Report shows holes in cybersecurity plan

Study gives mixed picture of the Homeland Security Department's implementation of the national cybersecurity strategy.

A report sent to a House oversight committee last month details the Homeland Security Department's progress in implementing the national cybersecurity strategy issued early last year.

The 35-page report, sent in reply to a request by the House Homeland Security Committee for a detailed account of the strategy's implementation, shows both progress and remaining work. There has been no formal progress report from the Bush administration since the strategy's release in January 2003.

The report also breaks down the fiscal 2005 funding request for each item. The department's National Cyber Security Division is leading the implementation.

The report shows that an assessment of vulnerabilities to critical infrastructures long sought by Congress is targeted for 2005, with a process for assessing Internet weaknesses due later this year.

Perhaps the most touted accomplishment in the report is the establishment of a public-private structure for responding to national-level cyber incidents by designating the U.S. Computer Emergency Readiness Team (US-CERT) as the department's cybersecurity operational body. US-CERT, a long-respected operation at Carnegie-Mellon University, launched a national cyber-alert system in January.

US-CERT now includes the former Federal Computer Incident Response Center (FedCIRC) transferred to Homeland Security from the General Services Administration. This summer, it is launching a private-public partnership involving the panorama of stakeholders in the critical infrastructure community, and this year the center will update various aspects of a "partner portal," a secure Web site for coordination and information sharing.

Work remains on an "ambitious and necessary" mandate in the strategy to develop a round-the-clock cyber-response center, the department said. "There exist a number of active and planned projects within the [cybersecurity division] to locate and combine the correct mix of people, processes and technology needed to create this capability," the report said. For instance, a new "watch center" combining various functions is being built for early next year.

The department is expanding the Critical Infrastructure Warning Information Network (CWIN), a private communications network for voice and data with no dependence on the Internet or public network. CWIN terminals have been installed in key government and industry network centers and in a United Kingdom facility. Other extensions are underway in the project, for which $12.8 million is requested for fiscal 2005.

The Cyber Interagency Incident Management Group, created to coordinate intra-governmental preparedness and response operations, was created after the Livewire simulated terrorist attack exercise in October 2003. A compromise amendment to the Homeland Security appropriations bill on the Senate floor this week would move more funding within the cybersecurity division's budget to cyber exercises, increasing that item from $1.85 million to $3.5 million, according to an administration official.

The report describes a number of active exercises nationwide.

The report also identifies issues related to: overcoming private-sector reluctance to share proprietary information with the government, authenticating electronic transactions, improving the security of government work "outsourced" to the private sector, securing wireless networks, improving state and local information sharing and analysis centers, and enhancing the ability to identify sources of cyber attacks.