14 DAY TRIAL // The Government Accountability Office (GAO) released, on September 16, a report that outlines the problems found and recommendations made following an investigation into how the Department of Homeland Security (DHS) handles its cybersecurity responsibilities. One particular subject concerned the security notifications released by DHS's US Computer Emergency Readiness Team (US-CERT) which were deemed “not consistently actionable or timely.”
US-CERT is, according to their own website, “a partnership between the Department of Homeland Security and the public and private sectors” which was established in 2003 in order to protect the Internet infrastructure across US. Its declared responsibilities are to analyze security threats and spread the gathered information through security advisories and also to coordinate incident response procedures.
The GAO report claims that US-CERT falls short from what is expected of them by giving several examples in this regard. Therefore, according to their investigation, US-CERT failed to completely address the 15 “key cyber analysis and warning attributes” that describe its four capabilities (monitoring, analysis, warning and response) during July 2008. It is noted that while US-CERT addressed parts of these key attributes, it did not fully cover them.
The report also points out that, for example, US-CERT did not establish a layout of the nation's critical network assets and operations. Furthermore, following their cybethreat analyses, they failed to specify the larger implications of a particular threat or the attacks that could result in the future. In addition, the information was released later than it should have been or did not efficiently reach the affected groups.
The report concludes that even if US-CERT helped a certain number of third-party entities to resolve and contain several attacks, it does not currently have the resources to handle multiple incidents happening across the country at the same time. As a result of this investigation, GAO notes, ten recommendations were made in order to address the shortfalls of US-CERT, out of which nine were accepted by the Department of Homeland Security.