January 12, 2012, 5:58 PM — The Department of Homeland Security has responded so enthusiastically and uncritically to Presidential orders that it keep companies in the "critical infrastructure" informed of cybersecurity threats and techniques that it is, instead, drowning those companies in information that is often repetitive or misdirected, according to a new report from the Government Accountability Office (GAO). (PDF)
Cybersecurity became a big deal in government after the Stuxnet virus successfully attacked nuclear-development facilities in Iran (possibly with the help of the U.S.) and Iran, among other angry non-Americans, threatened to retaliate.
DHS, like other government and military security agencies, had never had to respond to a large-scale cybersecurity threat before,* so it may have overreacted to the order, simply out of excitement.
(*That's not to say there were no large-scale cybersecurity threats. For a decade Chinese and Russian hackers have been convoying data out of U.S. military and civilian government agency computers so steadily and with so little opposition that they look more like a bucket brigade trying to bail out a sinking boat than hackers stealing classified data. Neither the .mils nor the .govs have even really acknowledged the losses, let alone dealt with the attackers, so it's understandable if the DHS was a little out of practice, too.)
The intent, according to GAO, was that DHS should gather, evaluate and package all the best recommendations, training, warnings and techniques to identify and defend against cyberattacks, then distribute all that useful information to companies in seven industries critical to "our nation's cyber-reliant critical infrastructure:" banking and finance; communications; energy; healthcare and public health; information technology; nuclear reactors, material and waste; and water.
DHS wasn't supposed to create new regulations or emergency response plans that the companies receiving the guidance would have to learn by heart and practice like fire drills, but it wasn't just handing out brochures, either.
"Guidance" from DHS about serious cybersecurity threats should have become de facto benchmarks for preparedness amongst critical-infrastructure companies.