Skip to main content

U.S. vulnerable to cyber threats, experts warn

By Pam Benson, CNN National Security Producer
  • GAO: Cyber-security incidents reported by federal agencies up 400 percent
  • New inspector general's report critical of government's ability to respond
  • DHS does not have authority to require fix on cyber vulnerability
  • Senate bill would give president emergency powers to protect systems under attack

Washington (CNN) -- On the face of it, the disastrous oil spill in the Gulf of Mexico and the growing threat of a disabling cyber attack would seem to have little in common. But experts have warned Congress that the inability of government and industry to prevent or respond to a cyber threat could be equally disastrous.

A critical report from the Department of Homeland Security's inspector general released Wednesday concluded the agency responsible for protecting civilian computer and information networks was seriously understaffed and did not have the authority to order government agencies to protect their systems.

Former DHS official Stewart Baker told the House Homeland Security Committee that the BP oil spill should be a valuable lesson to those developing cyber-security strategy.

"If we knew how bad things were, how many corners were cut before the oil spill, we would have demanded action on part of industry as well as the government. We know we face exactly that kind of crisis in the context of cyber security," said Baker.

Rep. Jane Harman said it might even be worse. "We could have a broken network or networks, spewing tens of thousands of bits of information on critical infrastructure, national security and mission critical data, financial and personal data, etc. It could be as devastating or more devastating than the environmental catastrophe that's unfolding on our TV sets," said the Democrat from California

The number of cyber intrusions is growing dramatically. According to a Government Accounting Office analysis, the number of security incidents reported by federal agencies increased more than 400 percent between 2006 and 2009.

There were 278,000 indications of malicious activity per month targeting the civilian government cyber networks, DHS Assistant Secretary Gregory Schaffer told the committee.

The U.S. Computer Emergency Readiness Team (US-CERT) is the agency within DHS responsible for coordinating the government's efforts to defend against and respond to cyber attacks against the government's non-military systems.

Inspector General Richard Skinner said US-CERT does not have the authority to enforce its recommendations to federal agencies, impeding the government's ability to move forward on cyber security.

"Until they have that authority or until they have mechanisms in place to ensure that compliance in fact is taking place, we're going to continue to experience problems," said Skinner.

Schaffer acknowledged DHS does not have the authority to require a department or agency to correct a cyber vulnerability but when pressed by several lawmakers to identify what powers DHS needed, Schaffer would only say the administration is looking at the problem and did not have a position yet on specific authorities.

The inspector general's report criticized US-CERT for not being sufficiently staffed to carry out its mission. The agency is authorized to have 98 positions, but only 55 have been filled and 25 people are awaiting security clearances.

Committee Chairman Bennie Thompson, D-Mississippi, wanted to know why it will take two years to hire 80 people. Schaffer explained it is a difficult task because of competition within government and private industry for a very limited pool of highly skilled people.

"These people are not easily found," said Schaffer.

The inspector general's report also cited another problem at US-CERT, the lack of sustained leadership. In the past five years, there have been four directors.

Another area of concern cited by the inspector general is the use of Einstein, an intrusion detection software program developed by US-CERT and used to monitor federal computer networks. Skinner said only 21 agencies have Einstein installed in their infrastructure.

"We need to put pressure on federal partners to start taking cyber security a lot more seriously and start using the tools we've developed to help them secure their networks, communication systems and computers," said the inspector general.

Committee Chairman Thompson wanted to know what could be done about complaints from federal agencies that DHS was not sharing enough of the data collected from Einstein concerning possible security breaches.

Skinner said that is a complicated problem because a lot of the information is raw data and agencies may not have the capability to analyze it. Assistant Secretary Schaffer said DHS has a plan to expand the amount of information it shares with others, but it has to be done in a way that doesn't violate classification rules.

Schaffer also agreed with Skinner that the high volume of raw data needs to be processed by highly skilled personnel who can analyze it and turn it into executable action.

Skinner said US-CERT has made a lot of progress in implementing a cyber-security program, specifically citing information-sharing with the public and private sectors and increasing the skills and expertise of its staff. But he said a lot more needs to be done.

"The train has left the station. We are now chasing the problem instead of being ahead of it," said Skinner.

Several Homeland Security Committee members on both sides of the aisle thought the bill introduced last week by Sens. Joseph Lieberman of Connecticut, an independent who caucuses with the Democrats, and Susan Collins, R-Maine, would go a long way in getting the cyber security effort on track.

That bill calls for a permanent White House cyber security coordinator, creates a National Center for Cybersecurity and Communications within DHS to lead federal efforts to protect government and private networks, and gives the president emergency powers to protect systems under attack.