Critical infrastructure regulators need to improve cyber metrics

Shutterstock image: shadowed hacker.

Despite closer ties and better teamwork between critical infrastructure providers and the federal agencies that help protect their systems from cyberattack, the government lacks a consistent way to gauge threats and security progress, according to a study by the Government Accountability Office.

GAO's IT team examined how agencies mitigate cyber risks to critical infrastructure providers and found that 11 of the 15 sectors it monitored had significant cyber risks, but only a few had processes in place to measure the threat and track efforts to mitigate them.

Critical infrastructure sectors include communications, energy, financial services, emergency services and commercial facilities such as shopping malls and stadiums.

According to the study, 12 of the 15 sectors had not identified incentives to promote cybersecurity as proposed in the National Infrastructure Protection Plan (NIPP). However, the auditors noted that the agencies responsible for those sectors are participating in a working group to determine appropriate incentives.

The report states that agencies for three sectors "had not yet made significant progress in advancing cyber-based research and development within their sectors because it had not been an area of focus for their sector."

GAO said the departments of Defense, Energy, and Health and Human Services had established performance metrics for their three sectors, but agencies covering the other 12 sectors have not developed ways to measure and report on the effectiveness of their cyber risk mitigation activities or their sectors' cybersecurity posture.

Those agencies must instead rely on information voluntarily provided by the private sector to measure cybersecurity efforts. Encouraging companies to share such information with the government has been a hot topic of debate, and legislative efforts have sought to protect companies from liability and shield proprietary information from competitors.

NIPP directs sector-specific agencies and their nongovernmental partners to identify high-level outcomes to facilitate progress toward national goals and priorities. Until agencies develop performance metrics and collect data on the progress of their cybersecurity improvement efforts, GAO said they might be unable to adequately monitor the effectiveness of their cyber risk mitigation activities.

In a podcast accompanying the study, GAO's Director of Information Security Issues Gregory Wilshusen said progress is being made, with coordinating councils and working groups set up to address the security of industrial control systems. However, he noted that additional work needs to be done and cited the lack of appropriate performance metrics for some sector-specific agencies.

Bottom line: The cyberthreat to critical infrastructure is significant, Wilshusen said.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • Image: Shutterstock

    COVID, black swans and gray rhinos

    Steven Kelman suggests we should spend more time planning for the known risks on the horizon.

  • IT Modernization
    businessman dragging old computer monitor (Ollyy/

    Pro-bono technologists look to help cash-strapped states struggling with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help.

Stay Connected