WASHINGTON – Almost all of the federal agencies charged with protecting critical American infrastructure from cyberattacks have not developed effective methods to measure whether industries ranging from the energy sector to financial services have adopted U.S. cybersecurity standards, according to a new government report.
All but two of the federal agencies tasked with overseeing cybersecurity across the nation’s critical infrastructure — including health care, commercial food production and transportation — had failed to effectively monitor the implementation of a voluntary cybersecurity framework established under the Obama administration, said the Government Accountability Office report issued last week.
“The extent to which the 16 critical infrastructure sectors are better protecting their critical infrastructures from threats will be largely unknown,” the report concluded.
Former President Barack Obama issued an executive order in 2013 directing the National Institute of Standards and Technology to develop an adaptable framework of standards and practices addressing the risk of cyberattack on critical infrastructure — essentially any industry or public works that, if incapacitated or destroyed, could cripple the U.S. A concurrent presidential directive identified 16 critical infrastructure sectors and gave nine federal agencies oversight.
The agencies, in coordination with the secretary of Homeland Security, were to establish programs to support the adoption of the NIST framework in each sector.
A 2015 GAO report found federal agencies had effectively promoted the framework in their sectors, but that the Department of Homeland Security struggled to measure how effective its own efforts to support those agencies' promotion of the framework had been. And in a follow-up report in 2018, the GAO found none of the federal agencies had successfully developed a method to measure the level and type of industry adoption of the NIST framework.
Vijay D’Souza, director of information technology and cybersecurity at the GAO, said the lack of data made it difficult for agencies to determine if the steps they’d taken to promote the framework were successful.
“It’s hard to know if what you’re doing is actually working,” he said.
The failure of agencies to collect data made it impossible to know if the adoption of the NIST framework had resulted in significant cybersecurity improvements, D’Souza also said. The GAO surveyed 12 organizations across multiple sectors that had adopted the NIST framework and found varying levels of improvement in cybersecurity.
NIST and DHS have several initiatives to support agencies in collecting data on how many organizations have implemented the framework and any resulting improvements. However, many of the tools NIST and DHS have promised have still not been developed. The report recommended that NIST’s director should establish deadlines to complete these tools.
The new report said only the Defense Department and the General Services Administration, which oversees federal facilities, had developed a means to measure implementation of the cybersecurity framework in their sectors, though the GAO did not examine the quality or outcome of their data.
D’Souza said the two agencies were more successful than their counterparts because the critical infrastructure sectors they oversee consist principally of government property or organizations that contract with the military.
Two other federal agencies, Homeland Security and the Department of Transportation, had administered or were planning to administer a survey to assess framework adoption in their sectors.
Jody Westby, a member of the American Bar Association’s cybersecurity task force, said the lack of progress was in part a result of the decision to split cybersecurity oversight into several sectors monitored by multiple agencies.
“The U.S. created a fragmented mess from the beginning,” Westby said. “It was always a ridiculous approach.”
She also argued NIST’s framework was too prescriptive to appeal to companies and pointed to the International Organization for Standardization’s standard as a better alternative.
Tom Stefanick, a visiting fellow at the Brookings Institution think tank, said even if agencies did develop methods to collect data, companies wouldn’t want to participate in the voluntary process without an incentive.
“What’s the upside of going through this exercise if there’s no sanction and no payoff?” Stefanick said.
D’Souza said a broader policy change would be needed to mandate companies to provide their information to the government, but said the agencies would still be able to gather “some data.”