While the Homeland Security Department has been charged with coordinating cyberspace security and recovery, GAO found that the initiatives so far lack authority, and the relationship between the initiatives is unclear.
David Powner, GAO's director of information technology management issues, told a Senate subcommittee, during a hearing timed to coincide with the release of the report, that it is unclear what government entity is in charge, what the government's role should be and when it should jump in. "Despite federal policy requiring DHS to develop this public-private plan, today no such plan exists," Powner said.
The hearing began badly for DHS. Oklahoma Republican Tom Coburn, the chairman of the Federal Financial Management, Government Information and International Security Subcommittee, refused to admit the testimony of department undersecretary for preparedness George Foresman. Coburn said the testimony was late.
"For the testimony to come in last night is unacceptable, and it will not be accepted," he said.
Coburn reprimanded Homeland Security for spending "millions of dollars over the past year," making little progress, releasing its national infrastructure protection plan three years late, and failing to hire an assistant secretary in charge of cyber security and Internet recovery.
"America expects DHS and the private sector to take every reasonable measure to protect us from terrorism. I am not convinced that threshold has been met," Powner said.
Foresman did not directly address Coburn's criticism, but he did say progress is being made and it does take time to build trust with the private-sector groups that own most of the Internet infrastructure. He said a working group was established and met last November.
"There are a lot of folks that say it's not where it should be, and I agree," Foresman said. "We know we must be prepared for the cyber version of a Hurricane Katrina or 9/11 [terrorist] attacks." He said he agrees with the GAO report on what needs to happen next.
GAO recommended establishing dates for revising the national response plan, establishing a timeline and priorities for efforts identified by the working group, and directing Congress to consider clarifying the legal framework guiding Internet recovery.
AT&T, ISS and Verisign were among the companies that testified. They said the government needs an early warning system for widespread Internet attacks, a clear line of command for a disaster and more investment in cyber security.
They also asked the government to hire a cyber-security czar, but Coburn said it is the patriotic duty of someone in industry to step forward and take the pay cut to do the government job.
"Any one of you want to volunteer for that position?" Coburn asked.