Government and industry need to do a better job of sharing information about cybersecurity threats to U.S. critical infrastructure, according to the Government Accountability Office.
The government isn’t giving industry officials the timely and actionable information on cyber threats that they expect, nor is industry always meeting government expectations for sharing cyber threat data, according to the Government Accountability Office.
Just 27 percent of 56 industry representatives surveyed by GAO said the government was, to a great or moderate extent, giving them timely and actionable cyber threat information and alerts. Industry officials also reported a lack of access to classified information, a secure way to share that data, security clearances and a single central government source for cyber information, GAO said in a report released Aug. 16.
“Private-sector stakeholders are not consistently receiving their expected services from their federal partners because, in part, federal partners are restricted in the type of information that can be shared with the private sector and lack an understanding about each sector’s specific information requirements,” auditors concluded.
Government officials reported to GAO that industry is mostly meeting their expectations in several areas, although they said some improvements could be made. The extent to which industry is fulfilling government’s expectations varies by critical-infrastructure sector, auditors said. Some industry officials don't want to share their proprietary information with the federal government because of worries about public disclosure.
Officials working with the information technology sector reported the private sector was giving it only one of the 10 services that were expected, GAO said.
GAO focused its reporting on the banking and finance, communications, defense industrial base, energy, and IT sectors because of their reliance on cyber assets. The auditors analyzed reports and interviewed officials involved in those sectors.
The government has identified a total of 18 critical infrastructure sectors. Each sector has a council comprised of industry officials and a council that includes local, state and federal government officials. The councils are supposed to work together to bolster critical infrastructure protection.
The Homeland Security Department has issued the National Infrastructure Protection Plan (NIPP) as the framework for dealing with threats – including those that are cyber-based – to that infrastructure.
“Without improvements in meeting private- and public-sector expectations, the partnerships will remain less than optimal and there is a risk that owners of critical infrastructure will not have the appropriate information and mechanisms to thwart sophisticated cyberattacks that could have catastrophic effects on our nation’s cyber-reliant critical infrastructure,” GAO said.
GAO recommended that the White House cybersecurity coordinator and DHS use its findings to focus on cybersecurity information-sharing efforts and to bolster DHS’ new National Cybersecurity and Communications Integration Center.
The cybersecurity coordinator didn’t provide it with comments on the findings, GAO said. DHS agreed with the recommendations and described efforts under way to deal with them. DHS said it is integrating public- and private-sector partners into that new center.
Three senior Democrats on the House Homeland Security Committee, including Chairman Rep. Bennie Thompson (D-Miss.), said in a statement that the report shows that public- and private-sector cybersecurity efforts aren’t always on the same page.
“Given the growing nature of the threat, DHS and the private sector must commit to cooperative efforts to ensure the safety of our nation’s cyber infrastructure and security of the critical functions it provides,” he said.