Working with the Private Sector and Other Levels of Government to Protect Cyber Critical Infrastructures

Cyber critical infrastructures are systems and assets incorporating information technology—such as the electric power grid and chemical plants—that are so vital to the nation that their incapacitation or destruction would have a debilitating effect on national security, the economy, and public health and safety.

As GAO has reported, the federal government faces many challenges in working with both the private sector and state and local governments to protect these essential assets, such as

  • improving threat and vulnerability assessments;
  • enhancing cyber analysis and warning capabilities, as well as securing key systems (e.g., control systems that monitor and control sensitive processes and physical functions); and
  • developing recovery plans (e.g., public and private planning for Internet recovery).

Until these and other areas are effectively addressed, the nation's cyber critical infrastructure will be put at risk by the increasing threats posed by terrorists, foreign intelligence services, and others. For this reason, GAO designated this area as high-risk in 2003.

What Needs to Be Done

To protect the nation's cyber critical infrastructures, the Bush Administration issued a 2003 national strategy and related policy directives aimed at improving cyber security nationwide. The strategy and policies designated the Department of Homeland Security (DHS) as the focal point for federal cyber critical infrastructure protection (CIP) and assigned the department key cyber security responsibilities, including

  • developing a national plan for cyber critical infrastructure protection;
  • planning for and coordinating cyber incident response and recovery; and
  • identifying and assessing cyber threats and vulnerabilities.

Over the last several years, GAO has reported on our nation's efforts to fulfill essential aspects of its cybersecurity strategy. For example, GAO has reported since 2005 that DHS has yet to fully satisfy the responsibilities specified in federal law and policy. To address these shortfalls, GAO has made about 30 recommendations in the following key areas, many of which have not been fully implemented:

Highlights of GAO-08-1157T (PDF)

  • bolstering cyber analysis and warning capabilities.
    Highlights of GAO-08-588 (PDF)
  • reducing organizational inefficiencies.
    Highlights of GAO-08-607 (PDF)
  • completing actions identified during cyber exercises.
    Highlights of GAO-08-825 (PDF)
  • developing sector-specific plans that fully address all of the cyber-related criteria.
    Highlights of GAO-08-113 (PDF)
  • improving cyber security of infrastructure control systems (which are computer-based systems that monitor and control sensitive processes and physical functions).
    Highlights of GAO-08-119T (PDF)
  • strengthening DHS’s ability to help recover from Internet disruptions.
    Highlights of GAO-08-212T (PDF)

DHS has developed and implemented capabilities to address aspects of these key cyber security areas, but it has not fully satisfied any of them:

  • In the area of cyber analysis and warning, GAO recommended in July 2008 that DHS improve the notifications issued by its U.S. Computer Emergency Readiness Team (US-CERT) because these notifications did not fully address 15 key attributes of cyber analysis and warning.
    Highlights of GAO-08-588 (PDF)
    • For example, although US-CERT developed and distributed a wide array of notifications, they were not consistently actionable or timely.
  • In the area of cyber exercises, GAO recommended in September 2008 that the department schedule and complete all corrective activities to address lessons it had learned conducting a cyber attack exercise in 2006.
    Highlights of GAO-08-825 (PDF)
    • Although DHS demonstrated progress in addressing these lessons learned, the actions it identified to address them had not been fully implemented.

Further, with regard to the national strategy, GAO reported in March 2009 that there were 12 key areas of the strategy that required improvement. Since then, the Obama Administration has performed a review of the strategy and issued in May 2009 a list of short- and long-term actions, which are largely consistent with our past reports and recommendations, to strengthen the strategy.

Highlights of GAO-09-432T (PDF)

Moreover, other federal agencies besides DHS are responsible for helping ensure that cyber CIP efforts are implemented effectively within the 18 infrastructure sectors—such as banking and finance, energy, and nuclear reactors. Meeting this goal will require agencies to take further action to build and maintain strong partnerships with public and private stakeholders.

Until these and other key cyber security areas are effectively addressed, the nation's cyber critical infrastructure will be at risk from increasing threats posed by terrorists, nation-states, and others. Consequently, GAO continues to designate this area as high-risk and reported it as such in its most recent high-risk update.

Highlights of GAO-09-271 (PDF)

Key Reports

National Cybersecurity Strategy

Critical Infrastructure Protection

Cyber Analysis and Warning

Critical Infrastructure Protection

Critical Infrastructure Protection

Critical Infrastructure Protection

GAO Contact
David Powner

Director, Information Technology

pownerd@gao.gov

(202) 512-9286