Government, Public, Private Sectors Must Strengthen Partnerships to Improve Cybersecurity, GAO Says
The federal government and the public and private sectors must demonstrate more consistency in meeting expectations to protect critical infrastructure from cyberattacks, said a GAO report released Monday. Federal policy requires a partnership model that includes public and private councils to coordinate policy and information sharing and analysis centers “to gather and disseminate information on threats to physical and cyber-related infrastructure,” it said.
Private interests expect their federal partners to provide alerts and information that are timely and can be acted on, access to sensitive information and a single centralized cybersecurity organization to coordinate government efforts, the report said. “However, according to private sector stakeholders, federal partners are not consistently meeting these expectations, despite improvement efforts, such as developing new information-sharing arrangements and expanding the number of private sector individuals with security clearances.” For the report, the agency collected input from 56 private sector respondents.
Private sector officials and cyberexperts said a single government source for cyber-related information is necessary to provide an authoritative source, communicate a consistent message and “coordinate a national response,” the report said. Federal bodies aren’t completely meeting these expectations in part “because of restrictions on the type of information that can be shared with the private sector.” Under the Department of Homeland Security, the ability of the U.S. Computer Emergency Readiness Team (US-CERT) to provide information is “impacted by restrictions that do not allow individualized treatment of one private sector entity over another private sector entity, making it difficult to formally share specific information with entities that are being directly impacted by a cyber threat.” And federal officials lack an adequate understanding of specific private sector information requirements, the report said.
GAO also interviewed five public sector council officials for the study. While four officials said their private partners are “committed to executing plans and recommendations and providing timely and actionable information,” they said “improvements could be made to the partnership, including improving private sector sharing of sensitive information.”
DHS responded to GAO’s previous recommendations by improving US-CERT’s cyberanalysis and warning capabilities, GAO said. The Energy Department is working to increase the number of private officials with security clearances. But if the government does not improve its ability to meet the private sector’s expectations, “the partnerships will remain less than optimal, and the private sector stakeholders may not have the appropriate information and mechanisms needed to thwart sophisticated cyber attacks,” the report said.
The GAO recommends that the special assistant to the president, the cybersecurity coordinator and the Homeland Security secretary work with the officials in the critical infrastructure sectors to focus their information-sharing efforts and “bolster the efforts to build out the National Cybersecurity and Communications Integration Center as the central focal point for leveraging and integrating capabilities” of the civilian government, law enforcement and other sectors.