Spotty coordination on cyber threats is recipe for disaster: GAO study

Industry partners say security warnings from government often aren't detailed or fast enough to prevent breaches.

Unless government and industry improve information sharing to thwart cyber threats, the consequences could be disastrous for telecommunications, power grids and critical businesses such as banking, according to a report from the Government Accountability Office.

GAO surveyed 56 private sector representatives on whether public-private cybersecurity partnerships were meeting their expectations. The report, released on Monday, found that despite efforts to coordinate cybersecurity activities, the government is failing to consistently meet its private sector partners' expectations for usable, timely and actionable cyber threat information and alerts. Businesses also said that when information is provided, it often is not specific enough to be useful.

One roadblock to better communication, GAO found, is restrictions on the type of information that can be shared with the private sector. The Homeland Security Department's U.S. Computer Emergency Readiness Team, which serves as the nation's cyber analysis and warning center, cannot tailor alerts to one specific entity facing a threat, making it difficult to share details, the report said.

Auditors also noted that, to ensure warnings are accurate, US-CERT's products are subject to a stringent review and revision process that can potentially add days to the release of information.

Without improvement, the report said, "owners of critical infrastructure will not have the information necessary to thwart cyberattacks that could have catastrophic effects on our nation's cyber-reliant critical infrastructure."

Auditors pointed to recent reports of cyberattacks -- such as a denial-of-service attack in Estonia in May 2007, which created mass outages of government and commercial websites in that country, as well as breaches at technology companies, many in California, in January -- as examples of the debilitating impact a cybersecurity breach could have on national and economic security.

GAO said Homeland Security officials should focus information-sharing initiatives on timely and actionable threat and alert information.

The report also recommended DHS bolster efforts to build out the National Cybersecurity and Communications Integration Center as the focal point for leveraging and integrating capabilities among the private sector, government, law enforcement, the military and intelligence communities. The center, launched in October, is still in development and lacks representation from all sectors.

DHS officials concurred with GAO's recommendations in written comments. But Jerald E. Levine, director of Homeland Security's GAO/OIG Liaison Office, said the report makes "generalizations ... which presumes the view is held across the entire cross-sector community."

Levine also noted the report focuses on surveyed participants' expectations while the survey focused on needs. "The two terms are not interchangeable for the concept of information sharing," he said.
