GAO: Infrastructure plans lack cybersecurity strategy

With 85 percent of the country’s critical infrastructure in private hands, the federal government must make sure that the 17 infrastructure sectors include cybersecurity in their plans to protect themselves against cyberattacks and disaster, an official of the Government Accountability Office has told two House panels. However, none of the sectors included in their sector plans all 30 cybersecurity criteria, such as key vulnerabilities and measures to reduce them, the official also testified. The critical infrastructure includes sectors such as water, transportation and energy, but even those chiefly physical infrastructure sectors rely on computerized control systems. Of the 17 sectors, information technology and communications had the strongest cybersecurity plans, said David Powner, director of GAO's information technology management issues. The agriculture, food and commercial sectors were the least comprehensive, he said. “Until the plans fully address key cyber elements, certain sectors may not be prepared to respond to a cyberattack against our nation’s critical infrastructure,” Powner said at a hearing held Oct. 31 by the House Homeland Security Committee’s Emerging Threats, Cybersecurity and Science and Technology Subcommittee and its Transportation Security and Infrastructure Protection Subcommittee. The Homeland Security Department, which issued a national plan last year for the sectors to use as a road map for their individual plans, acknowledged the shortcomings that GAO found and explained that these sector plans, released in May, represent only early efforts, said Greg Garcia, DHS’ assistant secretary for cybersecurity and communications. Federal agencies lead specific sectors and coordinate the critical infrastructure protection effort with the private sector. DHS is the sector-specific agency coordinating the communications and IT sectors. Garcia expects the Cross-Sector Cyber Security Working Group, formed in May as a forum to exchange information on common cybersecurity issues, will encourage sectors to collaborate to identify systemic cyber risks and mitigation strategies and share best practices. GAO recommended that DHS fully address the cybersecurity criteria by September 2008. The private sector needs to not only improve its plans but start implementing them, Powner said. “What’s important is the next annual report -- that there is some assurance that the plans are complete and that we are moving to implementation,” he said. Garcia said sectors are not meant to be uniformly comprehensive in their cybersecurity efforts, and they must balance cybersecurity risk against other risk management efforts and unique aspects of their infrastructure. “Cyber risk varies by sector, based on its dependence on cyber elements,” Garcia said. Sector annual reports had improved from initial efforts in 2006 to 2007. For example, more than half of the sectors identified at least one cybersecurity goal and/or priority in their 2007 reports in May. DHS is working with sectors to review cybersecurity priorities, assess effects of cyberattacks, develop protective programs and evaluate research and development initiatives to identify areas where additional capabilities are needed, Garcia said. DHS plans to offer workshops next year with its sector partners to consider incentives to encourage voluntary risk assessments, develop cross-sector cyber metrics and identify existing cyber research and development projects.