The Department of Homeland Security (DHS) has one of the most difficult cybersecurity missions across the Federal government but lacks a workforce plan to ensure the agency can conduct critical cybersecurity workforce reviews, a government watchdog recently found.
A Government Accountability Office (GAO) report published on Wednesday found that DHS, through its Cybersecurity and Infrastructure Security Agency (CISA) component, still needs to develop a workforce plan that addresses cybersecurity-related needs – especially when it comes to the chemical security workforce.
Specifically, the report said the plan should “include an analysis of any gaps in the program’s capacity and capability to perform its cybersecurity-related functions, and human capital strategies to address them.”
As of June 2023, GAO said, DHS had issued new guidance to help with chemical security workforce planning and CISA officials estimated that they will implement the requirements of the workforce plan by the end of August 2023.
The watchdog agency said fully addressing this recommendation by developing a cyber workforce plan will help the agency “ensure that it has the appropriate number of staff to carry out cybersecurity-related efforts.”
The GAO report highlighted 42 open recommendations across a variety of categories that DHS should prioritize, but in a podcast accompanying the report, GAO explained that when it comes to cybersecurity there is still “so much more work that’s needed.”
“I think that one thing that’s important to talk about is that DHS has probably the most difficult cyber mission in all of government because of three things,” explained GAO’s Chris Currie, an expert on DHS management. “One, they have to secure their own systems. And two, they have to secure other Federal agencies systems. And then three, they have to help the private sector and state and local governments secure their own systems as well. So it’s a huge, broad challenge.”
Currie explained that the chemical sector is just one sector that DHS helps to secure, working with thousands of chemical facilities across the country.
“One of the issues recently that has come up is not so much physical attacks to these facilities, but cyberattacks to their systems,” he said. “Those could often be as detrimental or damaging as someone actually trying to break into these facilities and steal chemicals or use them.”
“So DHS evaluates these facilities’ cybersecurity efforts through inspections that include, you know, on site reviews of policies and procedures. They interview officials. They basically verify that facilities are doing what they agreed to do in terms of security measures,” he continued. “And one of our recommendations is about helping DHS have the workforce it needs and the personnel it needs to do these cybersecurity workforce reviews.”
As for the emerging tech front, the GAO report also found that DHS needs to track and monitor all costs for its $4.3 billion Homeland Advanced Recognition Technology (HART) system for fingerprint matching and facial recognition.
The DHS Office of Biometric Identity Management (OBIM) provided an updated cost estimate to GAO in May 2023, and plans to incorporate the program’s actual costs in the next annual update to the HART Life Cycle Cost Estimate.
The bottom line of this report, according to Currie, is that it serves as a direct way for GAO “to directly communicate the most important things” to DHS that it needs to work on. “And because of that, it gets a lot more attention,” he said.