[ISN] GAO: Infrastructure plans lack cybersecurity strategy

From: InfoSec News (alerts@private)
Date: Fri Nov 02 2007 - 00:23:11 PST


http://www.fcw.com/online/news/150679-1.html

By Mary Mosquera
FCW.com
November 1, 2007

With 85 percent of the country’s critical infrastructure in private 
hands, the federal government must make sure that the 17 infrastructure 
sectors include cybersecurity in their plans to protect themselves 
against cyberattacks and disaster, an official of the Government 
Accountability Office has told two House panels. However, none of the 
sectors' plans included all 30 cybersecurity criteria, such as key 
vulnerabilities and measures to reduce them, the official also 
testified.

The critical infrastructure includes sectors such as water, 
transportation and energy, but even those chiefly physical 
infrastructure sectors rely on computerized control systems. Of the 17 
sectors, information technology and communications had the strongest 
cybersecurity plans, said David Powner, director of GAO's information 
technology management issues. The plans for the agriculture, food and 
commercial sectors were the least comprehensive, he said.

“Until the plans fully address key cyber elements, certain sectors may 
not be prepared to respond to a cyberattack against our nation’s 
critical infrastructure,” Powner said at a hearing held Oct. 31 by the 
House Homeland Security Committee’s Emerging Threats, Cybersecurity and 
Science and Technology Subcommittee and its Transportation Security and 
Infrastructure Protection Subcommittee.

The Homeland Security Department, which issued a national plan last year 
for the sectors to use as a road map for their individual plans, 
acknowledged the shortcomings that GAO found and explained that these 
sector plans, released in May, represent only early efforts, said Greg 
Garcia, DHS’ assistant secretary for cybersecurity and communications.

Federal agencies lead specific sectors and coordinate the critical 
infrastructure protection effort with the private sector. DHS is the 
sector-specific agency coordinating the communications and IT sectors.

Garcia expects the Cross-Sector Cyber Security Working Group, formed in 
May as a forum to exchange information on common cybersecurity issues, 
will encourage sectors to collaborate to identify systemic cyber risks 
and mitigation strategies and share best practices.

GAO recommended that DHS fully address the cybersecurity criteria by 
September 2008. The private sector needs to not only improve its plans 
but start implementing them, Powner said.

“What’s important is the next annual report -- that there is some 
assurance that the plans are complete and that we are moving to 
implementation,” he said.

Garcia said sectors are not meant to be uniformly comprehensive in their 
cybersecurity efforts, and they must balance cybersecurity risk against 
other risk management efforts and unique aspects of their 
infrastructure.

“Cyber risk varies by sector, based on its dependence on cyber 
elements,” Garcia said.

Sector annual reports had improved from initial efforts in 2006 to 2007. 
For example, more than half of the sectors identified at least one 
cybersecurity goal and/or priority in their 2007 reports in May. DHS is 
working with sectors to review cybersecurity priorities, assess effects 
of cyberattacks, develop protective programs and evaluate research and 
development initiatives to identify areas where additional capabilities 
are needed, Garcia said.

DHS plans to offer workshops next year with its sector partners to 
consider incentives to encourage voluntary risk assessments, develop 
cross-sector cyber metrics and identify existing cyber research and 
development projects.





