The key office at DHS for coordinating cyber security is ICS-CERT (Industrial Control Systems-Cyber Emergency Response Team). It has nothing to do with U.S. business and cyber, but, rather, with cyber and public infrastructure. Its mission is described as follows:
“The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts among Federal, state, local, and tribal governments and control systems owners, operators, and vendors. Additionally, ICS-CERT collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures.”
However, “The departments of Homeland Security and Defense, including the National Security Agency, have no way of sharing current alerts about computer breaches with each other or industry.” The DHS IG’s report explains that “There is one system for circulating event reports, a separate one for circulating directions on how to respond, and no real-time system for joining the two.”
DHS’s Office of Intelligence and Analysis, an organization that provides all-source intelligence and operational support to the agency (and, therewith, the government), has only enough workers to operate 14 hours per day, for five days per week. ICS-CERT only 12, five days a week.
The audit also reports that the NCCIC (National Cybersecurity and Communications Integration Center) lacks specialized training. NCCIC houses ICS-CERT, US-CERT, and the NCCT (National Coordinating Center for Telecommunications.) More damning than the lack of training is that statement that only 10 of 22 NCCIC analysts received technical training in malware analysis between 2009 and 2013. In the auditor’s report, there’s a nifty flow chart (unfortunately nonreproducible here) that shows four major analysis offices under NCCIC. Again, only 22 analysts in those offices, the majority of them untrained?
DHS handles all of its cyber-related matters under the Office of Cybersecurity and Communications, of which NCCIC is one of five parts, the others being the Network Security Deployment, the Federal Resilience Network, the Office of Emergency Communications, and the Stakeholder Engagement and Cyber Infrastructure Resilience.
You’ll be happy to learn that DHS officials say they’re working with the Department of Commerce’s National Institute of Standards and Technology (NIST) to develop a set of “incident categories.” Cyber attack has been with us for years and the government still hasn’t been able to figure out how to divide the incidents into categories-an obvious outcome for only paying attention to cyber attacks 12-14 hours a day, five days a week.
NIST’s October 22 report, “Preliminary Cybersecurity Framework to help critical infrastructure owners and operators reduce cybersecurity risks in industries such as power generation, transportation, and telecommunications,” stated that it was staging a 45-day public comment period so that it can release to office framework in February.
Even if you agree with the Obama administration that attention to cyber assault on infrastructure is the only crucial threat to the U.S. economy, progress is more than slow.GlobalSecurity.org reports that
“At a time when electric companies are witnessing an unprecedented rise in cyber-attacks against their industrial control systems (ICS) and supervisory control and acquisition systems (SCADA) that monitor and regulate power grids, the response of industry executives has ranged from paralysis to indifference.”
The website claims that this can hardly be due to management ignorance and cites the evidence that ICS-CERT (see above) responded to 198 cyber incidents across all critical infrastructure sectors in 2012, 41 percent of which were in the energy sector. An NSS Labs report paints an even more sobering picture: ICS/SCADA vulnerability disclosures have increased more than 600% since 2010.
Yet, energy utilities executives seem willing to ignore the known threat of cyber attacks because neither the market nor the government “adequately punish companies that cost their customers money and lives.”
Indeed, PricewaterhouseCoopers’ and Ernst & Young’s recent surveys show that American business is not much better at meeting its vulnerability to cyber attack. Last year the administration declared its intention to coordinate with business and Congress offered to make private sector-government reporting and information exchange easier. Nothing happened. Claiming budgetary constraints, businesses are not stepping up their cyber defenses, and most are hiding from their shareholders how much ever-increasing hacking and cyber attacks are hurting their bottom lines.
The failure to allocate funds to develop adequate cyber by the government and private business alike all but guarantees thatthe “Cyber Pearl Harbor,” Former Secretary of Defense Leon Panetta warned about over a year ago, is just around the corner.