As previously observed, there is a deficiency in the most basic capabilities to understand (let alone protect) the national information infrastructure. The GAO report concluded:
"In seeking to counter the growing cyber threats to the nation’s critical infrastructures, DHS has established a range of cyber analysis and warning capabilities, such as monitoring federal Internet traffic and the issuance of routine warnings to federal and nonfederal customers. However, while DHS has actions under way aimed at helping US-CERT better fulfill attributes identified as critical to demonstrating a capability, US-CERT still does not exhibit aspects of the attributes essential to having a truly national capability. It lacks a comprehensive baseline understanding of the nation’s critical information infrastructure operations, does not monitor all critical infrastructure information systems, does not consistently provide actionable and timely warnings, and lacks the capacity to assist in mitigation and recovery in the event of multiple, simultaneous incidents of national significance [emphasis added]."
This lack of a "comprehensive baseline understanding" is not confined to the U.S. Government; it is also rampant in the private sector, where risk and threat assessments are too often a simple compliance check-off with little regard to the quality of analysis. In both the public and private sectors, engineers and other technicians tasked with managing information security are not trained as security professionals who can analyze risks and threats across a single organization, let alone across entire information infrastructures and global networks.
This lack of professional competence in the information security industry is one of the key factors driving the continued increase in vulnerabilities, attacks, and data and monetary losses despite record investment and spending.
The full GAO report is available online:
CYBER ANALYSIS AND WARNING: DHS Faces Challenges in Establishing a Comprehensive National Capability