DHS not working closely enough with private sector
The Department of Homeland Security should work to increase use of sensitive information it receives from private companies about vulnerable assets like utilities, private IT networks, energy facilities and transportation assets, the Government Accountability Office says in a report.
The report, titled “DHS Should Take Steps to Encourage More Widespread Use of its Program to Protect and Share Critical Infrastructure Information,” describes why information related to threats, vulnerabilities, incidents and security techniques is instrumental to guarding critical infrastructures against attacks.
“The ability to share security-related information can unify the efforts of federal, state, and local government as well as the private sector, as appropriate, in preventing and minimizing terrorist attacks,” the report says.
The Critical Infrastructure Information Act of 2002 was enacted to encourage nonfederal entities to voluntarily share critical infrastructure information and established protections for it.
The law forbids release of the information under the federal Freedom of Information Act.
Once the information is gathered and protected, the department is responsible for sharing it with appropriate agencies so they can help protect the assets from terrorist attacks.
GAO reported that the department has set up a program office to establish requirements for gathering, protecting, sharing and using the infrastructure information.
However, according to the report, DHS must overcome challenges in defining government needs for the information, deciding how it will be used, protecting the information and controlling access to it as well as convincing the private companies that they will gain by submitting the information.
“If DHS were able to surmount these challenges, it and other government users may begin to overcome the lack of trust that critical infrastructure owners have in the government’s ability to use and protect their sensitive information,” the report says.
GAO is recommending that the Secretary of Homeland Security, among other things, better define DHS’s and other federal agencies’ critical infrastructure information needs, and explain how DHS and the other agencies will use the information received from the private sector.
DHS concurred with GAO’s findings and recommendations.