We’ve already seen what can happen when one of the nation’s critical services is disrupted by a cyberattack. In May 2021, a ransomware attack on Colonial Pipeline led to the temporary disruption of gasoline and petroleum product delivery across much of the southeast United States—leading to Americans waiting in long lines at gas stations up and down the East Coast.
The federal government is worried about these kinds of cyberattacks, and is working with private sector entities, and state and local governments that manage critical infrastructure to prevent them. A key part of this effort is sharing important information about potential threats.
Today’s WatchBlog post looks at our new report on how key information is shared and what more needs to be done to improve these efforts to better protect critical infrastructure.
Examples of Critical Infrastructure
What are the cybersecurity threats and why is information sharing so important?
Cyber threats against critical infrastructure—like dams, ports, and utilities—can come from many different types of groups with a range of motivations. Nation states (for example, Russia and China), as well as transnational criminal groups, activists, and sometimes individuals like disgruntled employees have all been known to carry out cyberattacks. They can be motivated by things like monetary gains, or they can be seeking economic, political, or military advantages.
The challenge to preventing these attacks is their ever-changing and increasingly sophisticated tactics and techniques. These include things like infiltrating networks, disabling security software, and stealing data. Federal agencies gather information on these methods to better understand how attacks can occur and how to prevent them. But information gathering alone can’t prevent attacks. Federal agencies need to share what they know in a timely manner with those at risk of attack. Using this information, the organizations managing our critical infrastructure can make more informed decisions regarding threat detection and prevention.
The challenges in sharing cyber threat information
There are 14 federal entities that play key roles in helping to protect critical infrastructure from cyberattacks. Some of them are known for their involvement in cybersecurity issues, like the Cybersecurity Infrastructure Security Agency (CISA) and the FBI. Others might be well-known, but their involvement with cybersecurity could be surprising to you. For example, the same TSA that keeps us safe at airports is also responsible for protecting our nation’s gasoline pipelines.
These agencies use a variety of methods to share information with each other and organizations that manage critical infrastructure, including holding briefings and developing educational products. For example, in February, CISA and others issued a threat information product regarding North Korean-sponsored ransomware attacks on our health care and public health infrastructure. The below graphic shows the types of info-sharing efforts used and how many agencies (out of 14) used them.
Entities representing critical infrastructure owners and operators told us there are great benefits in getting information about threats from federal agencies. But they also identified a number of challenges that limit this sharing. For example, those entities told us that they did not always receive timely and actionable cyber threat information from federal agencies.
What should the federal government do to better protect critical infrastructure?
Earlier this year, the White House issued its National Cybersecurity Strategy and implementation plan for addressing the nation’s long-standing cybersecurity challenges—including those relating to cyber threat information sharing. The implementation plan includes eight initiatives that could help agencies address challenges to sharing cyber threat information. But we found that the implementation plan did not identify performance measures for those eight initiatives to know whether the implementation plan is helping to tackle the challenges.
As the federal government works to implement the new National Cybersecurity Strategy, we also think it is important that agencies evaluate their current methods of sharing information and whether any methods should be consolidated or retired. This could help agencies target funding and resources better.
Learn more about our recommendations to improve federal information sharing about critical infrastructure cybersecurity by checking out our new report.
- Comments on GAO’s WatchBlog? Contact email@example.com.