Feds lack method to grade critical infrastructure cybersecurity

Most federal agencies overseeing the security of America’s critical infrastructure still lack formal methods for determining whether those essential networks are protected from hackers, according to a new government report.

Of the 15 critical infrastructure industries examined in the Government Accountability Office (GAO) report — including banking, finance energy and telecommunications — 12 were overseen by agencies that didn’t have proper cybersecurity metrics.


These so-called “sector-specific” agencies “had not developed metrics to measure and report on the effectiveness of all of their cyber risk mitigation activities or their sectors’ cybersecurity posture," the report concluded.

The watchdog pointed the finger at the private sector, noting the agencies have to “rely on their private sector partners to voluntarily share information needed to measure efforts.”

In the meantime, infrastructure necessary to maintain a functioning economy and power grid will remain vulnerable to hackers.

“Until [sector-specific agencies] develop performance metrics and collect data to report on the progress of their efforts to enhance the sectors’ cybersecurity posture, they may be unable to adequately monitor the effectiveness of their cyber risk mitigation activities and document the resulting sector-wide cybersecurity progress,” the GAO said.

The findings may add fuel to an argument a number of lawmakers have been making that critical infrastructure industries should be required to report more cybersecurity data to the government.

Sen. Susan CollinsSusan Margaret CollinsSunday shows preview: Delta concerns prompt CDC mask update; bipartisan infrastructure bill to face challenges in Senate Top Democrat: 'A lot of spin' coming from White House on infrastructure Bill would honor Ginsburg, O'Connor with statues at Capitol MORE (R-Maine) even tried to attach an amendment that would have mandated this type of reporting to a recent cybersecurity bill, the Cybersecurity Information Sharing Act.

The bill, which passed the Senate in October, encourages the voluntary exchange of data on hacking threats between businesses and the government. Lawmakers will reconcile the measure with two complementary House bills in conference committee soon. The final version is expected to head to the president's desk in the coming months. 

Collins’ amendment, which was not adopted, would have compelled critical infrastructure industries to participate in the exchange.

“In the vast majority of cases, I believe that information sharing should be voluntary,” Collins told The Hill earlier this year. “But when it comes to critical sectors of our economy, I believe it should be mandatory.”

The GAO said the Defense, Energy and Health and Human Services Departments were the outliers. All three had developed useful metrics to track the progress each sector is making in bolstering its digital defenses, according to the report.

House Homeland Security Committee Chairman Michael McCaul (R-Texas) and ranking member Bennie Thompson (D-Miss.) asked the GAO to conduct the report.