Protection site

Protection of critical infrastructure: CISA should assess the effectiveness of its actions to support the communications sector

What GAO found

The communications industry is an integral part of the U.S. economy and faces serious physical, cybernetic and human threats that could affect the operations of local, regional and national networks, according to the Department of Homeland Security (DHS) Cybersecurity and Agency infrastructure security (CISA) and industry players.

Examples of potential threats to the security of the communications sector

In addition, CISA has determined that the communications sector is dependent on other critical infrastructure sectors, particularly the energy, information technology and transportation systems sectors, and that damage, disruption or the destruction of any of these sectors could have serious consequences for the operations of the communications sector.

CISA primarily supports the communications sector through incident management and information sharing activities, such as coordinating federal activities to support the sector during severe weather events and managing cybersecurity programs, but did not assess the effectiveness of these actions. For example, CISA has not determined what types of infrastructure owners and operators (e.g. large or small telecommunications service providers) can benefit the most from CISA cybersecurity programs and services or can be participants under-represented in its information-sharing activities and services. By evaluating the effectiveness of its programs and services, CISA would be in a better position to identify its highest priorities.

CISA also did not update the 2015 Communications sector plan, although DHS guidelines recommend that these plans be updated every 4 years. As a result, the current 2015 plan lacks information on new and emerging threats to the communications industry, such as communications technology supply chain security threats and disruptions to positioning, navigation services. and synchronization. The development and publication of an updated plan would enable the CISA to establish goals, objectives and priorities that address threats and risks to the sector, and would help fulfill its responsibilities as sector risk management agency.

Why GAO did this study

The communications sector, one of the 16 critical infrastructure sectors, is vital to the United States. Its inability or destruction could have a debilitating impact on the safety and security of our nation. The private sector owns and operates the majority of communications infrastructure, including broadcast, cable, satellite, wireless and wireline systems and networks. DHS’s CISA is the primary federal agency responsible for supporting the security and resilience of the sector.

The GAO examined (1) the security threats that CISA has identified for the sector, (2) how the CISA supports the sector, and (3) the extent to which the CISA has assessed its support and preparedness for the sector. emergency situations for the sector. GAO reviewed DHS sector reports, plans and risk assessments and interviewed CISA officials and private sector stakeholders to identify and assess CISA actions to support safety and resilience of the communications sector.