The following text is copyright 2004 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.


Our tax dollars, almost at work


By Scott Bradner


About a year and a half ago the U.S. government released the "National Strategy to Protect Cyberspace." The strategy described in this report was mostly to get the Department of Homeland Security (DHS) to organize, support and communicate responses to and protection from attacks on the U.S. cyber technology infrastructure. Now the DHS Office of Inspector General has issued a report card on how DHS is doing so far. The report card paints a mixed, but on the whole not very good, picture of what DHS has done to date.


The cyberspace strategy was quite comprehensive. It described five priorities DHS should take into account when considering U.S. cybersecurity and recommended eight specific actions. The highest priority, according to the strategy, was the development of a national cyberspace security response system. The other priorities included the development of national cyberspace security programs for threat and vulnerability reduction and for awareness and training, the development of ways to secure government cyberspace, and the development of national and international cybersecurity cooperation. The eight actions listed in the strategy provide specific suggestions on ways to achieve these priorities.


The report card, entitled "Progress and Challenges in Securing the Nation's Cyberspace," notes that DHS has done a few cybersecurity things over the last year that were called for in the cyberspace strategy, but spends most of its time saying that DHS needs to do better.


DHS established a National Cyber Security Division (NCSD) about a year ago to be the focus of its cyber security efforts. NCSD then established the United States Computer Emergency Readiness Team (US-CERT). This site does have some useful information on it but, at least to me, seems to be largely redundant with the 15-year-old CERT Coordination Center (CERT/CC), run under federal contract by Carnegie Mellon University, when it comes to information about specific cybersecurity attacks and countermeasures. NCSD also established the National Cyber Alert System, a trio of mailing lists run by US-CERT. These lists, according to the report card, had very little traffic even though a quarter of a million people had subscribed to one or more of them. NCSD also participated in a communication and coordination exercise run by Dartmouth, hosted a National Cyber Security Summit and set up three federal government organizations dealing with US government cybersecurity. This level of achievement seems a bit low considering an annual budget of over $75 million for the cybersecurity activity.


The report card said that NCSD has yet to figure out how to prioritize its activities, set specific milestones for itself, figure out just how much money it will need to do its job, develop a strategic plan, define a way to measure its performance, develop a formal communications process within itself and with other organizations, or figure out how to provide formal guidance on cybersecurity issues to the DHS.


Cybersecurity is an ever more important issue in these troubled times. As one measure, the CERT has issued a couple of hundred Technical Cyber Alerts so far this year. I'm not sure that the most effective way to fight this problem is to create yet another government bureaucratic effort; I think that the government-funded CERT/CC has done quite well over the years and that private efforts such as Symantec's security response web site do an excellent job in the areas they cover. But, if there is to be a government effort, it would be nice if we got more for our tax dollars than we have to date from DHS.


disclaimer: Lots of our tax money pays for research at Harvard; I'm sure that it is all perfectly justified but I did not ask the University for its opinion.