From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Protecting Critical Infrastructure against Cyber Risk

Description: Audio Interview by GAO staff with Greg Wilshusen, Director, Information Technology

Related GAO Work: GAO-16-79 Critical Infrastructure Protection: Sector-Specific Agencies Need to Better Measure Cybersecurity Progress

Released: November 2015

[ Background Music ]

[ Narrator: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. It’s November 2015. Critical infrastructures, the systems that support banking, commerce, energy, and agriculture, are vital to our national economy, security, and public health. They're also vulnerable to cyber attacks, a growing concern in an increasingly connected world. A team led by Greg Wilshusen, a director in GAO's Information Technology team, recently reviewed how federal agencies mitigate cyber risks to critical infrastructures. GAO's Jacques Arsenault sat down with Greg to talk about what they found.

[ Jacques Arsenault: ] When I think of infrastructure I tend to think of things like roads or bridges, but your report is looking at much more than that. Can you explain to me what we mean by critical infrastructures and why they're important?

[ Greg Wilshusen: ] Sure. Critical infrastructures are those assets and systems that provide essential services such as banking, electricity, water that underpin American society. And the disruption or destruction of those services could have a debilitating effect on our national security, public health and safety, as well as our national economy.

[ Jacques Arsenault: ] Now, we hear a lot about data breaches in the news, and in those cases people are often trying to steal information. Are the risks to critical infrastructure similar or are there more kinds of threats involved?

[ Greg Wilshusen: ] Well, actually both. They are similar because one of the threats is certainly the theft of business proprietary information or intellectual property. For example, if a hacker was able to steal the manufacturing plans or designs of a critical manufacturing facility, that can have a debilitating effect not only for that company but potentially for the American economy as well because it could diminish American competitiveness. In addition though, the destruction or disruption of services may be another key risk that affects critical infrastructure. And that's probably the biggest one—the threat of not having these services available. For example, if a hacker or a nation or some threat was able to disrupt our electrical grid causing massive black outs, that could have an effect not only on the electricity sector but also all those industries and individuals and entities that rely on electricity. So, it can be quite debilitating.

[ Jacques Arsenault: ] Yeah, it doesn't take much imagination to think about what the consequences of something like that would be. So then, what is the federal government doing to protect against these risks?

[ Greg Wilshusen: ] Well, the federal government is doing a number of actions. But first of all, much of the critical infrastructure is actually owned by the private sector. So, the government has created a public/private partnership in which it tries to work with the private sector to better protect against these types of cyber threats on critical infrastructure. It has, for example, created and identified actually 16 critical infrastructure sectors, which are those assets that are vitally important to the nation. And it also has identified nine sector-specific agencies, which are federal agencies, which have been charged to work with their counterparts in the industries and critical infrastructure sectors to help manage these cyber risks. The federal government has also established a national cyber security framework which can be used by critical infrastructure owners and operators to better protect their information systems supporting these assets.

[ Jacques Arsenault: ] So, do those partnerships between the government and the private sector seem like they're working well and getting us prepared?

[ Greg Wilshusen: ] Well, they are working, and they are collaborating on a number of efforts. For example, coordinating councils have been established and working groups to address cyber security and the security of industrial control systems, which are those systems that are used to operate many of the physical assets of the electric grid and critical manufacturing aspects and other systems. And so they are working. However, there is additional work that needs to be done particularly with respect to how well these actions and activities are actually improving security within those sectors. And we found that many of these sector-specific agencies have not identified performance metrics in order to, one, measure or gauge the progress of their actions, and the actual security posture of their sectors.

[ Jacques Arsenault: ] So, it sounds like they're working well together, but we don't know how effective they are and they don't necessarily know how effective they are at this point?

[ Greg Wilshusen: ] That's exactly right. And so we made recommendations in our recent report to address that particular aspect and have those sector-specific agencies identify these metrics and then monitor the progress against those metrics.

[ Jacques Arsenault: ] So, then finally what would you say is the bottom line of this report?

[ Greg Wilshusen: ] Well, one is that the cyber risk to critical infrastructure is significant. The federal government and private sector owners and operators of critical infrastructure are working to try to manage and mitigate that risk but until effective measures and monitoring capabilities are established, we don't know the effectiveness of those efforts.

[ Background Music ]

[ Narrator: ] To learn more, visit GAO.gov and be sure to tune in to the next episode of GAO's Watchdog Report for more from the congressional watchdog, the U.S. Government Accountability Office.