GPS Disruptions: Efforts to Assess Risks to Critical Infrastructure and Coordinate Agency Actions Should Be Enhanced

GAO-14-15 Published: Nov 06, 2013. Publicly Released: Nov 06, 2013.
Highlights

What GAO Found

To assess the risks and potential effects from disruptions in the Global Positioning System (GPS) on critical infrastructure, the Department of Homeland Security (DHS) published the GPS National Risk Estimate (NRE) in 2012. In doing so, DHS conducted a scenario-based risk assessment for four critical infrastructure sectors using subject matter experts from inside and outside of government. Risk assessments involve complex analysis, and conducting a risk assessment across multiple sectors with many unknowns and little data is challenging. DHS's risk management guidance can be used to help address such challenges. However, we found the NRE lacks key characteristics of risk assessments outlined in DHS's risk management guidance and, as a result, is incomplete and has limited usefulness to inform mitigation planning, priorities, and resource allocation. A plan to collect and assess additional data and subsequent efforts to ensure that the risk assessment is consistent with DHS guidance would contribute to more effective GPS risk management.

A 2004 presidential directive requires the Department of Transportation (DOT), in coordination with DHS, to develop backup capabilities to mitigate GPS disruptions, and the agencies have initiated a variety of efforts that contribute to fulfilling the directive. For example, DOT is researching GPS alternatives for aviation, and DHS began efforts on GPS interference detection and mitigation and is researching possibilities for a nationwide backup to GPS timing, which is used widely in critical infrastructure. However, due to resource constraints and other reasons, the agencies have made limited progress in meeting the directive, and many tasks remain incomplete, including identifying GPS backup requirements and determining suitability of backup capabilities. Furthermore, the agencies' efforts have been hampered by a lack of effective collaboration. In particular, DOT and DHS have not clearly defined their respective roles, responsibilities, and authorities or what outcomes would satisfy the presidential directive. Without clearly defining both roles and desired outcomes, DOT and DHS cannot ensure that they will satisfy mutual responsibilities. Implementing key elements of effective collaboration would allow the agencies to address many uncertainties regarding fulfillment of their presidential policy directive.

Selected critical infrastructure sectors employ various strategies to mitigate GPS disruptions. For example, some sectors can rely on timing capabilities from other sources of precise time in the event of GPS signal loss. However, both the NRE and stakeholders we interviewed raised concerns about the sufficiency of the sectors' mitigation strategies. Federal risk management guidance requires DHS to work with federal agencies and critical infrastructure sector partners to measure the nation's ability to reduce risks to critical infrastructure by using a process that includes metrics. We found that DHS has not measured the effectiveness of sector mitigation efforts to GPS disruptions and that, as a result, DHS cannot ensure that the sectors could sustain essential operations during GPS disruptions. The lack of agreed-upon metrics to measure the effectiveness of sector mitigation efforts hinders DHS's ability to objectively assess improvements, track progress, establish accountability, provide feedback mechanisms, or inform decision makers about the appropriateness of the mitigation activities.

Why GAO Did This Study

GPS provides positioning, navigation, and timing data to users worldwide and is used extensively in many of the nation's 16 critical infrastructure sectors, such as communications and transportation. GPS is also a key component in many of the modern conveniences that people rely on or interact with daily. However, sectors' increasing dependency on GPS leaves them potentially vulnerable to disruptions. GAO was asked to review the effects of GPS disruptions on the nation's critical infrastructure. GAO examined (1) the extent to which DHS has assessed the risks and potential effects of GPS disruptions on critical infrastructure, (2) the extent to which DOT and DHS have developed backup strategies to mitigate GPS disruptions, and (3) what strategies, if any, selected critical infrastructure sectors employ to mitigate GPS disruptions and any remaining challenges. GAO reviewed documents, compared them to relevant federal guidance, and interviewed representatives and experts from federal and state governments, industry, and academia. The focus of this review was on civilian GPS uses within four critical infrastructure sectors.


Recommendations

DHS should ensure that its GPS risk assessment approach is consistent with DHS guidance and develop a plan to measure the effectiveness of mitigation efforts, and DOT and DHS should improve collaboration. DHS concurred with the latter two recommendations but did not concur with the first. GAO continues to believe that improving the risk assessment approach will capitalize on progress DHS has made and will improve future efforts.

Recommendations for Executive Action

Agency Affected: Department of Homeland Security
Recommendation: To ensure that the increasing risks of GPS disruptions to the nation's critical infrastructure are effectively managed, the Secretary of Homeland Security should increase the reliability and usefulness of the GPS risk assessment by developing a plan and time frame to collect relevant threat, vulnerability, and consequence data for the various critical infrastructure sectors, and periodically review the readiness of data to conduct a more data-driven risk assessment while ensuring that DHS's assessment approach is more consistent with the National Infrastructure Protection Plan (NIPP).
Status: Closed – Implemented
The Global Positioning System (GPS) provides positioning, navigation, and timing data to users worldwide and is used extensively in many of the nation's critical infrastructure sectors, such as communications and transportation. GPS is also a key component in many of the modern conveniences that people rely on or interact with daily. However, the critical infrastructure sectors' increasing dependency on GPS leaves them potentially vulnerable to disruptions. In 2013, we reported that in assessing the risks and potential effects from disruptions in GPS on critical infrastructure, the Department of Homeland Security (DHS) published the GPS National Risk Estimate (NRE) in 2012. Although aspects of the NRE were consistent with DHS's risk management guidance, the NRE lacked key characteristics of risk assessments outlined in the guidance. As such, we reported that the NRE was limited in its usefulness to inform mitigation planning, priorities, and resource allocation. Furthermore, we noted that the lack of an overall DHS plan designed to address the risk assessment's shortcomings, such as lack of data, could hinder future public and private risk management of GPS. Therefore, we recommended that the Secretary of Homeland Security increase the reliability and usefulness of the GPS risk assessment by developing a plan and timeframe to collect relevant threat, vulnerability, and consequence data for the various critical infrastructure sectors, and periodically review the readiness of data to conduct a more data-driven risk assessment. In 2021, we confirmed that DHS developed a plan to collect relevant GPS threat, vulnerability, and consequence data for the various critical infrastructure sectors, culminating in a risk assessment report consistent with DHS risk management guidance.
Furthermore, to periodically review and conduct a data-driven assessment, DHS coordinated with the appropriate federal agencies for the critical infrastructure sectors to develop a consolidated Vulnerability Test Plan for the sector agencies. This plan will enable DHS to test GPS vulnerabilities across critical infrastructure systems, networks, and assets, in order to strengthen national resilience through the responsible use of GPS services by critical infrastructure owners and operators. As a result of these efforts, DHS is in a better position to more effectively manage the increasing risks of GPS disruptions to the nation's critical infrastructure, and obtain additional insights into its overall progress for mitigating the impacts of such disruptions and a basis for determining what, if any, next steps need to be taken.

Agency Affected: Department of Homeland Security
Recommendation: To ensure that the increasing risks of GPS disruptions to the nation's critical infrastructure are effectively managed, the Secretary of Homeland Security should, as part of current critical infrastructure protection planning with Sector-Specific Agencies (SSAs) and sector partners, develop and issue a plan and metrics to measure the effectiveness of GPS risk mitigation efforts on critical infrastructure resiliency.
Status: Closed – Not Implemented
Although DHS officials indicated that they conducted several activities towards fulfilling this recommendation, overall they said they were unable to obtain proprietary information from the owners and operators of the critical infrastructure sectors to measure the effect of GPS risk mitigation efforts on critical infrastructure systems, as we recommended. Therefore, we are closing the recommendation as not implemented.

Agency Affected: Department of Homeland Security
Recommendation: To improve collaboration and address uncertainties in fulfilling the National Security Presidential Directive 39 (NSPD-39) backup-capabilities requirement, the Secretaries of Transportation and Homeland Security should establish a formal, written agreement that details how the agencies plan to address their shared responsibility. This agreement should address uncertainties, including clarifying and defining DOT's and DHS's respective roles, responsibilities, and authorities; establishing clear, agreed-upon outcomes; establishing how the agencies will monitor and report on progress toward those outcomes; and setting forth the agencies' plans for examining relevant issues, such as the roles of SSAs and industry, how NSPD-39 fits into the NIPP risk management framework, whether an update to the NSPD-39 is needed, or other issues as deemed necessary by the agencies.
Status: Closed – Not Implemented
DHS and DOT did not establish the formal agreement called for in our recommendation. While DHS formed an inter-agency team in 2015 to develop a work plan to address GPS vulnerability, DHS and DOT did not execute a formal, written agreement to address their shared responsibility to develop and maintain backup position, navigation, and timing capabilities, as directed in NSPD-39. Therefore, we are closing the recommendation as not implemented.

Agency Affected: Department of Transportation
Recommendation: To improve collaboration and address uncertainties in fulfilling the National Security Presidential Directive 39 (NSPD-39) backup-capabilities requirement, the Secretaries of Transportation and Homeland Security should establish a formal, written agreement that details how the agencies plan to address their shared responsibility. This agreement should address uncertainties, including clarifying and defining DOT's and DHS's respective roles, responsibilities, and authorities; establishing clear, agreed-upon outcomes; establishing how the agencies will monitor and report on progress toward those outcomes; and setting forth the agencies' plans for examining relevant issues, such as the roles of SSAs and industry, how NSPD-39 fits into the NIPP risk management framework, whether an update to the NSPD-39 is needed, or other issues as deemed necessary by the agencies.
Status: Closed – Not Implemented
DHS and DOT did not establish the formal agreement called for in our recommendation. While DHS formed an inter-agency team in 2015 to develop a work plan to address GPS vulnerability, DHS and DOT did not execute a formal, written agreement to address their shared responsibility to develop and maintain backup position, navigation, and timing capabilities, as directed in NSPD-39. Therefore, we are closing the recommendation as not implemented.
