Incident Response, Network Security, TDR, Threat Management

Report finds US-CERT mishandling cybersecurity role

The Department of Homeland Security (DHS) division tasked with coordinating the cyber defense of federal agencies is falling short in several areas, according to an independent investigative body.

US-CERT, which stands for the U.S. Computer Emergency Response Team, lacks enforcement authority, is understaffed and has failed to create appropriate means to evaluate its performance, said Richard Skinner, inspector general of the DHS, in a statement delivered Wednesday to the U.S. House Committee on Homeland Security.

In addition, the division is not sufficiently sharing information about threats and vulnerabilities, and technology to detect and prevent intrusions has not been adequately deployed to all federal agencies, Skinner said.

"While progress has been made, US-CERT still faces numerous challenges in effectively reducing the cybersecurity risks and protecting the nation's critical infrastructure," the statement said.

US-CERT, founded in 2003, "is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information and coordinating cyber incident response activities," Skinner said.

But the division has been unable to fulfill that mission because it lacks the authority to force agencies to deploy its recommendations, Skinner said. Also, US-CERT fails to appropriately staff its round-the-clock operations, preventing it from evaluating security risks and sharing information in real time. The team is authorized to have 98 members, but as of January, only 45 positions were filled, Skinner said.

Moreover, US-CERT lacks a strategic plan to identify goals and measure performance, Skinner said. It also lacks a standard operating procedure "that maps to functions, roles, the organization and the mission."

From a technology perspective, US-CERT is charged with overseeing the implementation of "Einstein" at federal agencies, a solution used to detect unauthorized network traffic. Most agree Einstein is a valuable tool, but a number of security officials at agencies said US-CERT was doing a poor job of sharing Einstein data across entities. In addition, a number of agencies have not even installed the technology due to outdated network infrastructures.

"This data could assist agencies in performing analyses with their locally collected data to identify potential threats and vulnerabilities," Skinner said. "Also, agency officials stated that it would be helpful for US-CERT to list which agencies are being attacked and provide common trends to other agencies to determine whether the incident is isolated or systemic."

In its current form, Einstein does not enable US-CERT to conduct real-time traffic analysis. But the division currently is evaluating an enhanced build of the technology that would permit real-time, full-packet inspection, threat prevention and incident response.

In the full report, DHS responded to each of the inspector general's recommendations.

The success of US-CERT dramatically is improving, according to a DHS statement emailed to on Wednesday.

"Cybersecurity has been elevated in an unprecedented way in [DHS] under this administration — this is no longer your father's US-CERT," the statement said. "We have built a world-class cybersecurity leadership team, and through US-CERT, [DHS] is working more closely than ever with our partners in the private sector and across the federal government. US-CERT provides a single, accountable focal point to support federal stakeholders as they make key operational and implementation decisions and secure the federal executive branch civilian networks."

The inspector general report comes as federal lawmakers are considering sweeping legislation that would redefine the role of government in cybersecurity.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.