U.S.-CERT Needs Enforcement Authority
DHS IG: Bigger Staff Needed to Perform Its Infosec Mission
By Richard L. Skinner
Inspector General, Department of Homeland Security
Notwithstanding its many accomplishments over the past several years, the U.S. Computer Emergency Readiness Team is still hindered in its ability to provide an effective analysis and warning program for the federal government in a number of ways.
Specifically, U.S.-CERT does not have the appropriate enforcement authority to help mitigate security incidents; it is not sufficiently staffed to perform its mission; and it has not finalized and approved its performance measures and policies and procedures related to cybersecurity efforts.
U.S.-CERT does not have the appropriate enforcement authority to ensure that agencies comply with mitigation guidance concerning threats and vulnerabilities. It needs the authority to enforce its recommendations so that federal agencies' systems and networks are protected from potential cyber threats. Without this authority, U.S.-CERT is limited in its ability to effectively mitigate ever-evolving security threats and vulnerabilities, because it was never given the authority to compel agencies to implement its recommendations and ensure that system vulnerabilities and incidents are remediated in a timely manner.
U.S.-CERT's notices contain recommendations that address the threats and vulnerabilities in federal agencies' infrastructures. Additionally, U.S.-CERT products help to update federal information security policy and guidance. However, without the enforcement authority to implement recommendations, U.S.-CERT continues to be hindered in coordinating the protection of federal cyberspace.
Additional Staffing Could Help Meet Mission
U.S.-CERT does not have sufficient staff to perform its 24x7 operations or to analyze security information in a timely manner. U.S.-CERT is charged with providing response support and defense against cyber attacks for the federal civil executive branch, known as .gov, and with information sharing and collaboration with state and local government, industry and international partners. Without sufficient staffing, U.S.-CERT cannot completely fulfill its responsibilities to analyze data and reports to reduce cyber threats and vulnerabilities, or to support the public and private sectors.
Although U.S.-CERT's authorized positions were increased from 38 in 2008 to 98 in 2010, as of January 2010 only 45 positions were filled. In October 2009, the DHS secretary announced that cybersecurity is an urgent priority for the nation and that the department would hire additional cyber analysts, developers and engineers to ensure that crucial computer networks are not vulnerable to possible cyber attacks. Currently, U.S.-CERT offsets its staffing shortfalls with contractor support.
U.S.-CERT has not developed a strategic plan to formalize goals, objectives and milestones. Specifically, U.S.-CERT has not identified or prioritized key activities for the division to monitor its progress in accomplishing its mission and goals. Without a strategic plan and performance measures, U.S.-CERT may have difficulty in achieving its goal to provide response support and defense against potential cyber attacks for the federal government.
According to program officials, U.S.-CERT is developing a strategic plan and revising its performance measures to align with that plan. The strategic plan should describe how U.S.-CERT will perform its critical role by identifying and aligning goals, objectives and milestones through a variety of means and strategies. It should also contain performance measures tied to specific programs, initiatives, products and outcomes. As the sophistication and effectiveness of cyber attacks have been steadily advancing in recent years, a strategic plan can help U.S.-CERT ensure that critical milestones and goals are accomplished in a timely manner. A strategic plan and performance measures will aid U.S.-CERT in evaluating its progress toward building an effective organization capable of mitigating long-term cyber threats and vulnerabilities, and will improve program operations by promoting the appropriate application of information resources.
Policies and Procedures Have Not Been Approved
U.S.-CERT has not approved its policies and procedures to ensure that management and operational controls are implemented to defend against, analyze and respond to cyber attacks. Without the approved policies and procedures, U.S.-CERT may be hindered in its ability to respond to security incidents effectively and promote continuity of operations and consistency.
Leadership and staff turnover and a continually evolving mission have hindered U.S.-CERT's past efforts to update its standard operating procedures. Under the prior director, U.S.-CERT outsourced the function of maintaining and updating procedures to off-site contractors. The process of updating the procedures was discontinued once the director departed. U.S.-CERT officials determined that the outsourced procedures did not fully address the mission or the day-to-day activities that cyber analysts encounter. According to the officials, off-site outsourcing was not the best method for updating these policies and procedures, since U.S.-CERT personnel have a better understanding of the mission. After internal reassessment, U.S.-CERT officials decided to use on-site contractor support to develop more concise and direct standard operating procedures.
U.S.-CERT is in the process of developing approximately 80 to 90 standard operating procedures for its four sections, covering various areas of activity such as network and targeted analyses, malware submission handling and signature template development. The goal is to have a structure that maps to functions, roles, the organization and the mission. U.S.-CERT is attempting to make the procedures understandable and practical, with contents based on analysts' experiences.
Recommendations
We recommend that the undersecretary of National Protection and Programs Directorate require the director of National Cybersecurity Division to:
- Establish specific outcome-based performance measures and a strategic plan to ensure that U.S.-CERT can achieve its mission, objectives and milestones.
- Approve policies and procedures to ensure that U.S.-CERT can effectively detect, process and mitigate incidents as well as perform its roles and responsibilities in a consistent manner.
- Improve communications with federal agency CIOs and CISOs to address their concerns, to identify areas of improvement about the program and to enhance U.S.-CERT's ability to combat cybersecurity challenges.
- Establish a consolidated, multiple classification level portal that can be accessed by the federal partners that includes real-time incident response related information and reports.
In part 2, Skinner addresses the problems U.S.-CERT confronts in sharing information with agencies from the Einstein intrusion detection and prevention systems.