GAO: Infrastructure plans lack cybersecurity strategy

With 85 percent of the country’s critical infrastructure in private hands, the federal government must make sure that the 17 infrastructure sectors include cybersecurity in their plans to protect themselves against cyberattacks and disaster, an official of the Government Accountability Office has told two House panels. However, none of the sectors included in their sector plans all 30 cybersecurity criteria, such as key vulnerabilities and measures to reduce them, the official also testified.

The critical infrastructure includes sectors such as water, transportation and energy, but even those chiefly physical infrastructure sectors rely on computerized control systems. Of the 17 sectors, information technology and communications had the strongest cybersecurity plans, said David Powner, director of GAO's information technology management issues. The agriculture, food and commercial sectors were the least comprehensive, he said.

“Until the plans fully address key cyber elements, certain sectors may not be prepared to respond to a cyberattack against our nation’s critical infrastructure,” Powner said at a hearing held Oct. 31 by the House Homeland Security Committee’s Emerging Threats, Cybersecurity and Science and Technology Subcommittee and its Transportation Security and Infrastructure Protection Subcommittee.

The Homeland Security Department, which issued a national plan last year for the sectors to use as a road map for their individual plans, acknowledged the shortcomings that GAO found and explained that these sector plans, released in May, represent only early efforts, said Greg Garcia, DHS’ assistant secretary for cybersecurity and communications.

Federal agencies lead specific sectors and coordinate the critical infrastructure protection effort with the private sector. DHS is the sector-specific agency coordinating the communications and IT sectors.

Garcia expects the Cross-Sector Cyber Security Working Group, formed in May as a forum to exchange information on common cybersecurity issues, will encourage sectors to collaborate to identify systemic cyber risks and mitigation strategies and share best practices.

GAO recommended that DHS fully address the cybersecurity criteria by September 2008. The private sector needs to not only improve its plans but start implementing them, Powner said.

“What’s important is the next annual report -- that there is some assurance that the plans are complete and that we are moving to implementation,” he said.

Garcia said sectors are not meant to be uniformly comprehensive in their cybersecurity efforts, and they must balance cybersecurity risk against other risk management efforts and unique aspects of their infrastructure.

“Cyber risk varies by sector, based on its dependence on cyber elements,” Garcia said.

Sector annual reports had improved from initial efforts in 2006 to 2007. For example, more than half of the sectors identified at least one cybersecurity goal and/or priority in their 2007 reports in May. DHS is working with sectors to review cybersecurity priorities, assess effects of cyberattacks, develop protective programs and evaluate research and development initiatives to identify areas where additional capabilities are needed, Garcia said.

DHS plans to offer workshops next year with its sector partners to consider incentives to encourage voluntary risk assessments, develop cross-sector cyber metrics and identify existing cyber research and development projects.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.