GAO: Critical infrastructure needs more cybersecurity protections

DHS has still not finished work first called for in Bush's 2002 cyberspace security strategy, watchdog agency says.

The Homeland Security Department is failing to adequately protect the nation’s critical infrastructure and the information technology that supports it, the Government Accountability Office told the Senate today.

DHS has made strides in improving cybersecurity but has not yet addressed long-standing cybersecurity deficiencies, said David Powner, GAO’s director for IT management issues. He addressed the Senate Homeland Security and Government Affairs Subcommittee on Federal Financial Management, Government Information and International Security.

“Until it effectively confronts and resolves these underlying challenges, DHS will have difficulty achieving significant results in strengthening the cybersecurity of our nation’s critical infrastructures, and our nation will lack the strong cybersecurity focal point envisioned in federal law and policy,” Powner said.

Critical infrastructure includes systems necessary for the nation to function smoothly, including transportation, health care, the power supply and communications.

DHS should act on GAO suggestions, some dating back to 2001, to enhance cybersecurity for critical infrastructure, Powner said in his written testimony submitted to the Senate subcommittee. These include:

* Develop a generally accepted methodology to strategically analyze cyberthreats and warn against them.

* Create a more detailed strategy to better protect the IT-dependent control systems for critical infrastructure with the private sector.

* Establish metrics, policies and procedures to improve information sharing with the private sector.

* Finish threat and vulnerability assessments for each sector of infrastructure.

DHS still has not accomplished several key duties laid out for it in President Bush’s 2002 National Strategy to Secure Cyberspace, Powner wrote. It still has not developed a national cyberthreat assessment, nor has it assessed each sector’s vulnerabilities or identified cross-sector interdependencies as the strategy calls for, he wrote.

The high turnover of personnel in key cybersecurity positions weakens the National Cybersecurity Division’s power to plan and fulfill activities, Powner wrote. In the past year, the NCSD director, the undersecretary for the Information Analysis and Infrastructure Protection directorate and three other senior staff members have left the department, he wrote.

Powner advocated increasing the power of the NCSD's director to improve the agency's ability to form partnerships and share information.

He also noted that DHS’ hiring and contracting practices have led some candidates not to apply for NCSD vacancies, because they have to wait unreasonably long to be considered. Slow payments to contractors have caused NCSD to lose some contracted services, he added. In addition, DHS has done a poor job of making critical infrastructure stakeholders aware of the department’s cybersecurity activities and the value of the information it provides, he testified.

DHS has failed at cultivating private sector relationships, he said. Agency personnel have been too reluctant to share important information, Powner said in his written testimony.

“An official from the water sector noted that when representatives called DHS to inquire about a potential terrorist threat, they were told that DHS could not share any information and that they should ‘watch the news,’” he wrote.

Infrastructure stakeholders in turn don’t openly share their cybersecurity information with DHS, he wrote. Infrastructure representatives are unclear on how DHS will use information, share it and protect it, he wrote.
