Critical Infrastructure: Better Cybersecurity Metrics Needed

GAO Questions Agencies' Abilities to Judge Cyberthreat to Industry's Critical Infrastructure
With the heightened threat of cyber-attacks on America's critical infrastructure, a congressional watchdog says federal agencies need to adopt better metrics to determine the cyber risks specific industries they monitor face.
"Until SSAs (sector-specific agencies) develop performance metrics and collect data to report on the progress of their efforts to enhance the sectors' cybersecurity posture, they may be unable to adequately monitor the effectiveness of their cyber risk mitigation activities and document the resulting sector-wide cybersecurity progress," Gregory Wilshusen, director of information security issues at the Government Accountability Office, says in a new report.
In its study, requested by the House Homeland Security Committee, GAO focused on eight of the nine SSAs responsible for monitoring 15 of the 16 critical infrastructure sectors. GAO says the agencies generally took actions to mitigate cyber risks and vulnerabilities for their respective sectors. But it's in the area of performance metrics that most sector-specific agencies fell short. GAO says the departments of Defense, Energy, and Health and Human Services had established performance metrics for evaluating the effectiveness of their sectors' cyber risk mitigation activities, but the agencies overseeing the 12 other industries had not.
Why so? GAO says the agencies rely on their private sector partners to voluntarily share information needed to measure efforts.
Take, for instance, the financial services industry, a sector that includes thousands of banks, securities exchanges, insurance providers and other enterprises that operate globally. The Treasury Department faces "exacerbating" challenges in developing metrics for a sector of such size and diversity, says Amias Gerety, Treasury Department assistant secretary of financial institutions. "Due to the highly dynamic environment these factors create and the fact that Treasury does not have authority to require private companies to submit potentially sensitive measure data, measuring the sector's cybersecurity progress will be difficult," he says.
The Department of Homeland Security monitors cybersecurity activities in eight industries, including chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology and nuclear. It shares monitoring activities for transportation systems with the Transportation Department.
Lack of Authority
DHS is guiding various sectors in developing "appropriate metrics and targets to measure progress toward national [and sector-specific cybersecurity] goals and priorities," says Jim Crumpacker, the department's liaison with the GAO. Still, he says, "the department does not maintain the authority to impose metric requirements on the private sector. Even if the department maintained the appropriate authorities, developing a single set of performance metrics across the eight identified sectors would be infeasible given the unique landscape of each sector and the dynamic threat environment."
At the Environmental Protection Agency, deputy administrator Kenneth Kopocis says the agency is working with the water and wastewater sector to develop metrics, measurements he acknowledges should prove valuable. "Metrics could assist the agency with evaluating outreach and training efforts, including identifying strengths, weaknesses and barriers to progress with the sector that could be used to tailor sector programs," Kopocis says.
What's next? Despite the challenges of developing metrics, many agencies say they'll work with the industries they monitor to develop meaningful ways to measure the effectiveness of IT security initiatives. As Treasury's Gerety puts it, "As the cybersecurity environment evolves over time, Treasury will continue to work with our partners to improve the sector's ability to assess its progress and develop metrics to help in evaluating the impact of specific cybersecurity programs."