Network defense of the nation's critical infrastructure is sorely lacking, according to an 82-page report released last week by the Government Accountability Office (GAO), the watchdog government agency that provides financial and performance audits of federal agencies for the U.S. Congress.
The core issue, the report found, is that processes to measure the effectiveness of cybersecurity efforts are lacking, leaving systems open to hackers.
The study examined 15 federal agencies that oversee critical infrastructure – including financial institutions, commercial buildings and energy production and transmission facilities – and determined that cyber risk was significant for most of these sectors.
While the report found that a number of agencies examined have taken steps to mitigate cyber risks and vulnerabilities, as called for by the National Infrastructure Protection Plan – a document from the U.S. Department of Homeland Security that outlines how government and private sector partners in the critical infrastructure community collaborate to manage risks for more effective security – 12 of the 15 sectors had not identified incentives to promote cybersecurity in their areas.
The report also found that while the Departments of Defense, Energy, and Health and Human Services put in place performance metrics for their agencies, the others failed to measure cyber readiness effectively. This was primarily because they rely on private sector partners to voluntarily share the information needed to measure those efforts, the report found.
"Until SSAs [sector-specific agencies] develop performance metrics and collect data to report on the progress of their efforts to enhance the sectors' cybersecurity posture, they may be unable to adequately monitor the effectiveness of their cyber risk mitigation activities and document the resulting sector-wide cybersecurity progress," the GAO report determined.
In its conclusion, the GAO recommended that SSAs collaborate with sector partners to develop performance metrics and determine how to overcome challenges to reporting the results of their cyber risk mitigation activities. It also recommended that officials be appointed within the agencies to develop performance metrics to better provide data that could help in monitoring activities.