The former official said patch management and other software maintenance on US-CERT systems was not performed by US-CERT personnel but rather by staff from another part of the department. The former official called the arrangement “classic stovepiping.”

“It is a classic pothole of IT being segregated away from the mission-owner,” the former official said, referring to the management of US-CERT. Even in a computer security organization like US-CERT, the former official said, “IT management issues often fall towards the bottom of the to-do list. It is not sexy work.”

One private-sector IT security specialist, who asked for anonymity because he works with the federal government and did not want to jeopardize his relationships there, told The Washington Times in an e-mail that “This is a management/leadership issue.”

“I do know they’re way over-burdened there [at US-CERT] considering the mission they have but you have to take care of your own house,” especially because of US-CERT’s position as the focal point for warnings about new vulnerabilities and other cyberthreats, the specialist said.

News of the report would make the work of US-CERT harder because it would undermine the agency’s reputation among security professionals, the specialist said. “It’s a credibility issue, and you have to be on your ‘A’ game when it comes to setting the example.”

“It looks like they’re going to get a lot of attention within the department as a result of this [report],” the specialist added. “I honestly believe that they’re swamped with work, competing priorities and a huge mission. … That is why prioritization is essential.”

But the former official told The Times that making such problems public made it harder to prioritize computer security issues in a rational way. “Throwing it out there like that just adds to the governance issues.”

“The department has already taken action to fulfill the recommendations of this report,” Homeland Security spokeswoman Amy Kudwa said in a statement.

She said the department recently implemented “a software management tool that will automatically deploy operating system and application security patches and updates to mitigate current and future vulnerabilities.”