GAO: Infrastructure plans lack cybersecurity strategy



By Mary Mosquera
November 1, 2007

With 85 percent of the country's critical infrastructure in private 
hands, the federal government must make sure that the 17 infrastructure 
sectors include cybersecurity in their plans to protect themselves 
against cyberattacks and disaster, an official of the Government 
Accountability Office has told two House panels. However, none of the 
sectors' plans addressed all 30 cybersecurity criteria, such as 
identifying key vulnerabilities and measures to reduce them, the 
official also testified.

The critical infrastructure includes sectors such as water, 
transportation and energy, but even those chiefly physical 
infrastructure sectors rely on computerized control systems. Of the 17 
sectors, information technology and communications had the strongest 
cybersecurity plans, said David Powner, director of GAO's information 
technology management issues. The agriculture, food and commercial 
sectors were the least comprehensive, he said.

"Until the plans fully address key cyber elements, certain sectors may 
not be prepared to respond to a cyberattack against our nation's 
critical infrastructure," Powner said at a hearing held Oct. 31 by the 
House Homeland Security Committee's Emerging Threats, Cybersecurity and 
Science and Technology Subcommittee and its Transportation Security and 
Infrastructure Protection Subcommittee.

The Homeland Security Department, which issued a national plan last year 
for the sectors to use as a road map for their individual plans, 
acknowledged the shortcomings that GAO found and explained that these 
sector plans, released in May, represent only early efforts, said Greg 
Garcia, DHS' assistant secretary for cybersecurity and communications.

Federal agencies lead specific sectors and coordinate the critical 
infrastructure protection effort with the private sector. DHS is the 
sector-specific agency coordinating the communications and IT sectors.

Garcia expects the Cross-Sector Cyber Security Working Group, formed in 
May as a forum to exchange information on common cybersecurity issues, 
will encourage sectors to collaborate to identify systemic cyber risks 
and mitigation strategies and share best practices.

GAO recommended that DHS fully address the cybersecurity criteria by 
September 2008. The private sector needs to not only improve its plans 
but start implementing them, Powner said.

"What's important is the next annual report -- that there is some 
assurance that the plans are complete and that we are moving to 
implementation," he said.

Garcia said sectors are not meant to be uniformly comprehensive in their 
cybersecurity efforts, and they must balance cybersecurity risk against 
other risk management efforts and unique aspects of their 

"Cyber risk varies by sector, based on its dependence on cyber 
elements," Garcia said.

Sector annual reports had improved from initial efforts in 2006 to 2007. 
For example, more than half of the sectors identified at least one 
cybersecurity goal and/or priority in their 2007 reports in May. DHS is 
working with sectors to review cybersecurity priorities, assess effects 
of cyberattacks, develop protective programs and evaluate research and 
development initiatives to identify areas where additional capabilities 
are needed, Garcia said.

DHS plans to offer workshops next year with its sector partners to 
consider incentives to encourage voluntary risk assessments, develop 
cross-sector cyber metrics and identify existing cyber research and 
development projects.

