Critical Infrastructure Protection:

Key Private and Public Cyber Expectations Need to Be Consistently Addressed

GAO-10-628: Published: Jul 15, 2010. Publicly Released: Aug 16, 2010.

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pervasive and sustained computer-based attacks pose a potentially devastating impact to systems and operations and the critical infrastructures they support. Addressing these threats depends on effective partnerships between the government and private sector owners and operators of critical infrastructure. Federal policy, including the Department of Homeland Security's (DHS) National Infrastructure Protection Plan, calls for a partnership model that includes public and private councils to coordinate policy and information sharing and analysis centers to gather and disseminate information on threats to physical and cyber-related infrastructure. GAO was asked to determine (1) private sector stakeholders' expectations for cyber-related, public-private partnerships and to what extent these expectations are being met and (2) public sector stakeholders' expectations for cyber-related, public-private partnerships and to what extent these expectations are being met. To do this, GAO conducted surveys and interviews of public and private sector officials and analyzed relevant policies and other documents.

Private sector stakeholders reported that they expect their federal partners to provide usable, timely, and actionable cyber threat information and alerts; access to sensitive or classified information; a secure mechanism for sharing information; security clearances; and a single centralized government cybersecurity organization to coordinate government efforts. However, according to private sector stakeholders, federal partners are not consistently meeting these expectations. For example, less than one-third of private sector respondents reported that they were receiving actionable cyber threat information and alerts to a great or moderate extent. Federal partners are taking steps that may address the key expectations of the private sector, including developing new information-sharing arrangements. However, while the ongoing efforts may address the public sector's ability to meet the private sector's expectations, much work remains to fully implement improved information sharing. Public sector stakeholders reported that they expect the private sector to provide a commitment to execute plans and recommendations, timely and actionable cyber threat information and alerts, and appropriate staff and resources. Four of the five public sector councils that GAO held structured interviews with reported that their respective private sector partners are committed to executing plans and recommendations and providing timely and actionable information. However, public sector council officials stated that improvements could be made to the partnership, including improving private sector sharing of sensitive information. Some private sector stakeholders do not want to share their proprietary information with the federal government for fear of public disclosure and potential loss of market share, among other reasons. Without improvements in meeting private and public sector expectations, the partnerships will remain less than optimal, and there is a risk that owners of critical infrastructure will not have the information necessary to thwart cyber attacks that could have catastrophic effects on our nation's cyber-reliant critical infrastructure. GAO recommends that the national Cybersecurity Coordinator and DHS work with their federal and private sector partners to enhance information-sharing efforts. The national Cybersecurity Coordinator provided no comments on a draft of this report. DHS concurred with GAO's recommendations.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: The Special Assistant to the President and Cybersecurity Coordinator and the Secretary of Homeland Security, in collaboration with the sector lead agencies, coordinating councils, and the owners and operators of the associated five critical infrastructure sectors, should take two actions: (1) use the results of this report to focus their information-sharing efforts, including their relevant pilot projects, on the most desired services, including providing timely and actionable threat and alert information, access to sensitive or classified information, a secure mechanism for sharing information, and providing security clearance and (2) bolster the efforts to build out the National Cybersecurity and Communications Integration Center as the central focal point for leveraging and integrating the capabilities of the private sector, civilian government, law enforcement, the military, and the intelligence community.

    Agency Affected: Department of Homeland Security

    Status: Open

    Comments: DHS agreed with our recommendation and has taken numerous steps to focus its information sharing efforts on all of the desired services and bolstered the National Cybersecurity and Communications Integration Center (NCCIC). For example, DHS expanded a program that allows partners to share cyber threat, incident, and vulnerability information, in near-real time, to enhance collaboration to better understand the threat and improve network defense for the entire community. In addition, to improve access to sensitive or classified information and a secure mechanism for sharing that information, DHS implemented a capability to allow security-cleared owners and operators of CIKR, as well as state technology officials and law enforcement officials, to access secret-level cybersecurity information and video teleconference calls through state and major urban area fusion centers. Moreover, DHS has, on occasion, provided Chief Information Officer's (CIO) from selected critical infrastructure sector entities temporary clearances to share sensitive and classified threat information to better facilitate their strategic decision making. Also, DHS has processed hundreds of security clearances for their private sector partners to receive cyber threat information, including over 1300 clearances at the secret level, 13 at the top-secret level and 49 at the top-secret sensitive compartmentalized information (TS/SCI) level. The NCCIC serves as DHS' 24 hour cyber and communications watch and warning center. It facilitates situational awareness among all partner organizations and serves as a constantly available cyber incident response and management center. As of May 2012, there were 16 organizations integrated into NCCIC operations in a full-time or part-time capacity and represent defense, law enforcement, intelligence, and private sector entities. Despite progress, DHS needs to further expand participation in the NCCIC and improve the analytical and warning capabilities. We are continuing to work with DHS to gather evidence on their ongoing efforts to build out the NCCIC.

    Recommendation: The Special Assistant to the President and Cybersecurity Coordinator and the Secretary of Homeland Security, in collaboration with the sector lead agencies, coordinating councils, and the owners and operators of the associated five critical infrastructure sectors, should take two actions: (1) use the results of this report to focus their information-sharing efforts, including their relevant pilot projects, on the most desired services, including providing timely and actionable threat and alert information, access to sensitive or classified information, a secure mechanism for sharing information, and providing security clearance and (2) bolster the efforts to build out the National Cybersecurity and Communications Integration Center as the central focal point for leveraging and integrating the capabilities of the private sector, civilian government, law enforcement, the military, and the intelligence community.

    Agency Affected: Executive Office of the President: Office of the Chief of Staff: Office of the National Security Advisor: Office of the Chief of Staff: Cybersecurity

    Status: Open

    Comments: The Cybersecurity Coordinator provided no comments on the report. According to DHS officials, the cybersecurity coordinator relied on DHS, as the action agency in regard to cyber-related information sharing and public private partnerships, to implement this recommendation. DHS officials stated that the cybersecurity coordinator had taken no action and planned to take no action because of DHS's responsibility.

    Apr 7, 2014

    Mar 31, 2014

    Mar 28, 2014

    Mar 26, 2014

    Mar 12, 2014

    Mar 7, 2014

    Feb 27, 2014

    Feb 13, 2014

    Looking for more? Browse all our products here