From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Protecting the Nation's Infrastructure from Cyber Attacks

Description: What's being done to help get a grip on the threat hackers pose to the nation's banking institutions, dams, and other critical areas of infrastructure? We explore the issue.

Related GAO Work: GAO-18-211: Critical Infrastructure Protection: Additional Actions Are Essential to Assessing Cybersecurity Framework Adoption

Released: February 2018

[ Background Music ]

[ Nick Marinos: ] I think it's really important to point out just how important critical infrastructure is.

[ Sarah Kaczmarek: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. I'm Sarah Kaczmarek. From everyday banking services to satellite communications to water dams, all of these are just a few things that are a part of daily life in the U.S. that makes up its critical infrastructure. The operation of these systems is largely computerized and a potential cyber security attack that could disrupt normal operations is always a threat. Recently, I sat down with Nick Marinos, a director on our Information Technology team, to talk about GAO's new report on the nation's infrastructure.

[ Nick Marinos: ] For years, the federal government has been helping to provide good guidance towards how to establish cyber security protections, whether it's a federal agency or private sector. And in this world, we've seen the federal government put together a voluntary standard known as the NIST Cyber Security Framework, and this framework is a set of standards that companies can point to in trying to come up with a better approach to cyber security.

[ Sarah Kaczmarek: ] And how useful has this framework been?

[ Nick Marinos: ] We went out to the federal government agencies that have responsibilities in this area as well as private sector organizations and asked them what they see in terms of how to adopt this framework. We found there to be four key challenges. The first is that we heard that there are challenges in ensuring that there are enough funds and resources to actually implement the cyber security protections that are being recommended. We also saw that there are challenges in having the right people with the right knowledge and skills to be able to implement those cyber security protections. We've also seen challenges in scenarios where sectors may have their own specific regulatory requirements that may compete or conflict with the cyber security framework. For example, the financial services sector, which is a very heavily regulated industry, may have other government regulations that they have to address that could complicate trying to adopt this voluntary standard. And finally, we also saw that there are other key priorities. There are many risks that these organizations face and so cyber security is one of many risks that they have to manage.

[ Sarah Kaczmarek: ] So now you said that this framework is voluntary. Do we have a sense or have they been able to measure how much of the framework is being used?

[ Nick Marinos: ] So most sectors have taken a lot of steps to facilitate and promote the use of the framework, but by and large we've seen little success by those efforts to determine whether or not organizations are actually using the framework to establish better cyber security protections. Specifically, we went to the federal agencies and to the private sector organizations and found that none of them had put together ways to actually measure whether the framework is actually yielding better results when it comes to cyber security.

[ Sarah Kaczmarek: ] And have there been any cases in the U.S. or elsewhere where hackers have done significant damage based on one of these cyberattacks?

[ Nick Marinos: ] Yes, I think we could look at a global example for probably the best case and most well-known scenario, which is the Ukrainian power sector, which faced a very significant attack on its electric grid back in 2015-2016. So it had a really big impact based on attacks that every company may face, including last year when we saw the WannaCry attack take down hundreds of thousands of computers around the world, which included schools, hospitals, businesses, and other entities.

[ Background Music ]

[ Sarah Kaczmarek: ] From what Nick said, it sounds like a tall order for the public and private sectors to prevent cyberattacks. I asked Nick to walk me through his team's recommendations.

[ Nick Marinos: ] So our nine recommendations focused in, again, on those federal agencies that have responsibilities for coordinating with the private sector to ensure better security. We basically asked them to go out and work with their private sector partners to come up with a way to really measure whether or not all the effort that's being put into establishing and keeping up to date this framework are actually yielding good results when it comes to cyber security.

[ Sarah Kaczmarek: ] So taking a step back, what do you see is the bottom line here?

[ Nick Marinos: ] I think it's really important to point out just how important critical infrastructure is. You know, this is the stuff that we rely on every single day for our normal lives to continue being normal. It's really important for the federal government and the private sector to work together to ensure good cyber security in the critical infrastructure space.

[ Background Music ]

[ Sarah Kaczmarek: ] Thanks for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts.

[ Background Music ]

[ Sarah Kaczmarek: ] For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at GAO.gov.