Critical infrastructure regulators need to improve cyber metrics

According to a recent Government Accountability Office study, sector-specific agencies need to do a better job of measuring cyber risks to private-sector critical infrastructure.


Despite closer ties and better teamwork between critical infrastructure providers and the federal agencies that help protect their systems from cyberattack, the government lacks a consistent way to gauge threats and security progress, according to a study by the Government Accountability Office.

GAO's IT team examined how agencies mitigate cyber risks to critical infrastructure providers and found that 11 of the 15 sectors it monitored faced significant cyber risks, but only a few had processes in place to measure those risks and track efforts to mitigate them.

Critical infrastructure sectors include communications, energy, financial services, emergency services and commercial facilities such as shopping malls and stadiums.

According to the study, 12 of the 15 sectors had not identified incentives to promote cybersecurity as proposed in the National Infrastructure Protection Plan (NIPP). However, the auditors noted that the agencies responsible for those sectors are participating in a working group to determine appropriate incentives.

The report states that agencies for three sectors "had not yet made significant progress in advancing cyber-based research and development within their sectors because it had not been an area of focus for their sector."

GAO said the departments of Defense, Energy, and Health and Human Services had established performance metrics for their three sectors, but agencies covering the other 12 sectors have not developed ways to measure and report on the effectiveness of their cyber risk mitigation activities or their sectors' cybersecurity posture.

Those agencies must instead rely on information voluntarily provided by the private sector to measure cybersecurity efforts. Encouraging companies to share such information with the government has been a hot topic of debate, and legislative efforts have sought to protect companies from liability and shield proprietary information from competitors.

NIPP directs sector-specific agencies and their nongovernmental partners to identify high-level outcomes to facilitate progress toward national goals and priorities. Until agencies develop performance metrics and collect data on the progress of their cybersecurity improvement efforts, GAO said they might be unable to adequately monitor the effectiveness of their cyber risk mitigation activities.

In a podcast accompanying the study, GAO's Director of Information Security Issues Gregory Wilshusen said progress is being made, with coordinating councils and working groups set up to address the security of industrial control systems. However, he noted that additional work needs to be done and cited the lack of appropriate performance metrics for some sector-specific agencies.

Bottom line: The cyberthreat to critical infrastructure is significant, Wilshusen said.