U.S. Senator Tom Coburn (R-OK) used his final days in office to warn that the U.S. Department of Homeland Security (DHS) is struggling to fulfill its mission to protect the nation from cyber attack.
The report, “A Review of the Department of Homeland Security’s Missions and Performance,” (PDF) was released on Saturday, as the retiring Senator from Oklahoma was leaving office. In it, the outgoing Senator said that DHS’s strategy and programs “are unlikely to protect us from the adversaries that pose the greatest cybersecurity threat.”
The warnings on DHS cyber operations were part of a larger critique of the Department in the report, in which Coburn called for reforms of Homeland Security focused on accountability and streamlining.
Despite spending $700 million annually on a range of cybersecurity programs, Coburn said it is hard to know whether the Department’s efforts to assist the private sector in identifying, mitigating or remediating cyber incidents provide “significant value” or are worth the expense. DHS programs are still heavily weighted towards software vulnerability mitigation, Coburn says, an activity that “will not protect the nation from the most sophisticated attacks and cybersecurity threats.”
DHS has also repeatedly run afoul of Government auditors in the Government Accountability Office for failing to adhere to security standards in managing its own information infrastructure, Coburn notes.
Coburn was the ranking member of the U.S. Senate Committee on Homeland Security and Governmental Affairs prior to his retirement. He was a frequent and vocal critic of government waste. And waste – or the best use of taxpayer dollars – is the thrust of the Coburn report, with the Senator arguing that DHS’s $700 million cybersecurity budget could better be spent elsewhere.
There are substantive critiques as well. Coburn argues that DHS’s National Cybersecurity Protection System (NCPS) has yet to be deployed across all civilian federal networks and relies on signature-based detection of known threats – an approach that will not detect many modern threats and attacks. The Department’s Continuous Diagnostics and Mitigation (CDM) program also comes in for criticism: costing $142.6 million in FY 2014 despite tepid adoption across the government.
U.S. Government agencies have been frequent victims of cyber attacks in the last year. Attacks – some attributed to foreign governments – have targeted everything from The White House to the Office of Personnel Management to NOAA, the National Oceanic and Atmospheric Administration.
Coburn recommended a variety of measures to improve Homeland Security’s management of its responsibilities vis-a-vis cyberspace. Among them: streamlining Congressional oversight of the Department so that it can be managed more holistically.
He also recommended that Congress require DHS to focus on its basic responsibilities for securing its networks, practicing good cybersecurity, and assisting the Office of Management and Budget with its job of overseeing federal civilian agencies’ cybersecurity practices.
When it comes to helping private sector firms, Coburn said DHS and Congress should be “cautious and realistic” about what the Department can do, given its myriad other responsibilities.
Finally, the Department should focus less on vulnerability monitoring and signature-based detection and shift to supporting the work of other agencies and private sector firms that are pursuing more effective strategies for deterring adversaries in cyberspace, he said.
Coburn is being replaced by incoming Senator James Lankford. A spokeswoman from his office declined to comment on the report on Tuesday, noting the ongoing transition to a new Congress. Security Ledger sent an e-mail to the Department of Homeland Security seeking comment but had not heard back prior to publication. We will update this story once we do.