The federal agency in charge of securing the government's computer systems is unable to monitor the networks or analyze threats in real time, and it lacks the authority and staff it needs to do its job, according to an internal report.
The U.S. Computer Emergency Readiness Team must share information about threats and trends more quickly and in greater detail with other federal departments so they can better protect themselves, the audit said.
Issued Wednesday by the Homeland Security Department's inspector general, the report lays out criticism that long has been aired by U.S. officials and outside experts who say the government's computer systems are vulnerable to attacks, are persistently probed, and lack the needed management and security standards.
And it highlights many of the problems Congress is trying to address in a number of bills aimed at creating a more effective government structure to improve and enforce security standards.
Cyber security has become a top priority for the government, bolstered by President Barack Obama's declaration last year that it is "one of the most serious economic and national security challenges we face." Officials say U.S. networks are scanned and probed millions of times a day, and in some cases breached by hackers, cyber criminals and other nations.
The 35-page report said the Computer Emergency Readiness Team, which is a part of DHS, has made progress helping federal agencies protect against computer-based threats, including the creation of a cyber center. But it said the team does not have the enforcement authority it needs to get other federal agencies to take the steps required to secure their systems.
In a detailed response to the report, DHS Undersecretary Rand Beers noted that the inspector general did not make a recommendation on how the agency could gain more enforcement authority. But he said the agency agrees that giving DHS more formal authority would be helpful.
Members of Congress currently are tussling over legislation that would give Homeland Security greater power to draft and enforce standards, and require federal agencies to more quickly address gaps in their computer systems. Other lawmakers say that authority should reside in the White House and with the National Institute of Standards and Technology.
Sen. Susan Collins, R-Maine, who along with Sen. Joe Lieberman, I-Conn., has legislation to increase the DHS' power, said the agency needs "precise authorities with real teeth." That effort got a boost Wednesday as key House members said they would introduce a similar bill.
The report also said the Computer Emergency Readiness Team has been plagued with staff shortages and leadership turnover, hindering its ability to retain qualified staff. And due to the security clearance process, it can take nine months to 12 months for a new hire to begin work.
DHS is in the middle of a major boost in staffing. In early 2009, the readiness team had 16 employees, but the number jumped to 31 by October, and is now at 55, with another 25 workers in the hiring process.
The report notes that officials from other federal agencies have complained that the readiness team doesn't quickly share data on cyber threats or incidents. DHS officials responded that much of the data is from intelligence agencies and is classified at various levels, making it difficult to coordinate and share.
