GAO: Critical infrastructure threats require a national cyber strategy

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Cybersecurity and Infrastructure Security Agency keeps expanding. The federal cyber advisor, a Senate confirmed position, has been in place for months. So why is the Government Accountability Office testifying on the need for a national cyber strategy aimed at protecting critical infrastructure?  The Federal Drive with Tom Temin  got an answer from the GAO’s director of information...

READ MORE

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Cybersecurity and Infrastructure Security Agency keeps expanding. The federal cyber advisor, a Senate confirmed position, has been in place for months. So why is the Government Accountability Office testifying on the need for a national cyber strategy aimed at protecting critical infrastructure?  The Federal Drive with Tom Temin  got an answer from the GAO’s director of information technology and cybersecurity issues, Nick Marinos.

Interview transcript:

Tom Temin: Nick, good to have you back.

Nick Marinos:  Thanks a lot. Thanks for having me, Tom.

Tom Temin: So why are you testifying? It seems like the only thing anyone in the administration talks about is cybersecurity. And yet you guys are telling Congress, we need a more comprehensive strategy. Tell us about your testimony and your findings here.

Nick Marinos: Absolutely, Tom. Well, you can’t talk too much about cybersecurity, because it is probably one of the greatest challenges that our nation is facing at the moment. And so, you know, when the House Transportation Infrastructure Committee invited us to come and speak specifically on critical infrastructure cybersecurity, we felt it important to reiterate our feeling that, despite many steps that we think are encouraging that the administration is taking, that we think that a greater sense of urgency needs to apply to establishing a very comprehensive national strategy,

Tom Temin: Because really, this question for the federal government, in some ways, goes back to 1995, when the Oklahoma City bombings occurred. But then reinforced obviously, in 2001, when not just buildings, but electrical systems, transportation, several pieces of critical infrastructure were bombed out for quite a while. So what’s taking so long, or what have you viewed over the years that seems to be stopping this from gelling in some manner?

Nick Marinos: But I think you have made a very important point, which is that this is not something new. In fact, it has probably been since the Clinton administration that we saw the executive branch start to coalesce and think, hey, we need a broader approach to how we’re going to protect the important computer systems that we rely on. Back in the 90s, GAO was already doing work showing folks that they were more vulnerable than they may think. Folks like the Department of Defense and Nuclear Regulatory Commission, among others. And in 1997, we actually made cybersecurity the first ever government-wide high risk area that GAO talked about. And you pointed out some very important events as well, when it came to critical infrastructure. Following the events of 9/11, we expanded that scope of sort of the high risk area to include critical infrastructure because of exactly what you described, which is that there are ways, you know, multiple ways by which an attacker can disrupt our normal lives, you know, not just obviously the tragedy that occurred that day, but the effects of it on things like the financial services sector, among other key sectors that we rely on. And so when you start to look at sort of the efforts across the administrations since that time, we’ve seen really important steps take place, but unfortunately, never quite get, you know, across the goal line, if you will. And that’s the same case when it comes to the previous administration, which had put out a national cyber strategy that had what we viewed to be some good bones to it. But ultimately, we never got to see them execute it. We never got to get a sense of how they’re actually going to make sure that the important activities they were laying out are actually going to be performed.

Tom Temin: Yes, the Trump administration had won in the Obama administration had a very long multiple page cybersecurity strategy. So you have laid out some steps here for establishing a comprehensive cybersecurity strategy and performing effective oversight. What should that look like to take all these disparate pieces that are going on? And how would it look if they were in a cohesive strategy in some manner?

Nick Marinos: Yeah, it’ll be the equivalent of a roadmap for the entire federal government to be able to follow. And for that roadmap to work, it needs to have not only the, you know, to not extend too far on the analogy, but it needs to have all the markers, you know, point A to point B, what are we trying to achieve? We actually have put out a series of publications that have talked to what are the comprehensive characteristics of a national strategy, not even just cyber, but across the board. And you know, several of those things include goals and timeframes. You have to know what you’re trying to accomplish, even at the activity level, so that you can keep track of the progress that’s being made. You need to lay out resources. You know, we obviously are seeing an increase in funding across federal agencies when it comes to cybersecurity. How do we know that that’s enough? How do we know that the money is going to the right place? And then ultimately, we need to have somebody in place that’s actually going to monitor this. And you pointed out in the introduction, Tom, a very important accomplishment, which was Congress passing a law last year that established the position of the national cyber director. And we saw the National Cyber director get confirmed in the summer. They’re starting to form up and build the office. We’ve seen documents like a strategic intent document come out that shows very much the consistencies and the steps that one would think are needed. But ultimately, we need to see a strategic plan that articulates how we’re not only going to protect federal agencies from cyber attack, but the entire nation itself.

Tom Temin: We’re speaking with Nick Marinos, director of information technology and cybersecurity issues at the Government Accountability Office. And you’ve also laid out a pretty comprehensive list of considerable challenges here, including inconsistent distribution of information, and that seems to get to the heart of so many cyber issues and that is information sharing. Again, something the government is been pursuing for so many years. Tell us about that and a couple of the other key challenges to making this into a strategy.

Nick Marinos: Yea, for quite a few years, not only GAO but key inspectors general from DHS, from the the Office of the Director of National Intelligence, have emphasized the need for us to be really careful about how much sort of success we express when it comes to that sharing, the two-ways sharing of information. There are mechanisms out there, and we are seeing improvements when it comes to sharing information like threats that the federal government may be identifying specific to a critical infrastructure. And there are mechanisms in place for the federal government, and key folks within those private sector organizations to communicate. But we’ve also seen challenges. Challenges may include a lack of appropriate clearances from private sector critical infrastructure operators to be able to actually receive the information. We’ve also seen a lack of the ability to actually take more technical data and do something with it in a timely manner. And then on the other side, we’ve also seen some reluctance when it comes to sharing information back to the federal government, whether it be because of concerns of liability protections that the private companies may feel aren’t there, or, to be perfectly honest, capability. Having staff on-site to be able to not only identify, you know, what may be a threat or an incident and then share that information in a timely manner. Other challenges that we’ve talked about that I think are really important to critical infrastructure are the security of emerging technology. Obviously, we’ve seen that technology create great benefits to the efficiencies, the effectiveness, of critical infrastructure, thinking of like the electricity grid, and other places where the ability to remote in and handle a situation can be very beneficial to ensuring that the resiliency is there. But on the other side it presents cyber threats as well. Connecting things that are operational, those things that control the specific, you know, sort of activities of that critical infrastructure, can create the possibility that cyber attack can disrupt or even cripple. We’ve obviously seen with the pipeline attack earlier this year an example of that, where it wasn’t only taking down a very major pipeline system, you know, on the east coast, but also the effects the residual effects when it came to gas shortages that were in many ways just a reaction from the populace, when it came to seeing that this potential disruption could lead to their disruption in being able to get from where they need to go in the cars.

Tom Temin: And could the government be more consistent in how it treats industries? And I’m thinking of say, suppose you report a pipeline problem to CISA, or you report a transportation issue or whatever it might be, a financial problem caused by a cybersecurity issue to CISA. And that’s great. You share the information with the federal government and they promulgate what can be done to prevent this from reoccurring. And yet, you’d have the Federal Trade Commission or the comptroller of the currency or the Interior Department, you name it, coming down on the like a ton of bricks as a liability issue. And so, you know, what is the incentive for anyone to share anything with CISA if some other agency is going to try to get you?

Nick Marinos: Well, I think an important point there is just how vastly different each of those industries are. So we’re talking about 16 sectors that are broken up into sub-sectors, anywhere from financial services to education, you know, is covered within that realm of quote unquote, critical infrastructure. So I think actually Congress has done something really important this year as well, in passing legislation that has mandated, has actually established statutory responsibilities for about nine different federal agencies to serve as what’s called sector risk management agencies. Now, this has been around for about a decade in other capacities. What it means is that, you know, for example, the Department of the Treasury is the sector risk management agency for the financial services sector. Its expectations set on it are things like being the day-to-day communicator, when it comes to the private sector, thinking about the risks related to that specific financial service sector, and then making sure that they can create the information sharing between them and others. And that has nothing to do with regulatory, you know, makeup. And in fact, they see a lot of cooperation from the critical infrastructure operators. They do want this help, it’s just about how, like you pointed out, how we can get to a level of information sharing that is effective, depending on which sector we’re talking about.

Tom Temin: And there are lots of laws and statutes that Congress has responded with over the years, having to do with data sharing, having to do with cybersecurity. Anything else that you recommend that Congress do here to foster this idea of a strategy?

Nick Marinos: Well, I think that it will be important to continue its oversight of the Office of National Cyber Director. So the NCD was confirmed in July, and Mr. Inglis has been forming his office within the Executive Office of the President. Obviously, that’s going to take a little bit of time. But here we have specific statutory responsibilities for that office as well, which includes managing a national cyber strategy, reviewing the budgets of federal agencies to make sure how that stacks up. So in order for that office to actually be able to perform its work, it needs that roadmap, Congress can do its part to check up, make sure that there’s progress and actually creating that roadmap, and that it’s actually being followed. The other thing that I think Congress needs to do is continue its oversight of CISA. They put a lot on CISA’s shoulders, and rightfully so because we see this important element within the Department of Homeland Security forming up. We issued a report earlier this year, I think that you and I spoke about in March, about the need for CISA to really get to its full transformation. You know, it was a law passed in 2018. They set some goals to try to get themselves to full sort of operational ability at the end of 2020 and weren’t able to get there. We think it’s important for CISA to complete those very important activities related to things like workforce planning, incident response, you know, the things that are gonna make them the strongest agency not only for the federal government, but also for state and local and other critical infrastructure elements out there as well.

Tom Temin: Nick Marinos is director of information technology and cybersecurity issues at the GAO. As always, thanks so much for joining me.

Nick Marinos: Thanks again, Tom.

Related Stories

    (AP Photo/Carolyn Kaster)FILE - In this June 28, 2019, file photo the Department of Homeland Security (DHS) seal is seen during a news conference in Washington. An official at the Department of Homeland Security says he was pressured by agency leaders to suppress details in his intelligence reports that President Donald Trump might find objectionable, including intelligence on Russian interference in the election and the threat posed by white supremacists. (AP Photo/Carolyn Kaster, File)

    Aside from guiding industry about resilience from cyber attacks, GAO suggests CISA take its own advice

    Read more