Working with the Private Sector and Other Levels of Government to Protect Cyber Critical Infrastructures

Cyber critical infrastructures are systems and assets incorporating information technology—such as the electric power grid and chemical plants—that are so vital to the nation that their incapacitation or destruction would have a debilitating effect on national security, the economy, and public health and safety.

As GAO has reported, the federal government faces many challenges in working with both the private sector and state and local governments to protect these essential assets, including

  • improving threat and vulnerability assessments;
  • enhancing cyber analysis and warning capabilities, as well as securing key systems (e.g., control systems that monitor and control sensitive processes and physical functions); and
  • developing recovery plans (e.g., public and private planning for Internet recovery).

Until these and other areas are effectively addressed, the nation’s cyber critical infrastructure will be put at risk by the increasing threats posed by terrorists, foreign intelligence services, and others.

What Needs to Be Done

GAO has reported over the last several years that the Department of Homeland Security (DHS), which has lead responsibility for cyber critical infrastructure protection (commonly referred to as cyber CIP), has yet to fully satisfy the responsibilities specified in federal law and policy. To address these shortfalls, GAO has made about 30 recommendations in the following key areas, many of which have not been fully implemented:

Highlights of GAO-08-1157T (PDF)

  • bolstering cyber analysis and warning capabilities (GAO-08-588).
  • reducing organizational inefficiencies (GAO-08-607).
  • completing actions identified during cyber exercises (GAO-08-825).
  • developing sector-specific plans that fully address all of the cyber-related criteria.
    Highlights of GAO-08-113 (PDF)
  • improving cyber security of infrastructure control systems (which are computer-based systems that monitor and control sensitive processes and physical functions).
    Highlights of GAO-08-119T (PDF)
  • strengthening DHS’s ability to help recover from Internet disruptions.
    Highlights of GAO-08-212T (PDF)

DHS has developed and implemented capabilities to address aspects of these key cyber security areas, but it has not fully satisfied any of them:

  • In the area of cyber analysis and warning, GAO recommended in July 2008 that DHS improve the notifications issued by its U.S. Computer Emergency Readiness Team (US-CERT) because these notifications did not fully address 15 key attributes of cyber analysis and warning.
    Highlights of GAO-08-588 (PDF)
    • For example, although US-CERT developed and distributed a wide array of notifications, they were not consistently actionable or timely.
  • In the area of cyber exercises, GAO recommended in September 2008 that the department schedule and complete all corrective activities to address lessons it had learned conducting a cyber attack exercise in 2006.
    Highlights of GAO-08-825 (PDF)
    • Although DHS demonstrated progress in addressing these lessons learned, the actions it identified to address them had not been fully implemented.

Until these and other key cyber security areas are effectively addressed, the nation’s cyber critical infrastructure will remain at risk from the increasing threats posed by terrorists, nation-states, and others.

In addition, other federal agencies besides DHS are responsible for helping ensure that cyber CIP efforts are implemented effectively within the 18 infrastructure sectors—such as banking and finance, energy, and nuclear reactors. Meeting this goal will require agencies to take further action to build and maintain strong partnerships with public and private stakeholders.

Key Reports

GAO Contact

David Powner

Director, Information Technology

pownerd@gao.gov

(202) 512-9286