort is needed on the workforce front. With a known skills gap in cyber, DHS could be doing a better job articulating its need. GAO notes the agency “had not identified all of its cybersecurity positions and critical skill requirements.”
It’s not all doom and gloom for DHS. GAO lauded the agency on “important progress” in key areas of cybersecurity risk management. Those include:
- Providing limited intrusion detection and prevention capabilities to Federal entities
- Issuing binding operational directives to agencies regarding cybersecurity
- Serving as the Federal-civilian interface for information-sharing between public and private sectors
- Promoting the use of the NIST Cybersecurity Framework to agencies and industry
GAO pointed to the broad authorities the Congress has granted DHS to promote cybersecurity. That said, with legions assailing government networks, Kirstjen Nielsen, Paul Beckman, and Kevin Cox face an uphill path ahead.