Inspector General: DHS lacks authority, staff to protect federal networks

The Department of Homeland Security (DHS) team in charge of responding to cyberattacks lacks the authority and staff to protect the government’s civilian networks, according to the department’s inspector general.

DHS Inspector General Richard Skinner said the U.S. Computer Emergency Readiness Team (US-CERT) “does not have the appropriate enforcement authority to help mitigate security incidents."


"Additionally, it is not sufficiently staffed to perform its mission,” Skinner said in prepared remarks at a Wednesday hearing of the House Homeland Security Committee.

Since US-CERT lacks the authority to enforce its recommendations, Skinner said, agencies are free to ignore them. He also noted that, as of January, fewer than half of the 98 staff positions had been filled and the team had yet to develop a strategic plan or performance measures.

"Leadership and staff turnover and a continually evolving mission have hindered US-CERT’s past efforts to update its standard operating procedures," Skinner said.

In his opening statement, Chairman Bennie Thompson (D-Miss.) agreed with Skinner's assessment, blaming turnover in leadership and a reliance on contractors for the team's shortcomings. He cited a Government Accountability Office report that cybersecurity incidents reported in the government have risen 400 percent in the past four years.

"[US-CERT does] not have sufficient staff to analyze security information. It cannot develop internal capacity because contractors outnumber federal employees by about 3 to 1," Thompson said.

"It has not developed leadership consistency because US-CERT has had four directors in five years,” he said. “Given these administrative failings, it should come as no surprise that day-to-day operations may suffer."

Rep. Pete King (R-N.Y.) said he strongly supports the Senate Homeland Security Committee cybersecurity bill introduced last week, and looks forward to introducing a companion bill in the House. The bill would give DHS the authority to require other federal agencies and certain private-sector industries to comply with the department's cybersecurity recommendations.

Greg Schaeffer, DHS assistant secretary for cybersecurity and communications, said the administration has made cybersecurity a priority. He discussed some of the progress made by DHS, including deploying the Einstein 2 security monitoring system, which is currently used at 11 agencies. It has more sophisticated detection and response capabilities than its predecessor.

Schaeffer also said the number of cybersecurity workers in his department tripled last year and that he hopes to double that again in the coming year.