Homeland official spreads blame for delayed infrastructure reviews

The Homeland Security Department official in charge of protecting the nation's critical infrastructure told a joint House subcommittee hearing Wednesday that failure to meet a congressional mandate to assess infrastructure vulnerabilities is a shared responsibility.

"No, ma'am, it's not complete. But much of that is outside the control of [the department]," Robert Liscouski, assistant Homeland Security secretary for infrastructure protection, told Californian Zoe Lofgren, the ranking Democrat on the Homeland Security Subcommittee on Cybersecurity, Science, and Research and Development.

The department must develop a comprehensive way to assess infrastructure vulnerabilities. Liscouski highlighted numerous initiatives undertaken so far and said a national database of some 33,000 sites is growing every day. But he said assessments of the degree of risk to infrastructure change constantly based on threats, so developing the assessment list is a continuous process.

He added that much of the progress depends on the private sector, which reportedly owns about 80 percent of the nation's critical infrastructure, and on state and local authorities. In addition, other federal entities, including the Agriculture, Health and Human Services, and Transportation departments, are involved.

"This is a national problem," Liscouski said, adding later, "We're finding out the rising tide of [Homeland Security] doesn't float all boats."

Robert Dacey, director of information security at the General Accounting Office, said in prepared testimony that several challenges remain to the successful operation of industry-specific information sharing and analysis centers (ISACs), which exist to provide private-sector coordination on infrastructure protection.

Full committee ranking Democrat Jim Turner of Texas said the department has the mandate to ensure that vulnerabilities are assessed and that actions are taken to protect the infrastructures. "It seems to me you have the task of coming in here and telling us what it is going to take to get this done to do what Congress mandated," Turner said. He asked whether more resources are needed.

Liscouski said a recent comment that it would take five years to complete the assessments "was taken out of context" and that things should get done in a "reasonable amount of time." Liscouski also said the department would like to have a national scorecard on the status of each sector, but "the technology is not there yet."

Full committee Chairman Christopher Cox, R-Calif., asked whether legislation is needed to help accomplish department objectives with the ISACs. But Liscouski firmly resisted, arguing that the private sector, where he worked before joining the department, should drive the process. Liscouski also stopped short of suggesting that more resources are needed.

George Newstrom, Virginia technology secretary, testified that communications have "gotten exponentially better" since the department's establishment in March 2003.

Dave McCurdy, president of the Electronic Industries Alliance and executive director of the Internet Security Alliance, testified that the potential for improved coordination between the private sector and the department is unrealized.

Separately, Liscouski apologized for submitting late testimony and said responses to previous subcommittee questions are "a work in progress."