Aside from guiding industry about resilience from cyber attacks, GAO suggests CISA take its own advice

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The nation’s communications infrastructure is one of those critical elements that need protection. The Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, has the task of helping the industry ensure resilience. But the Government Accountability Office said the agency should do a little more navel-gazing. GAO’s Acting Director Leslie Gordon had more on Federal Drive with Tom Temin.

Interview transcript:

Tom Temin: Ms. Gordon, good to have you on.

Leslie Gordon: Thank you for having me.

Tom Temin: And let’s begin with the threats that CISA has identified. You looked at what it is they’re looking at, to some degree, in the communication sector. And that means radio and wireless communications and all of those things.

Leslie Gordon: Right. The communication sector involves broadcast, it involves satellites and involves a wireless and wired communication and cable, of course. The threats that CISA has identified include physical threats, cyber threats, and human threats. The physical threats are your natural disasters, including wildfires, hurricanes, they also include chemical and biological attacks, even electromagnetic pulse attacks. Cyber threats involve things that malicious actors might do, hackers and whatnot, who would overwhelm systems through resource exhaustion, or by intruding into systems to take control of them. They’re also cyber threats related to non-malicious actors. So inadvertent employees or operators who might let in cyber problems. Then there are human threats, the failure to plan for security incidents, or the lack of employee security awareness.

Tom Temin: Sure. And did they also look at the physical infrastructure that supports all of communications? I mean, towers are out there sometimes in the middle of nowhere, and somebody could cut the cables holding them up or blow them up, that type of thing. Is that part of their purview on the infrastructure side?

Leslie Gordon: Yes, it is. So systems that are responsible for securing towers and antennas and buildings, right, it has to work through private sector owner operators that own and operate these towers, antennas. They also include the systems and networks that we can’t see that transmit aggregated data, voice data, video over long distances. So the infrastructure when we talk about the communication sector includes access networks, those are the sort of regional local networks where you’re making a phone call to a friend in a local city. Then there’s the core networks that transmit large volumes of data, voice orvideo, all aggregated multimedia across the world. And the service applications are your mobile phones, your computers, or file transfer protocols, and cloud services GPS. All those things are in need of securing/

Tom Temin: Sure. So it embodies all that is in the name of that agency, cybersecurity, and infrastructure. And what do they do to actually support resiliency and recovery? As you pointed out, they don’t physically do the work themselves, but they offer advice and so forth. So what is it they’re doing in support of the comms industry, in all its manifestations?

Leslie Gordon: Right. CISA is the lead Federal Agency for the security and resilience of the communication sector, also known as a sector risk management agency. So in that responsibility, it’s responsible for identifying threats, assessing risks, sharing information with the private sector, owner operators, and supporting incident management and restoration. Specifically, when we looked at what they were doing, they really had a foothold in and a strong effort in incident management. So restoring critical communications during an incident coordinated across all the federal agencies that get involved, multi-year training and planning exercises, etc. For information sharing, this is where they take the accumulation of the known threats and the risks that they’ve assessed and they share them broadly. They can share threat information that’s open source protected or classified, and they put out cyber advisories. In addition, the impact of hurricanes or other natural disasters in order to improve situational awareness.

Tom Temin: We’re speaking with Leslie Gordon, she’s an acting director at the Government Accountability Office. So your recommendation for CISA was to review the effectiveness of its support, and tell us what you meant by that.

Leslie Gordon: Sure. That was one of our three recommendations, Tom. What we found was in DHS’ own playbook, their critical infrastructure risk management framework, they say we’re gonna set metrics, we’re gonna set targets and evaluate the effectiveness of our programs. This risk management framework is several years old, and yet CISA has not identified any metrics or evaluated the effectiveness of its programs. As you know, from good government management, we want to set targets to determine how well our government programs are working. So how well it says that engaging the private sector, and how does it promote security and reduce risks in the comp sector.

Tom Temin: And you mentioned there were two other recommendations.

Leslie Gordon: Yeah. One was about the incident management support that CISA provides to the sector. It provides support, as I described earlier, but it hasn’t done a capabilities assessment for one of its emergency support functions. And really, what we want to see is that CISA goes back and looks at all the resources there to support and help restore function after an incident. So we want them to identify what their resources are, what the existing capabilities are in the federal government and through the private sector owner operators. Look at where the gaps are, so they can identify where mutual aid or other resources are needed. Our third recommendation is to update its sector specific plan. The sector specific plan flows from the National Infrastructure Protection Plan, and it’s just focused on the communication sector. The current plan is from 2015. And DHS set a standard for itself to update the sector specific plan every four years. So you can see it’s out of date. It’s important to update the sector specific plan to capture new and emerging threats, cyber threats are ever changing. And also to capture the new responsibilities it has a sector risk management agency.

Tom Temin: And getting back to that first recommendation that they review the effectiveness of their support, do they have metrics that would be able to allow them to measure it?

Leslie Gordon: No. CISA hasn’t developed any metrics. As I said, it’s important to have metrics to set targets and determine how well the programs are working. Metrics could include something like the level of participation of large and small telecom, private sector owner operators. We heard from an association of the smaller telecom owner operators that they’re not always well represented in the programs and trainings. So really measuring how the breadth of engagement across the private sector. Another metric could look at best practices that have been implemented, or who’s participating in the trainings that are being offered. And ultimately, we’d like to see a metric that measures whether there’s been an increase or decrease in security breaches, for example.

Tom Temin: And were you able to get any sense of what actually goes on with respect to interruptions or dangers in the communication sector? It seems like the most common occurrence is bad weather knocks out power to have distribution center or physical destruction as opposed to cyber.

Leslie Gordon: So there are a number of incidents that have happened recently. In 2017, Hurricane Maria knocked out 96% of cell sites and equipment for voice and data in Puerto Rico. But we’ve also seen things that happen like the December 2020 bombing in Nashville, that destroyed power infrastructure. CISA did step in and work with law enforcement to support recovery and restoration in that case.

Tom Temin: Yes, so the threats are real then, aren’t they?

Leslie Gordon: Absolutely. The threats are physical, they are cyber related. And those cyber related threats are ever changing. In 2021, DHS and FBI put out an advisory about the trick bot, and this is where hackers take over devices in order to get them to spread malicious malware or spyware into systems. And that would just be devastating if it was generalized in a region or even with a large private sector owner operator.

Tom Temin: Yeah, imagine the junk calls we’d get if that was the case. And did you find that CISA generally agreed with your recommendations?

Leslie Gordon: CISA concurred with all of our recommendations. And in the case of updating the sector specific plan and developing matrix, I think there are steps underway to do this. They told us they’d be finishing up and addressing these recommendations in the calendar year 2022.

Tom Temin: Leslie Gordon is an acting director at the Government Accountability Office. Thanks so much for joining me.

Leslie Gordon: Thank you so much.

Related Stories

    FILE - In this Feb. 25, 2015 file photo, the Homeland Security Department headquarters in northwest Washington. An advisory issued by officials in the United States, United Kingdom and Australia warns that hackers linked to the Iranian government have been targeting a “broad range of victims” inside the U.S. with ransomware and other malicious cyber activity.  (AP Photo/Manuel Balce Ceneta, File)

    Why the new DHS cyber talent management system was nearly 7 years in the making

    Read more
    (AP Photo/Lynne Sladky)FILE - In this Nov. 20, 2020, file photo a U.S. Department of Homeland Security plaque is displayed a podium as international passengers arrive at Miami international Airport where they are screened by U.S. Customs and Border Protection in Miami. The damned-if-you-pay-damned-if-you-don’t dilemma on ransomware payments has left U.S. officials fumbling about how to respond. While the Biden administration “strongly discourages” paying, it recognizes that failing to pay would be suicidal for some victims. (AP Photo/Lynne Sladky, File)

    DHS continues rolling out new cyber requirements to transportation sector

    Read more

Comments