The Office of Inspector General (OIG) says the Department of Homeland Security (DHS) has improved cybersecurity collaboration and coordination, but gaps remain.
As cyber threats evolve, securing U.S. technology systems and networks from unauthorized access and potential exploits becomes more challenging. DHS, the National Security Agency, and the United States Cyber Command within the U.S. Department of Defense (DoD) agreed to address these challenges via a Cyber Action Plan (CAP) and memorandums.
OIG conducted an audit to assess DHS’ progress implementing the joint DHS-DoD cybersecurity efforts as required in the CAP and 2015 and 2018 memorandums.
The watchdog found that during the past six years, DHS participated in critical infrastructure programs, improved cyber situational awareness, co-located DHS and DoD liaisons, and conducted cybersecurity readiness training.
The U.S. Government and the private sector work closely on the security and resilience of critical infrastructure through a public-private relationship model — initiatives referred to as Pathfinder programs are one aspect of this model. Each Pathfinder program is meant to address the technologies, challenges, and threats facing a critical infrastructure sector. DHS participated in two Pathfinder programs during the past two years that were focused on the Energy and Financial Services critical infrastructure sectors. DHS officials told OIG that these Pathfinder efforts have been effective. Specifically, the Energy sector Pathfinder advanced threat information sharing, improved training and education to understand systemic risks, and developed joint operational preparedness and response activities. The Financial Services sector Pathfinder program enhanced security and resilience of the sector’s critical infrastructure and reduced operational risks.
DHS is also leading two additional initiatives: a malware sharing initiative to allow for the sharing of declassified malware information with trusted partners, and a mutual interest initiative to operationalize cyber threat information sharing.
To bolster cyber defence skills, DHS participated in 46 joint national-level cyber trainings and exercises, three of which it led, between 2015 and 2019. As part of this training, participating organizations responded to simulated attacks by practicing response policies and procedures.
OIG notes in its latest report, however, that it could not easily determine whether DHS had completed all requirements outlined in the CAP and memorandums because DHS did not sufficiently document the progress of its activities.
OIG also found that DHS did not effectively monitor its efforts and update its plans as required, which the auditors attributed to DHS not establishing performance measures with milestones for completing actions, as well as inadequate staffing and governance structure to ensure its joint cybersecurity efforts remained on track.
As per a 2018 memorandum, the Secretary of Defense, in coordination with the Secretary of Homeland Security, is authorized to provide, detail, or assign as many as 50 cybersecurity technical personnel to DHS within any fiscal year, with the option to extend for an additional year. According to OIG, DHS has not yet increased the number of its DoD-detailed technical staff to the level that DHS and DoD agree is appropriate to enhance cybersecurity efforts. In July 2020, DoD issued guidance limiting the number to a maximum of 20 personnel, subject to increase based on review. OIG found that as of August 2020, DHS had just 10 DoD personnel who were each serving a 6-month detail.
Ultimately, while the watchdog acknowledged the improvements made, it said DHS has not fully accomplished the interagency goals of joint DHS-DoD cybersecurity efforts and needs an implementation plan that identifies milestones and progress to help it effectively protect the nation’s critical infrastructure.
OIG has made five recommendations to further improve collaboration and coordination, with which DHS has agreed:
- Develop an implementation plan to conduct periodic assessments for monitoring the progress of goals and activities and complete annual updates on action items.
- Conduct centralized tracking and completion of signed closeout summaries to reconcile the ongoing, outstanding, and open tasks and activities.
- Establish performance measures to ensure the effectiveness and completion of the CAP and associated 2015 and 2018 memorandum activities.
- Establish the DHS governance structure and ensure it consists of an Executive Committee that meets at least semi-annually and a Steering Committee that meets at least quarterly.
- Establish a plan for the appropriate allocation of technical personnel to ensure DHS-DoD effective coordination and collaboration efforts.
DHS stated it will develop an implementation plan to address the unresolved action goals, activities, and action items by March 31, 2022. This effort will include conducting periodic assessments and annual updates for remaining and future goals, activities, and action items. Performance metrics will be in place by the same date and will be reviewed quarterly. And DHS said it would continue to work with DoD counterparts to advocate for additional allocation of DoD technical personnel in support of joint DHS/DoD priorities. This work is expected to continue through September 30, 2022.