Critical Infrastructure Protection
Key Private and Public Cyber Expectations Need to Be Consistently Addressed
GAO-10-628, Aug 16, 2010
Pervasive and sustained computer-based attacks could have a potentially devastating impact on systems and operations and the critical infrastructures they support. Addressing these threats depends on effective partnerships between the government and private sector owners and operators of critical infrastructure. Federal policy, including the Department of Homeland Security's (DHS) National Infrastructure Protection Plan, calls for a partnership model that includes public and private councils to coordinate policy, and information sharing and analysis centers to gather and disseminate information on threats to physical and cyber-related infrastructure. GAO was asked to determine (1) private sector stakeholders' expectations for cyber-related, public-private partnerships and to what extent these expectations are being met and (2) public sector stakeholders' expectations for cyber-related, public-private partnerships and to what extent these expectations are being met. To do this, GAO conducted surveys and interviews of public and private sector officials and analyzed relevant policies and other documents.
Private sector stakeholders reported that they expect their federal partners to provide usable, timely, and actionable cyber threat information and alerts; access to sensitive or classified information; a secure mechanism for sharing information; security clearances; and a single centralized government cybersecurity organization to coordinate government efforts. However, according to private sector stakeholders, federal partners are not consistently meeting these expectations. For example, less than one-third of private sector respondents reported that they were receiving actionable cyber threat information and alerts to a great or moderate extent. Federal partners are taking steps that may address the key expectations of the private sector, including developing new information-sharing arrangements. However, while the ongoing efforts may address the public sector's ability to meet the private sector's expectations, much work remains to fully implement improved information sharing.
Public sector stakeholders reported that they expect the private sector to provide a commitment to execute plans and recommendations, timely and actionable cyber threat information and alerts, and appropriate staff and resources. Four of the five public sector councils that GAO held structured interviews with reported that their respective private sector partners are committed to executing plans and recommendations and providing timely and actionable information. However, public sector council officials stated that improvements could be made to the partnership, including improving private sector sharing of sensitive information. Some private sector stakeholders do not want to share their proprietary information with the federal government for fear of public disclosure and potential loss of market share, among other reasons.
Without improvements in meeting private and public sector expectations, the partnerships will remain less than optimal, and there is a risk that owners of critical infrastructure will not have the information necessary to thwart cyber attacks that could have catastrophic effects on our nation's cyber-reliant critical infrastructure. GAO recommends that the national Cybersecurity Coordinator and DHS work with their federal and private sector partners to enhance information-sharing efforts. The national Cybersecurity Coordinator provided no comments on a draft of this report. DHS concurred with GAO's recommendations.
Status Legend:
Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
- In Process
- Open
- Closed - implemented
- Closed - not implemented
Recommendations for Executive Action
Recommendation: The Special Assistant to the President and Cybersecurity Coordinator and the Secretary of Homeland Security, in collaboration with the sector lead agencies, coordinating councils, and the owners and operators of the associated five critical infrastructure sectors, should take two actions: (1) use the results of this report to focus their information-sharing efforts, including their relevant pilot projects, on the most desired services, including providing timely and actionable threat and alert information, access to sensitive or classified information, a secure mechanism for sharing information, and providing security clearance and (2) bolster the efforts to build out the National Cybersecurity and Communications Integration Center as the central focal point for leveraging and integrating the capabilities of the private sector, civilian government, law enforcement, the military, and the intelligence community.
Agency Affected: Department of Homeland Security
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Special Assistant to the President and Cybersecurity Coordinator and the Secretary of Homeland Security, in collaboration with the sector lead agencies, coordinating councils, and the owners and operators of the associated five critical infrastructure sectors, should take two actions: (1) use the results of this report to focus their information-sharing efforts, including their relevant pilot projects, on the most desired services, including providing timely and actionable threat and alert information, access to sensitive or classified information, a secure mechanism for sharing information, and providing security clearance and (2) bolster the efforts to build out the National Cybersecurity and Communications Integration Center as the central focal point for leveraging and integrating the capabilities of the private sector, civilian government, law enforcement, the military, and the intelligence community.
Agency Affected: Department of Homeland Security
Status: Open
Comments: DHS representatives stated that they are providing security clearances and improving access to sensitive or classified information:
1) Providing security clearances: DHS has processed hundreds of security clearances. To date, they have completed 1272 at the secret level, 13 at the top-secret level, and 49 at the top-secret sensitive compartmentalized information (TS/SCI) level. In early August, they were waiting on 3 TS/SCIs to be completed. Sectors involved in this process include chemical; communications; banking and finance; agriculture and food; nuclear reactors, material and waste; transportation; defense industrial base; energy; information technology; and postal and shipping.
2) Access to sensitive or classified information: DHS is providing Chief Information Officers (CIOs) from selected critical infrastructure sectors temporary clearances in order to facilitate better strategic decision making by sharing sensitive and classified threat information. DHS hosted CIOs from the chemical sector in March 2011, and CIOs from the nuclear sector during July 2011. DHS is planning to meet with CIOs from the financial sector and the oil and natural gas sector later during 2011. DHS's goal is to share information with at least 20-25 CIOs in each sector.
3) Agreement with Financial Services: DHS has established a pilot program with the Banking and Finance sector through a classified Memorandum of Agreement to share threat information between DHS and financial services analysts. Since program implementation, analysts have determined that quarterly meetings are more valuable and that it is not necessary to meet every day to share cyber threat information. During an emergency or urgent situation, critical information will be shared as needed, independent of regularly scheduled quarterly meetings.
4) Improving information sharing: During August, DHS will look at various pilot projects to improve cooperative research and the development of information sharing.
This work is being accomplished through a unified coordination group and cooperative agreements. DHS has meetings scheduled with three different anti-virus vendors, two information sharing and analysis centers, three internet service providers and four managed security providers. DHS is managing relationships with a total of 21 entities that are non-government critical infrastructures. The Critical Infrastructure Sharing Collaboration Program is involved with the relationship of data flow. The Cross Sector Information Sharing Framework is involved with bringing on additional information sharing and analysis centers.
In response to recommendation 2: DHS is continuing its efforts to build out the National Cybersecurity and Communications Integration Center (NCCIC) as the central focal point for leveraging and integrating the capabilities of the private sector, civilian government, law enforcement, the military, and the intelligence community. Numerous DHS components are collocated in NCCIC, which continues to serve as an always-on cyber incident response and management center. These components include US-CERT, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), and the National Coordinating Center for Telecommunications.








