Skinner: DHS cyber security lacks focus

The Homeland Security Department's National Cyber Security Division needs to do a better job of establishing priorities for key programs and managing them effectively, according to a new inspector general report.

Although the division has made progress since 2004 in achieving its mission of advancing the nation's cyber security, officials have neither set strategic priorities nor set a detailed schedule for achieving them, states a report from DHS Inspector General Richard L. Skinner.

"NCSD has not prioritized specific initiatives, taking into consideration the required resources to ensure the timely completion of its initiatives," Skinner wrote. "As a result, many of NCSD's initiatives are not complete and progress to date has been limited."

For example, the Control Systems Security Program, which is intended to reduce vulnerabilities of control systems for critical infrastructure such as power plants, is not scheduled to go into effect until fiscal 2009. In addition, a computer forensics laboratory for investigating cyber breaches is not expected to be fully operational until fiscal 2009.

The IT Sector Specific Plan, which was developed in December 2006 by the IT industry along with the division, also recommends 70 activities to be performed within the next three years to improve cyber security. Many of those activities require the cooperation of the division. However, the division has not yet prioritized or scheduled those activities, the report said.

"Taken in total, the number of existing and new actions required of NCSD is significant and could overextend the capabilities of the division if not prioritized and properly resourced," Skinner concluded.

The division currently has 107 employees, comprising 31 federal employees, 72 contractors and four detailees. Division officials agreed with Skinner's recommendation to prioritize activities and to set milestones for critical tasks.

Skinner made 13 other recommendations for the division, some of which have already resulted in actions satisfying the recommendation. For example, Skinner recommended consolidating the tracking of all milestones for progress; however, division officials disagreed with the findings leading to the recommendation. After discussion and updating of the division's strategic plan, Skinner said the recommendation had been satisfied.

The division also disagreed with the findings leading to Skinner's recommendations that it develop additional performance measures and conduct analysis of agency reports of cyber incidents. Following additional discussion and actions, those recommendations also were satisfied.

Division officials agreed with the inspector general's advice to improve information sharing, perform annual security testing, provide security awareness training to contractors and develop procedures for sharing sensitive information.