The U.S. General Accounting Office issued a report this month which evaluates the Department of Homeland Security's efforts on cybersecurity. If they had to grade the DHS, it would be "incomplete" -- the GAO's key message is that DHS has started work in a number of areas, but hasn't fully addressed any of them.
It really is a mixed bag -- the report does acknowledge several areas where promising work has begun. It identifies what it thinks are the underlying issues, among them:
- lack of "organizational stability" at the DHS;
- inability to set priorites for any of its efforts, particularly for fixing internal DHS issues;
- poor information sharing, even within the programs specifically designed to share information.
The DHS got a chance to respond to the report, and their response is appended and predictable. They basically said "we agree that everyone should take cybersecurity more seriously and the other stakeholders should get more involved (i.e. pass the buck), but we disagree that we haven't set priorites for fixing our internal problems and that we don't have measurable milestones in place." To which the GAO responded: "You guys haven't even come forth with anything other than a vague plan for how you're addressing the last set of issues we raised with you, and you've presented no evidence to us that you are making any progress, other than saying 'that's in process' whenever we ask for anything."
Pages 55-59 list the major issues the GAO sees with DHS. The organizational ones are pretty scary. also, I've blogged previously about research funding for DHS -- out of its $1B research budget, a mere $60 million goes to cybersecurity. You could put all of this together and come to the conclusion that cybersecurity is not a priority for DHS; it has minimal funding, no authority, and scarce attention from DHS leadership, thus leading to ineffectiveness and a revolving door in the key positions as good people get frustrated with their inability to make anything happen inside an organization that is more concerned with colored alert charts and x-raying shoes at airports than it is with actually securing critical infrastucture.
The executive summary has a particularly damning last paragraph, excerpted here:
DHS faces a number of challenges that have impeded its ability to fulfill its cyber CIP responsibilities. These key challenges include achieving organizational stability, gaining organizational authority, overcoming hiring and contracting issues, increasing awareness about cybersecurity roles and capabilities, establishing effective partnerships with stakeholders, and demonstrating the value DHS can provide.
So let me get this straight: the organization is a mess, they have no authority, they can't hire people to do work, no one knows what they do, they don't work and play well with others, and they haven't compellingly demonstrated that they add any value.
My Government At Work For Me.
1:43:49 PM 
|
