The Cybersecurity and Infrastructure Security Agency lacks the ability to assess whether cybersecurity programs for the communications sector are effective and should update its plans to account for threats to the supply chain and GPS network, according to government auditors.
The communications sector spans broadcast media networks, satellite systems, cable and wireline, and underpins much of the infrastructure that telecommunications and internet services rely on. The agency has already scoped out a range of potential threat vectors, from malicious actors and hacking groups to insider threats and human error. It also stood up a task force focused on supply chain risk management in the information and communications technology sectors in 2018, and has rolled out a number of programs to protect 5G telecommunications infrastructure and push back against disinformation online.
But an audit this month from the Government Accountability Office found that while the agency has built up a variety of programs and resources to support the sector’s cybersecurity needs, it has little insight into whether they’re actually having an impact.
“Specifically, CISA has not assessed the effectiveness of its programs and activities used by sector owners and operators, including developing metrics and analyzing feedback received from owners and operators,” the GAO found.
Auditors also pressed the agency to incorporate feedback from communications-sector stakeholders more systematically, so that it can pin down their needs and identify where its resources and support services would have the greatest impact.
“For example, CISA has not determined which types of infrastructure owners and operators (e.g., large or small telecommunications service providers) may benefit most from CISA’s cybersecurity programs and services or may be underrepresented participants in its information-sharing activities and services,” auditors noted.
In interviews with auditors, CISA officials cited a number of challenges to developing such metrics, including difficulties getting owners and operators in the communications sector to voluntarily report information to the government. The work to develop new metrics is being undertaken by the agency’s Stakeholder Engagement Division as part of a larger refresh of the National Infrastructure Protection Plan for all 16 sectors.
In a reply attached to the report, DHS liaison Jim Crumpacker said CISA will "incorporate Communications Sector performance metrics and data collection and reporting processes and timelines, including approaches for collecting sector stakeholder feedback, in an updated Communications Sector-Specific Plan" by Sept. 30, 2022. The plan was last updated in 2013.
Auditors are also concerned that CISA hasn’t completed a capability assessment for its role as the federal government’s emergency coordinator for the communications sector, a gap officials attributed to the agency’s recent reorganization. Crumpacker said the agency expects to complete the assessment by June 2022.
The three-year-old agency (like its predecessor, the National Protection and Programs Directorate) has built much of its core cybersecurity mission around protecting critical infrastructure and preventing the debilitating, widespread and cross-sectoral impacts that cyberattacks can cause.
But the surface area is massive, composed of thousands of companies across 16 major industrial sectors, and policymakers in the federal government and Congress have steadily worked to winnow that list down to the companies and organizations most in need of support.
To guide broader cybersecurity operations across critical infrastructure, CISA created a National Risk Management Center and a set of 55 national critical functions, each of which could have cascading effects on American society if disrupted by a cyberattack.
Additionally, Rep. John Katko, the ranking Republican on the House Homeland Security Committee, has sponsored legislation that would empower the agency to identify “systemically important” critical infrastructure entities and prioritize them for technical assistance and voluntary continuous monitoring programs. It would also speed up their security clearance processing and give them “prioritized representation” on the Joint Cyber Defense Collaborative.