Infrastructure Plans Lack Cybersecurity Measures

US sector-specific infrastructure protection plans fail to incorporate cybersecurity measures to secure the information technology of those sectors to such a degree that congressional investigators questioned Wednesday whether the Department of Homeland Security (DHS) should scrap the sector-specific approach altogether.
"Although DHS reported many efforts under way and planned to improve the cyber content of sector-specific plans, sector-specific agencies have yet to update their respective sector-specific plans to fully address key DHS cybersecurity criteria," the Government Accountability Office (GAO) said in its report, "Critical Infrastructure Protection: Current Cyber Sector-Specific Planning Approach Needs Reassessment."
Only nine of 17 sector-specific agencies updated their plans in response to a DHS request to do so by September 2008, the GAO added. Only three of those nine addressed missing cybersecurity content. And those three plans addressed only three or less of the 30 cybersecurity criteria identified by DHS when requesting the revisions.
DHS asked sector-specific agencies–dealing with critical infrastructure sectors ranging from banking to transportation to agriculture–to revise their plans again in 2010.
House Homeland Security Committee Chairman Bennie Thompson (D-Miss.), who requested the report, voiced his disappointment at its findings Wednesday.
"Comprehensive completion and continual updating of sector-specific plans is vital to the protection of the nation’s critical infrastructure," Thompson said in a statement. "With the recent reports on insecurities in our electric grid and other critical infrastructure we need to address this issue with the urgency that it requires.  The White House, the appropriate departments and agencies and Congress must engage in a dialogue about the future of this approach."
GAO raised the question as to whether the current arrangements for sector-specific plans were truly effective because of the inability of updates to the plans to address the security of critical cyber infrastructure.
"Until the plans are issued, it is not clear whether they will fully address cyber requirements. Accordingly, the continuing lack of plans that fully address key cyber criteria has reduced the effectiveness of the existing sector planning approach and thus increases the risk that the nation’s cyber assets have not been adequately identified, prioritized, and protected," the GAO report said.
DHS acknowledged that delays in updating the plans properly occurred in part because the department id not follow up and work with sector-specific agencies to ensure their plans were fully developed.
GAO accused DHS of not making the sector-specific plans a priority, signaling that DHS perhaps should reconsider the sector-specific approach. Furthermore, the establishment of a White House cyber coordinator could open up new methods of tackling cybersecurity challenges, the report suggested.
New options could include "prioritizing sectors to focus planning efforts on those with the most important cyber assets and streamlining existing sectors to optimize their capacity to identify priorities and develop plans," the report said.

(Visited 15 times, 1 visits today)

The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.

Leave a Reply