US GAO calls upon CISA to evaluate cybersecurity effectiveness within the communications sector

communications sector

The U.S. Government Accountability Office (GAO) directed the Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday to assess the effectiveness of its actions to support the communications sector.

CISA determined that the communications sector depends on other critical infrastructure sectors, including energy, information technology, and transportation systems, and any damage, disruption, or destruction to any one of these sectors could severely impact the operations of the communications sector. In the Department of Homeland Security (DHS)’s 2012 risk assessment report, these sectors are so closely connected and interdependent that damage, disruption, or destruction to one infrastructure element in one sector can cause cascading effects, potentially affecting the continued operation of the sector.

The report also identified that the CISA has also not updated the 2015 Communications Sector-Specific Plan, even though DHS guidance recommends that such plans be updated every four years. As a result, the current 2015 plan lacks information on new and emerging threats to the communications sector, such as security threats to the communications technology supply chain, and disruptions to position, navigation, and timing services. Developing and issuing an updated plan would enable CISA to set goals, objectives, and priorities that address threats and risks to the sector, and help meet its sector risk management agency responsibilities, it added.

The GAO made three recommendations to CISA, including that CISA assesses the effectiveness of its support to the communications sector, and works towards revising its communications sector-specific plan, according to the report.

GAO reviewed the DHS reports, plans, and risk assessments on the communications sector. It also interviewed CISA officials and private sector stakeholders to identify and evaluate CISA’s actions to support the security and resilience of the sector. The communications sector is an integral component of the U.S. economy and faces serious physical, cyber-related, and human threats that could affect the operations of local, regional, and national level networks, according to the CISA and sector stakeholders.

The Department of Commerce and the Federal Communications Commission (FCC) did not provide comments on the draft report, the GAO said.

The CISA primarily supports the communications sector through incident management and information-sharing activities, such as coordinating federal activities to support the sector during severe weather events and managing cybersecurity programs but has not assessed the effectiveness of these actions.

For instance, CISA has not determined which types of infrastructure owners and operators may benefit most from CISA’s cybersecurity programs and services, or maybe underrepresented participants in its information-sharing activities and services, the GAO report said. By assessing the effectiveness of its programs and services, CISA would be better positioned to identify its highest priorities.

The GAO report examines the security threats CISA has identified, CISA’s support of the sector, and the extent to which CISA has assessed its support and emergency preparedness for the sector.

To address its first objective, the agency reviewed DHS reports, plans, and risk assessments on the communications sector. In particular, it reviewed DHS’s 2012 Risk Assessment Report for Communications and the 2015 Communications Sector-Specific Plan, which CISA officials told the GAO described the continuing and relevant threats to the communications sector.

“We also met with CISA officials with roles and responsibilities for supporting Communications Sector security and resilience, including those from the National Risk Management Center and the Stakeholder Engagement Division, to obtain their perspectives on current and relevant threats to the sector,” the report added.

To address the agency’s second and third objectives, it collected and analyzed DHS and CISA reports, strategies, plans, guides, briefings, and assessments on CISA’s related activities in support of communications critical infrastructure security and resilience. In addition, it also interviewed officials from CISA’s cybersecurity division, emergency communications division, infrastructure security division, integrated operations division, national risk management center, and stakeholder engagement division, to discuss services and products offered to the communications sector to support security and resilience efforts.

The GAO also compared the actions that the security agency took to assess its support for the communications sector against guidance from the National Infrastructure Protection Plan, the Communications Sector-Specific Plan, and the DHS Critical Infrastructure Risk Management Framework.

“We also assessed CISA’s preparedness activities to coordinate Communications Sector incident management and restoration efforts against Federal Emergency Management Agency (FEMA) guidance on Emergency Support Function preparedness—key response coordinating structures at the federal level for incidents such as hurricanes and wildfires,” according to the report.

The GAO conducted its performance audit from September last year till this month, in accordance with generally accepted government auditing standards. “Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives,” it added.

The report suggested that the CISA director assess the effectiveness of CISA’s programs and services to support the communications sector, including developing and implementing metrics and analyzing the feedback received from owners and operators, to determine the usefulness and relevance of its activities to support sector security and resilience.

It also called upon the CISA director to complete a capability assessment for Emergency Support Function #2, such as establishing requirements, maintaining a list of current capabilities, and conducting a capability gap analysis to identify if and where other resources may be needed. ESF #2 includes those communications that support the restoration of the communications infrastructure, facilitate the recovery of systems and applications from cyberattacks, and coordinate federal communications support to response efforts during incidents requiring a coordinated federal response.

Finally, the GAO report recommends that the CISA director, in coordination with public and private communications sector stakeholders, should produce a revised sector-specific plan, which will include goals, objectives, and priorities that address new and emerging threats and risks to the communications sector and that are in alignment with sector risk management agency responsibilities.

The DHS has concurred with the GAO recommendations, the report said.