Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts
GAO-13-275: Published: Apr 3, 2013. Publicly Released: Apr 10, 2013.
What GAO Found
While the primary responsibility for protecting the nation's communications networks belongs to private-sector owners and operators, federal agencies also play a role in support of their security, as well as that of critical components supporting the Internet. Specifically, private-sector entities are responsible for the operational security of the networks they own, but the Federal Communications Commission (FCC) and the Departments of Homeland Security (DHS), Defense, and Commerce have regulatory and support roles, as established in federal law and policy, and have taken a variety of related actions. For example, FCC has developed and maintained a system for reporting network outage information; DHS has multiple components focused on assessing risk and sharing threat information; Defense and DHS serve as co-chairs for a committee on national security and emergency preparedness for telecommunications functions; and Commerce has studied cyber risks facing the communications infrastructure and participates in standards development. However, DHS and its partners have not yet initiated the process for developing outcome-based performance measures related to the cyber protection of key parts of the communications infrastructure. Outcome-based metrics related to communications networks and critical components supporting the Internet would provide federal decision makers with additional insight into the effectiveness of sector protection efforts.
No cyber-related incidents affecting core and access networks have been recently reported to FCC and DHS through established mechanisms. Specifically, both FCC and DHS have established reporting mechanisms to share information on outages and incidents, but of the outages reported to FCC between January 2010 and October 2012, none were related to common cyber threats. Officials within FCC and the private sector stated that communication networks are less likely to be targeted themselves because they provide the access and the means by which attacks on consumer, business, and government systems can be facilitated.
Attributes of two pilot programs established by Defense to enhance the cybersecurity of firms in the defense industrial base (the industry associated with the production of defense capabilities) could be applied to the communications sector. The department's pilot programs involve partnering with firms to share information about cyber threats and responding accordingly. Considering these attributes can inform DHS as it develops procedures for expanding these pilot programs to all critical infrastructure sectors, including the communications sector.
Why GAO Did This Study
Ensuring the effectiveness and reliability of communications networks is essential to national security, the economy, and public health and safety. The communications networks (including core and access networks) can be threatened by both natural and human-caused events, including increasingly sophisticated and prevalent cyber-based threats. GAO has identified the protection of systems supporting the nation's critical infrastructure--which includes the communications sector--as a government-wide high-risk area.
GAO was asked to (1) identify the roles of and actions taken by key federal entities to help protect communications networks from cyber-based threats, (2) assess what is known about the extent to which cyber incidents affecting the communications networks have been reported to the FCC and DHS, and (3) determine if Defense's pilot programs to promote cybersecurity in the defense industrial base can be used in the communications sector. To do this, GAO focused on core and access networks that support communication services, as well as critical components supporting the Internet. GAO analyzed federal agency policies, plans, and other documents; interviewed officials; and reviewed relevant reports.
What GAO Recommends
GAO recommends that DHS collaborate with its partners to develop outcome-oriented measures for the communications sector. DHS concurred with GAO's recommendation.
For more information, contact Gregory C. Wilshusen at (202) 512-6244 or email@example.com.
Recommendation for Executive Action
Status: Closed - Implemented
Comments: In August 2014, DHS issued guidance to all sector-specific agencies to update their sector-specific plans (SSP) in response to the 2013 National Infrastructure Protection Plan. The guidance directed the agencies to include information on how sectors are going to measure the effectiveness of their security and resilience efforts. In January 2017, DHS provided us with a copy of the updated 2015 SSP for the Communications sector. The updated plan stated that the Communications Sector Coordination Council (CSCC) had independently developed a 2015 Communications Sector Annual Report outlining activities undertaken the previous year to ensure the nation's communication networks and systems are secure, resilient, and rapidly restored after a natural or man-made disaster. The 2015 Annual Report highlighted quantitative metrics for the sector surrounding the availability, reliability, resiliency, and integrity of the nation's communications networks. Additionally, the annual report stated that DHS had sponsored research commissioned by the FCC that focused on these same issues. According to the plan, the CSCC is engaged with DHS on these issues and continues to evaluate reasonable means to develop qualitative metrics. The CSCC is to provide an update on these developments in the 2016 Sector Annual Report, which DHS officials stated is in the final stages of review, with an anticipated release in August 2017. Based on the information provided, DHS demonstrated that it has taken actions to collaborate with its communications sector partners to determine methods of measuring cyber protection activities.
Recommendation: To help assess efforts to secure communications networks and inform future investment and resource decisions, the Secretary of Homeland Security should direct the appropriate officials within DHS to collaborate with its public and private sector partners to develop, implement, and track sector outcome-oriented performance measures for cyber protection activities related to the nation's communications networks.
Agency Affected: Department of Homeland Security