The Government Accountability Office (GAO) released its third report in a series of four that lay out the main cybersecurity areas the Federal government needs to urgently address.
The primary thrust of the Feb. 7 report calls on Federal agencies to collaborate with state and local governments (SLG), as well as industry, to better protect critical infrastructure from cyberattacks.
While they bring up familiar big-picture themes, the three reports in the series have one overarching theme: GAO wants to see the national cyber strategy ASAP.
The national cyber strategy will come from the White House Office of the National Cyber Director (NCD), and while it is not known what the strategy will contain – or when it will be released – it’s safe to assume GAO hit the nail on the head with recommendations that it include guidance on how agencies can perform better oversight, protect their systems, and defend critical infrastructure.
While we patiently await the forthcoming strategy from soon-to-be-retired NCD Chris Inglis, GAO is prodding agencies to do a more thorough job of protecting the security of the nation’s critical infrastructure – like the electric grid and the communications sector.
“We have made 106 recommendations in public reports since 2010 with respect to protecting cyber critical infrastructure,” the report says, noting that 57 percent of those recommendations remained outstanding. “Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them.”
GAO’s first quibble comes from the Energy Department (DOE) failing to collaborate closely with states and industry when developing plans to combat threats against the power grid – which are primarily regulated by SLGs.
“DOE’s plans will likely be of limited use in prioritizing federal support to states and industry,” the report says. GAO recommended that, going forward, DOE work with the Department of Homeland Security, SLGs, and industry to implement the national cybersecurity strategy for the power grid.
The report also calls out the Cybersecurity and Infrastructure Security Agency (CISA), detailing that CISA has not assessed the effectiveness of its programs and services supporting the security and resilience of the communications sector.
GAO recommends that CISA collaborate with industry stakeholders in the communications sector to better provide programs and services that support this critical infrastructure.
“The security of these systems and data is also vital to safeguarding individual privacy and protecting the nation’s security, prosperity, and well-being,” the report said. “Agencies and critical infrastructure owners and operators must protect the confidentiality, integrity, and availability of their systems and effectively respond to cyberattacks.”