Is Protecting Vital Private IT a DHS Priority?
GAO Questions DHS Process on Critical Infrastructure Security
In 2006, DHS issued guidance that instructed lead federal agencies, referred to as sector-specific agencies, to develop plans for protecting their sectors' critical cyber and physical infrastructure in industries such as banking and finance, energy and public health. These agencies issued plans in 2007, but GAO found that none fully addressed all 30 cybersecurity-related criteria identified in DHS's guidance and recommended that the plans be updated to address them by September 2008.
Reps. Yvette Clarke, chairwoman of the Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, and James Langevin, co-chair of the House Cybersecurity Caucus, asked GAO to determine the extent to which sector plans have been updated to fully address DHS's cybersecurity requirements and assess whether these plans and related reports provide for effective implementation.
According to GAO, sector-specific agencies have yet to update their respective sector-specific plans to fully address key DHS cybersecurity conditions. Congressional investigators pointed out that only nine of 17 sector-specific plans (SSPs) have been updated, and of those nine updates, only three addressed missing cyber criteria, and those involved only a relatively small number of the criteria in question.
"The lack of complete updates and progress reports is further evidence that the sector planning process has not been effective and thus leaves the nation in the position of not knowing precisely where it stands in securing cyber critical infrastructures," David Powner, GAO information technology management issues director, wrote in the 65-page report. "Not following up to address these conditions also shows DHS is not making sector planning a priority."
Jerald Levine, director of DHS's GAO/Office of Inspector General liaison office, took exception to some of Powner's conclusions. "The fact that SSPs have not been fully updated yet to include ongoing and planned cybersecurity activities does not correlate to a lack of cybersecurity planning and activities in the sectors or to the lack of effectiveness of planning," Levine wrote to Powner after reviewing the draft of the GAO report. "The report also does not take into account the many ongoing activities in the sectors related to cybersecurity."
Nation's Cyber Assets at Risk
DHS recently issued guidance specifically requesting that the sectors address cyber criteria shortfalls in their 2010 sector-specific plan updates, GAO reported. "Until the plans are issued, it is not clear whether they will fully address cyber requirements," Powner wrote. "The continuing lack of plans that fully address key cyber criteria has reduced the effectiveness of the existing sector planning approach and thus increases the risk that the nation's cyber assets have not been adequately identified, prioritized and protected."
The GAO report also cited recent studies by a presidential working group and an expert commission that identified shortfalls in the effectiveness of the current public-private partnership approach and related sector planning, and offered options for improving the process, including prioritizing sectors to focus planning efforts on those with the most important cyber assets and streamlining existing sectors to optimize their capacity to identify priorities and develop plans. "Given this, it is essential that DHS and the to-be-appointed (White House) cybersecurity coordinator determine whether the current process as implemented should continue to be the national approach and thus worthy of further investment," Powner said.
GAO recommended, and DHS concurred, that the department assess whether existing sector-specific planning processes should continue to be the nation's approach to securing cyber and other critical infrastructure and consider whether other options would provide more effective results.
"If the recommendation is intended to suggest that there is a binary choice between continuing the existing sector-specific planning approach and other options, DHS disagrees," DHS's Levine wrote. "Actions such as prioritization of efforts with or among sectors and use of supplemental approaches can move forward in parallel with ongoing sector-planning activity. ... DHS believes we must continue to refine our work with the private sector regarding cybersecurity to enhance the effectiveness of our partnerships."
The chairman of the House Homeland Security Committee, Rep. Bennie Thompson, issued a statement after the release of the GAO report, endorsing continuation of the sector-specific-plan approach. "Comprehensive completion and continual updating of sector-specific plans is vital to the protection of the nation's critical infrastructure," Thompson said. "With the recent reports on insecurities in our electric grid and other critical infrastructure, we need to address this issue with the urgency that it requires. The White House, the appropriate departments and agencies and Congress must engage in a dialogue about the future of this approach."