It’s at least as likely that our country will be hit by a major, crippling Pearl Harbor-like cyber attack as it is that San Francisco will be hit by a magnitude 8 earthquake. So maybe people should take note of a new report which suggests that we are woefully unprepared to defend ourselves against it, or to respond effectively if it happens.
The report was released last week by the Inspector General of the Department of Homeland Security. Its overly optimistic title is, “U.S. Computer Emergency Readiness Team Makes Progress in Securing Cyberspace, but Challenges Remain.”
The report focuses on the US Computer Emergency Readiness Team, or CERT, which was created to coordinate the nation’s cyber-defense efforts. CERT is a division of the Department of Homeland Security (DHS) that is specifically tasked to analyze and reduce cyber threats and vulnerabilities, disseminate cyber threat warning information, and coordinate cyber incident response activities.
According to the report, CERT is barely functioning, 7 years after it was established.
To begin with, CERT is understaffed. Only 45 of the 98 positions approved for the emergency readiness team are filled. As a result, it relies on contractors to carry out the most basic activities like updating operating procedures. It basically can do nothing except process data for anomalies and react to breaches after the fact.
Want more? CERT has no strategic plan, let alone performance measures against which to assess progress. It also lacks the authority to ensure its safety recommendations are implemented, even by the federal agencies it is supposed to protect.
Then again, even if CERT somehow morphs into a highly effective organization, it’s well to remember that the vast majority of the networks that make up our country’s cyber infrastructure are privately owned, and therefore beyond its auspices.
At least we can say we were warned.