The Department of Homeland Security has responded so enthusiastically and uncritically to Presidential orders that it keep companies in the "critical infrastructure" informed of cybersecurity threats and techniques that it is, instead, drowning those companies in information that is often repetitive or misdirected, according to a new report from the Government Accountability Office (GAO). (PDF)
Cybersecurity became a big deal in government after the Stuxnet virus successfully attacked nuclear-development facilities in Iran (possibly with the help of the U.S.) and Iran, among other angry non-Americans, threatened to retaliate.
DHS, like other government and military security agencies, had never had to respond to a large-scale cybersecurity threat before,* so it may have overreacted to the order, simply out of excitement.
(*That's not to say there were no large-scale cybersecurity threats. For a decade Chinese and Russian hackers have been convoying data out of U.S. military and civilian government agency computers so steadily and with so little opposition that they look more like a bucket brigade trying to bail out a sinking boat than hackers stealing classified data. Neither the .mils nor the .govs have even really acknowledged the losses, let alone dealt with the attackers, so it's understandable if the DHS was a little out of practice, too.)
The intent, according to GAO, was that DHS should gather, evaluate and package all the best recommendations, training, warnings and techniques to identify and defend against cyberattacks, then distribute all that useful information to companies in seven industries critical to "our nation's cyber-reliant critical infrastructure": banking and finance; communications; energy; healthcare and public health; information technology; nuclear reactors, material and waste; and water.
DHS wasn't supposed to create new regulations or emergency response plans that the companies receiving the guidance would have to learn by heart and practice like fire drills, but it wasn't just handing out brochures, either.
"Guidance" from DHS about serious cybersecurity threats should have become de facto benchmarks for preparedness amongst critical-infrastructure companies.
Following DHS guidance would be voluntary, but companies that didn't follow the guidelines, and were later hit with major cyberattacks, would almost inevitably find themselves in court explaining to angry stockholders or customers why ignoring DHS advice didn't constitute negligence.
Guidance solid enough to be held up as a de facto benchmark would have to be pretty high quality, though.
It would also have to be tailored to the individual requirements, regulations and level of federal oversight to which each of the seven industries was subject.
Except that the guidance DHS handed out didn't identify any of the unique conditions, regulations or threats to individual market segments, or tailor its cybersecurity advice to apply to those specific conditions, GAO's report complained.
Critical as each is to the smooth functioning of the economy, a nuclear power plant, Citibank and a local water utility aren't really starting from the same place or even heading in the same direction when they have to tighten up their cybersecurity.
DHS and the other agencies involved in fulfilling the Presidential order to disseminate security guidance did tailor their information about general security, general threats and regulatory environment to each of the seven market segments.
They passed those specific guidelines out separately, not as part of the cybersecurity guideline development effort.
And, while the industry-specific guidelines did take local conditions into account and did include some material about online threats, they didn't call out any of the advice as being specific to cybersecurity as opposed to the other kind.
Instead DHS put together a single set of generic guidelines and sent those to companies in all seven market segments.
Then it sent out the non-cybersecurity-specific security guidance to all seven segments.
Then it sent even more non-specific cybersecurity guidance out.
So, in none of the seven vertical-market segments did DHS put together cybersecurity guidance specific enough to be useful to people in that industry, nor did it make its generic cybersecurity guidance useful enough to be adopted by industries whose risk and regulatory profiles were more generic, according to the GAO report.
The result was a mess of information that made it difficult for the security staffs who should have been able to use the guidance to even find the parts that were relevant to them.
The unspecific download swamped both the IT and non-IT security staffs in information that came from an agency important enough that companies felt they had to deal with it, but useless enough that few companies could figure out a way the guidance could actually be put to use.
"Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture. Improved knowledge of the guidance that is available could help both federal and private sector decision makers better coordinate their efforts to protect critical cyber-reliant assets." – "Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use," Government Accountability Office, Jan. 9, 2012