Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts
GAO-13-275: Published: Apr 3, 2013. Publicly Released: Apr 10, 2013.
What GAO Found
While the primary responsibility for protecting the nation's communications networks belongs to private-sector owners and operators, federal agencies also play a role in support of their security, as well as that of critical components supporting the Internet. Specifically, private-sector entities are responsible for the operational security of the networks they own, but the Federal Communications Commission (FCC) and the Departments of Homeland Security (DHS), Defense, and Commerce have regulatory and support roles, as established in federal law and policy, and have taken a variety of related actions. For example, FCC has developed and maintained a system for reporting network outage information; DHS has multiple components focused on assessing risk and sharing threat information; Defense and DHS serve as co-chairs for a committee on national security and emergency preparedness for telecommunications functions; and Commerce has studied cyber risks facing the communications infrastructure and participates in standards development. However, DHS and its partners have not yet initiated the process for developing outcome-based performance measures related to the cyber protection of key parts of the communications infrastructure. Outcome-based metrics related to communications networks and critical components supporting the Internet would provide federal decision makers with additional insight into the effectiveness of sector protection efforts.
No cyber-related incidents affecting core and access networks have been recently reported to FCC and DHS through established mechanisms. Specifically, both FCC and DHS have established reporting mechanisms to share information on outages and incidents, but of the outages reported to FCC between January 2010 and October 2012, none were related to common cyber threats. Officials within FCC and the private sector stated that communication networks are less likely to be targeted themselves because they provide the access and the means by which attacks on consumer, business, and government systems can be facilitated.
Attributes of two pilot programs established by Defense to enhance the cybersecurity of firms in the defense industrial base (the industry associated with the production of defense capabilities) could be applied to the communications sector. The department's pilot programs involve partnering with firms to share information about cyber threats and responding accordingly. Considering these attributes can inform DHS as it develops procedures for expanding these pilot programs to all critical infrastructure sectors, including the communications sector.
Why GAO Did This Study
Ensuring the effectiveness and reliability of communications networks is essential to national security, the economy, and public health and safety. The communications networks (including core and access networks) can be threatened by both natural and human-caused events, including increasingly sophisticated and prevalent cyber-based threats. GAO has identified the protection of systems supporting the nation's critical infrastructure--which includes the communications sector--as a government-wide high-risk area.
GAO was asked to (1) identify the roles of and actions taken by key federal entities to help protect communications networks from cyber-based threats, (2) assess what is known about the extent to which cyber incidents affecting the communications networks have been reported to the FCC and DHS, and (3) determine if Defense's pilot programs to promote cybersecurity in the defense industrial base can be used in the communications sector. To do this, GAO focused on core and access networks that support communication services, as well as critical components supporting the Internet. GAO analyzed federal agency policies, plans, and other documents; interviewed officials; and reviewed relevant reports.
What GAO Recommends
GAO recommends that DHS collaborate with its partners to develop outcome-oriented measures for the communications sector. DHS concurred with GAO's recommendation.
For more information, contact Gregory C. Wilshusen at (202) 512-6244 or firstname.lastname@example.org.
Recommendation for Executive Action
Comments: DHS has begun taking initial steps to collaborate with public and private sector partners to develop, implement, and track sector outcome-oriented performance measures. For example, DHS initiated discussions regarding outcome-oriented measures across all critical infrastructure sectors as part of an effort to re-issue sector specific plans reflecting the 2013 National Infrastructure Protection Plan. However, documentation provided by DHS indicates the results of these efforts will not be realized for several months (estimated time frames for these efforts range from late 2014 to early 2015). In addition, DHS oficials stated that it also intends to leverage existing efforts by the Federal Communications Commission's Communications Security and Interoperability Reliability Council, which may address the development of the measures.
Recommendation: To help assess efforts to secure communications networks and inform future investment and resource decisions, the Secretary of Homeland Security should direct the appropriate officials within DHS to collaborate with its public and private sector partners to develop, implement, and track sector outcome-oriented performance measures for cyber protection activities related to the nation's communications networks.
Agency Affected: Department of Homeland Security