Home > Event Management, TechNews > DHS Failing At The Basics

DHS Failing At The Basics

From our "Oy Vey" department…

DHS achieves another failing grade. This time from the GAO which assessed the agency’s regional command centers.  Homeland Security Daily Wire reported last week that DHS’s twenty-five national and regional operations centers suffer from
poor collaboration and coordination, with shabby management preventing
the information-sharing network from reaching its full potential.

Aggregation and correlation of security information is one of the most basic elements of an incident response architecture.  Why can’t DHS do this well?!  Heck, I know how to build best practice response centers – they should call me.  Or call a real professional like Rich Grassie.  But gee whiz, call somebody!

First you organize your data sources.  They may be feeds from regional governments, law enforcement agenceis, news sources and private associates.  Then you organize technology inputs like sensor feeds from critical infrastructure facilities.  Concurrently you set up public-private information sharing in a specific region.  Not all of this has to be completed before the incident response station begins being useful.  It’s a process.

After setting up the inputs, apply the policies.  Strategic security consultants can build basic threshholds and escalation procedures.  Correlation engines can map sensor and news inputs to the policies.

Along the way, establish a reliable communications system to keep in touch with regional first responders and agencies.  Communications should include POTS telephone, IP telephony, radio, and text message broadcasting.

Finally, build a reporting and workflow management protocol that ensures that every event is processed efficiently.  None of this is rocket science – and it should have been done years ago.

Advertisements
Categories: Event Management, TechNews
  1. April 15, 2007 at 5:56 pm

    Ah Steve… you’re assuming they “want” to fix it.
    I’ve come to the sad realization that until there is some substantial penalty for poor security – nothing at all will change.
    At the beginning of April I was blogging about the National Nuclear Security Agency losing 20 desktop computers with sensitive information. The response by the agency:
    *****
    The report includes a response from the security agency that generally agrees with the findings. But the inspector general, Gregory H. Friedman, noted in his report that “the comments did not include planned corrective actions with target completion dates.”
    *****
    In other words… too bad, how sad, see ya next year.
    And it can’t just be taking them offline. That’s what they did to one of the departments, yet over a year later (as I vaguely recall) the problems still had not been corrected. (was it the Bureau of Indian Affairs… or some such thing).
    I think it has to be a sea change in the mindset of government workers. I have no idea how that will be accomplished.

  2. April 15, 2007 at 6:46 pm

    I know what you mean. But who is the “they” who needs to “want” to fix it? Is it the Secretary? Congress? The American people? the media?

  3. April 15, 2007 at 9:49 pm

    Right now you have the GAO that comes in and does the assessment. What happens then? To all outward appearances… nothing. That may not be true – but it’s the perception from the news articles.
    From that point – Congress (as they are the top of this food chain) needs to have some type of system in place to deal with non-compliance – they don’t.
    We know right now, that if there are high level policies – none are being enforced. Congress would need to mandate that each Department develop the policies you’ve outlined above within a limited period of time. Non-compliance results in people losing their jobs and hefty fines being assessed – even up to cutting systems off from the internet or possible prison terms for those in charge of security type of Departments like the DHS. Each department would then pass this down their own infrastructure.
    While the GAO is equipped to assess – I don’t know that they are equipped to enforce. Much as I hate the thought – ick, ick, ick, I think we’re looking at an oversight department. (as if government isn’t big enough – and as if oversight departments aren’t full of their own problems).
    As usual though, non-action starts at the top. Congress gave a mandate to the GAO to assess systems – they didn’t give them any power to DO anything – what else is new. For anything to be accomplished – Congress would have to place someone in charge of handing out the pink slips, assessing fines, etc… when things don’t get done. The case I was talking about earlier was enforced by the courts after a lawsuit was brought against that department. Even then that department didn’t really clean up its act. It’s also not realistic to think that we can enforce security through lawsuits – if nothing else – it takes far to long to get through the court system.
    What else do we know? Unless they are forced into the position – most people will not go out of their way to secure systems. It seems this truism even applies to people who work in security fields. To enforce mandates, you have to have laws and someone to enforce them. That’s the only way things will change.
    Okay, that’s a quick and dirty overview with little extended thought – FWIW. I’m sure others might have a better ideas. How to get there… I think that’s a book.

  4. April 19, 2007 at 6:52 am

    Thanks, Teresa. I appreciate this.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: