Department of Homeland Security officials can’t protect America’s digital assets as well as they should because millions of tax dollars are being wasted in a bureaucratic system that drowns cyber-security tasks in red tape, a government watchdog said Tuesday.

Fourteen years after the 9/11 attacks, Homeland Security still lacks a department-wide cyber-security training program and has yet to define each of its components’ duties in combating a digital attack, said DHS Inspector General John Roth.

Russian, North Korean and Chinese hackers have repeatedly penetrated U.S. digital security and infrastructure systems such as transportation and utility power in recent years.

DHS also lacks a department-wide strategy that defines “the components’ cyber responsibilities and capabilities,” Roth said. Agencies’ “cyber personnel do not have a clear understanding of each other’s responsibilities … to effectively coordinate and collaborate.”

The DHS IG said “this lack of understanding has led to conflicts regarding assignments and response to incidents,” including “instances in which incidents were referred to the wrong components within DHS … or outside of the department,” including the FBI.

Such confusion may have delayed DHS’s “response and recovery efforts” after cyber incidents.

“DHS plays a pivotal role in coordinating the national response to cyber incidents that result from the vulnerabilities created by our increased reliance on IT systems,” Roth said. “While our audit showed improved coordination between DHS components in carrying out cyber-security functions, we have identified duplication of effort and lack of effective policies and controls.”

The department also hasn’t “established a department-wide, comprehensive training program to enhance the skillsets of cyber analysts and investigators.” Instead, each agency within DHS develops its own training program, which causes “significant, duplicative costs.”

Training DHS components together would also “promote knowledge sharing,” and “would be more cost-effective,” the report said.

DHS officials estimate that a department-wide training program will be created by March 31, 2016 and a comprehensive assignment of responsibilities by Feb. 29, 2016.

Roth said his investigators found cyber-security gaps in the U.S. Immigration and Customs Enforcement and the U.S. Secret Services’ websites.

“We identified vulnerabilities on internal websites at ICE and USSS that may allow unauthorized individuals to gain access to sensitive data,” he said.

Consequently, an attacker could allow attackers to steal government secrets or alter databases. In fact, ICE officials told the IG that its website isn’t scanned to detect cyber-security weaknesses.

“This limits the ability of ICE to identify and resolve website-based weaknesses.”

A cyber-security expert pointed to the obsolete model on which DHS was based when it was created in 2003.

DHS is “continuing the federal bureaucracy, which is why we have all these issues,” said Institute for Critical Infrastructure Technology Senior Fellow James Scott. “It’s compartmentalized. There’s a lack of universal standards.”

Follow Ethan on Twitter.

Copyright 2015 The Daily Caller News Foundation