Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts

Members of Congress asked the Government Accountability Office to (1) identify the roles of and actions taken by key federal entities to help protect the communications networks from cyber-based threats, (2) assess what is known about the extent to which cyber-incidents affecting the communications networks have been reported to the Federal Communications Commission (FCC) and the Department of Homeland Security (DHS), and (3) determine if the Department of Defense’s (DOD) pilot programs to promote cybersecurity in the defense industrial base can be used in the communications sector.

Within the roles prescribed for them by federal law and policy, the Federal Communications Commission and the Departments of Homeland Security, Defense, and Commerce have taken actions to support the communications and information technology sectors’ efforts to secure the nation’s communications networks from cyber attacks. However, until DHS and its sector partners develop appropriate outcome-oriented metrics, it will be difficult to gauge the effectiveness of efforts to protect the nation’s core and access communications networks and critical support components of the Internet from cyber incidents. While no cyber incidents have been reported affecting the nation’s core and access networks, communications networks operators can use reporting mechanisms established by FCC and DHS to share information on outages and incidents. The pilot programs undertaken by DOD with its defense industrial base partners exhibit several attributes that could apply to the communications sector and help private sector entities more effectively secure the communications infrastructure they own and operate. As DHS develops procedures for expanding this program, considering these attributes could inform DHS’s efforts. To help assess efforts to secure communications networks and inform future investment and resource decisions, we recommend that the Secretary of Homeland Security direct the appropriate officials within DHS to collaborate with its public and private sector partners to develop, implement, and track sector outcome-oriented performance measures for cyber protection activities related to the nation’s communications networks.

[GAO-13-275]