The Office of Inspector General (OIG) says the Department of Homeland Security (DHS) has improved cybersecurity collaboration and coordination, but gaps remain.
As cyber threats evolve, securing U.S. technology systems and networks from unauthorized access and potential exploits becomes more challenging. DHS, the National Security Agency, and the United States Cyber Command within the U.S. Department of Defense (DoD) agreed to address these challenges via a Cyber Action Plan (CAP) and memorandums.
OIG conducted an audit to assess DHS’ progress in implementing the joint DHS-DoD cybersecurity efforts as required in the CAP and the 2015 and 2018 memorandums.
The watchdog found that during the past six years, DHS participated in critical infrastructure programs, improved cyber situational awareness, co-located DHS and DoD liaisons, and conducted cybersecurity readiness training.
The U.S. Government and the private sector work closely on the security and resilience of critical infrastructure through a public-private relationship model — initiatives referred to as Pathfinder programs are one aspect of this model. Each Pathfinder program is meant to address the technologies, challenges, and threats facing a critical infrastructure sector. DHS participated in two Pathfinder programs during the past two years that were focused on the Energy and Financial Services critical infrastructure sectors. DHS officials told OIG that these Pathfinder efforts have been effective. Specifically, the Energy sector Pathfinder advanced threat information sharing, improved training and education to understand systemic risks, and developed joint operational preparedness and response activities. The Financial Services sector Pathfinder program enhanced security and resilience of the sector’s critical infrastructure and reduced operational risks.
DHS is also leading two additional initiatives: a malware sharing initiative to allow for the sharing of declassified malware information with trusted partners, and a mutual interest initiative to operationalize cyber threat information sharing.
To bolster cyber defense skills, DHS participated in 46 joint national-level cyber trainings and exercises, three of which it led, between 2015 and 2019. As part of this training, participating organizations responded to simulated attacks by practicing response policies and procedures.
OIG notes in its latest report, however, that it could not easily determine whether DHS had completed all requirements outlined in the CAP and memorandums because DHS did not sufficiently document the progress of its activities.
OIG also found that DHS did not effectively monitor its efforts and update its plans as required, which the auditors attributed to DHS not establishing performance measures with milestones for completing actions, as well as inadequate staffing and governance structure to ensure its joint cybersecurity efforts remained on track.