GAO: Infrastructure plans lack cybersecurity strategy

With 85 percent of the country’s critical infrastructure in private hands, the federal government must make sure that the 17 infrastructure sectors include cybersecurity in their plans to protect themselves against cyberattacks and disaster, an official of the Government Accountability Office has told two House panels. However, none of the sectors included in their sector plans all 30 cybersecurity criteria, such as key vulnerabilities and measures to reduce them, the official also testified.

The critical infrastructure includes sectors such as water, transportation and energy, but even those chiefly physical infrastructure sectors rely on computerized control systems. Of the 17 sectors, information technology and communications had the strongest cybersecurity plans, said David Powner, director of GAO's information technology management issues. The agriculture, food and commercial sectors were the least comprehensive, he said.

“Until the plans fully address key cyber elements, certain sectors may not be prepared to respond to a cyberattack against our nation’s critical infrastructure,” Powner said at a hearing held Oct. 31 by the House Homeland Security Committee’s Emerging Threats, Cybersecurity and Science and Technology Subcommittee and its Transportation Security and Infrastructure Protection Subcommittee.

The Homeland Security Department, which issued a national plan last year for the sectors to use as a road map for their individual plans, acknowledged the shortcomings that GAO found and explained that these sector plans, released in May, represent only early efforts, said Greg Garcia, DHS’ assistant secretary for cybersecurity and communications.

Federal agencies lead specific sectors and coordinate the critical infrastructure protection effort with the private sector. DHS is the sector-specific agency coordinating the communications and IT sectors.

Garcia expects the Cross-Sector Cyber Security Working Group, formed in May as a forum to exchange information on common cybersecurity issues, will encourage sectors to collaborate to identify systemic cyber risks and mitigation strategies and share best practices.

GAO recommended that DHS fully address the cybersecurity criteria by September 2008. The private sector needs to not only improve its plans but start implementing them, Powner said.

“What’s important is the next annual report -- that there is some assurance that the plans are complete and that we are moving to implementation,” he said.

Garcia said sectors are not meant to be uniformly comprehensive in their cybersecurity efforts, and they must balance cybersecurity risk against other risk management efforts and unique aspects of their infrastructure.

“Cyber risk varies by sector, based on its dependence on cyber elements,” Garcia said.

Sector annual reports had improved from initial efforts in 2006 to 2007. For example, more than half of the sectors identified at least one cybersecurity goal and/or priority in their 2007 reports in May. DHS is working with sectors to review cybersecurity priorities, assess effects of cyberattacks, develop protective programs and evaluate research and development initiatives to identify areas where additional capabilities are needed, Garcia said.

DHS plans to offer workshops next year with its sector partners to consider incentives to encourage voluntary risk assessments, develop cross-sector cyber metrics and identify existing cyber research and development projects.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.