EC adopts Contingency Plan for Transport

The European Commission adopted a Contingency Plan for Transport to strengthen the resilience of EU transport in times of crisis. The plan draws lessons from the COVID-19 pandemic and takes into account the challenges the EU transport sector has been facing since the beginning of Russia's military aggression against Ukraine. Both crises have severely affected the transport of goods and people, but the resilience of this sector and the improved coordination between member states were key to the EU's response to these challenges.

Commissioner for Transport Adina Vălean said: “These challenging and difficult times remind us of the importance of our EU transport sector and the need to work on our preparedness and resilience. The COVID-19 pandemic was not the first crisis with consequences for the transport sector, and Russia's illegal invasion of Ukraine shows us that it will definitely not be the last. This is why we need to be ready. Today's Contingency Plan, notably based on lessons learnt and initiatives taken during the COVID-19 pandemic, creates a strong framework for a crisis-proof and resilient EU transport sector. I firmly believe that this plan will be a key driver for transport resilience since many of its tools have already proven essential when supporting Ukraine – including the EU-Ukraine Solidarity Lanes, which are now helping Ukraine export its grain.”

10 actions to draw lessons from recent crises

The plan proposes a toolbox of 10 actions to guide the EU and its Member States when introducing such emergency crisis-response measures. Among other actions, it highlights the importance of ensuring minimum connectivity and passenger protection, building resilience to cyberattacks, and resilience testing. It also stresses the relevance of the Green Lanes principles, which ensure that land freight can cross borders in less than 15 minutes, and reinforces the role of the Network of Contact Points in national transport authorities. Both proved crucial during the COVID-19 pandemic, as well as in the current crisis caused by Russian aggression against Ukraine.

The 10 areas of action are:

1. Making EU transport laws fit for crisis situations
2. Ensuring adequate support for the transport sector
3. Ensuring free movement of goods, services and people
4. Managing refugee flows and repatriating stranded passengers and transport workers
5. Ensuring minimum connectivity and passenger protection
6. Sharing transport information
7. Strengthening transport policy coordination
8. Strengthening cybersecurity
9. Testing transport contingency
10. Cooperation with international partners

One key lesson from the pandemic is the importance of coordinating crisis response measures – to avoid, for example, situations where lorries, their drivers and essential goods are stuck at borders, as observed during the early days of the pandemic. The Contingency Plan for Transport introduces guiding principles that ensure crisis response measures are proportionate, transparent, non-discriminatory, in line with the EU Treaties, and able to ensure the Single Market continues to function as it should.

Next steps

The Commission and the Member States will use this Contingency Plan to respond to current challenges affecting the transport sector. The Commission will support Member States and steer the process of building crisis preparedness in cooperation with the EU agencies, by coordinating the Network of National Transport Contact Points and maintaining regular discussions with international partners and stakeholders. To respond to immediate challenges and ensure Ukraine can export grain, but also import the goods it needs, from humanitarian aid, to animal feed and fertilisers, the Commission will coordinate the Solidarity Lanes contact points network and the Solidarity Lanes matchmaking platform.

Australia releases Critical Infrastructure Protection Act 2022

The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) came into effect on 2 April 2022.

The SLACIP Act amends the Security of Critical Infrastructure Act 2018 (SOCI Act) to introduce the following key measures:

- A new obligation for responsible entities to create and maintain a critical infrastructure risk management program, and
- A new framework for enhanced cyber security obligations required for operators of systems of national significance (Australia’s most important critical infrastructure assets – SoNS)

The reforms in the SLACIP Act seek to make risk management, preparedness, prevention and resilience business as usual for the owners and operators of critical infrastructure assets, and to improve information exchange between industry and government to build a more comprehensive understanding of threats. These reforms will give Australians reassurance that our essential services are resilient and protected.

The Department recognises that engagement and education will be crucial to the success of these reforms and is committed to working with entities to ensure these reforms are understood and can be practically implemented.


US to Strengthen Public and Private Sector Cybersecurity

Package Includes Senator Peters' Bipartisan Bills to Protect Critical Infrastructure and Federal Networks, and Ensure Government Can Safely Adopt Cloud Technology

U.S. Senator Gary Peters (MI), Chairman of the Senate Homeland Security and Governmental Affairs Committee, introduced a landmark legislative package that would significantly enhance our nation’s ability to combat ongoing cybersecurity threats against our critical infrastructure and the federal government – particularly in the face of potential cyber-attacks sponsored by the Russian government in retaliation for U.S. support in Ukraine. The legislation combines language from three bills Peters authored and advanced out of his committee – the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act. The combined bill, known as the Strengthening American Cybersecurity Act, would require critical infrastructure owners and operators and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a substantial cyber-attack. It would also require critical infrastructure owners and operators to report ransomware payments to CISA, modernize the government’s cybersecurity posture, and authorize the Federal Risk and Authorization Management Program (FedRAMP) to ensure federal agencies can quickly and securely adopt cloud-based technologies that improve government operations and efficiency.

“Cyber-attacks against federal networks and critical infrastructure companies – including oil pipelines, meatpacking centers, and wastewater treatment plants – have disrupted lives and livelihoods across the country. That is why, for months, I have been leading efforts to fight back against cybercriminals and foreign adversaries who launch these incessant attacks,” said Senator Peters. “It is clear that, as our nation continues to counter cyber threats and support Ukraine, we need to pass this legislation to provide additional tools to address possible cyber-attacks from adversaries, including the Russian government. This landmark, bipartisan legislative package will provide our lead cybersecurity agency, CISA, with the information and tools needed to warn of potential cybersecurity threats to critical infrastructure, prepare for widespread impacts, coordinate the government’s efforts, and help victims respond to and recover from online breaches. Our efforts will significantly bolster and modernize federal cybersecurity as new, serious software vulnerabilities continue to be discovered, such as the one in log4j. This combined bill will also ensure that agencies can procure cloud-based technology quickly, while ensuring these systems, and the information they store, are secure.”

Last year, hackers breached the network of a major oil pipeline forcing the company to shut down over 5,500 miles of pipeline – leading to increased prices and gas shortages for communities across the East Coast. Last summer, the world’s largest beef supplier was hit by a cyber-attack, prompting shutdowns at company plants and threatening meat supplies all across the nation. As these kinds of attacks continue to rise, Peters’ legislation would help ensure critical infrastructure entities such as banks, electric grids, water networks, and transportation systems are able to quickly recover and provide essential services to the American people in the event of network breaches.

The Strengthening American Cybersecurity Act would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyber-attack, and within 24 hours if they make a ransomware payment. Additionally, the package would update current federal government cybersecurity laws to improve coordination between federal agencies, require the government to take a risk-based approach to cybersecurity, as well as require all civilian agencies to report all cyber-attacks to CISA, and update the threshold for agencies to report cyber incidents to Congress. It also provides additional authorities to CISA to ensure they are the lead federal agency in charge of responding to cybersecurity incidents on federal civilian networks. Finally, the package would authorize FedRAMP for five years to ensure federal agencies are able to quickly and securely adopt cloud-based technologies that improve government efficiency and save taxpayer dollars.

CISA, FBI and Treasury Release Advisory on North Korean State-Sponsored Cyber Actors' Use of Maui Ransomware

Healthcare and Other Sectors Provided with Proactive Steps to Detect and Reduce Risk

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of the Treasury (Treasury) today released a joint Cybersecurity Advisory (CSA) that provides information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.

The CSA titled, “North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector,” provides technical details and indicators of compromise (IOC) observed during multiple FBI incident response activities over a period of more than a year and obtained from industry analysis of Maui samples. North Korean state-sponsored actors were observed using Maui ransomware to encrypt HPH servers responsible for providing healthcare services. In some cases, the malicious activity disrupted the services provided by the victim for prolonged periods.

“As the nation’s cyber defense agency, our team works tirelessly in collaboration with partners to publish timely information that can help organizations prevent and build resilience against all cyber threats,” said CISA's Executive Assistant Director for Cybersecurity, Eric Goldstein. “Today’s advisory comes out of our strong partnership with the FBI and Treasury. This malicious activity by North Korean state-sponsored cyber actors against the healthcare and public health sector poses a significant risk to organizations of all sizes.”

"The FBI, along with our federal partners, remains vigilant in the fight against North Korea's malicious cyber threats to our healthcare sector," said FBI Cyber Division Assistant Director Bryan Vorndran. "We are committed to sharing information and mitigation tactics with our private sector partners to assist them in shoring up their defenses and protecting their systems."

“Ransomware victimizes people and businesses, large and small, across America. Treasury has worked closely with CISA and FBI to counter ransomware and protect financial sector critical infrastructure,” said Rahul Prabhakar, Treasury Deputy Assistant Secretary for Cybersecurity and Critical Infrastructure Protection. “This joint advisory on Maui ransomware provides guidance that organizations of all sizes across the country can use to help defend themselves. We will continue to work closely with our partners to push out actionable information on ransomware and other malicious activity as quickly as possible to help individuals and businesses guard against ever-evolving cyber threats.”

The HPH Sector, as well as other critical infrastructure organizations, is urged to review this joint CSA and apply the recommended mitigations to reduce the likelihood of compromise from ransomware operations. The FBI, CISA, and Treasury assess that North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations, because of the assumption that these organizations are willing to pay ransoms to avoid disruption of the critical life and health services they provide. For more information on state-sponsored North Korean malicious cyber activity, see CISA's North Korea Cyber Threat Overview and Advisories webpage.

The FBI, CISA, and Treasury strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks. In September 2021, Treasury issued an advisory highlighting the sanctions risk associated with ransomware payments and providing steps that can be taken by companies to mitigate the risk of being a victim of ransomware.

CISA Releases Second Version of Guidance for Secure Migration to the Cloud

The Cybersecurity and Infrastructure Security Agency (CISA) published the second version of “Cloud Security Technical Reference Architecture (TRA)” today, which strengthens guidance to fulfill a key mandate under President Biden’s Executive Order (EO) 14028 - "Improving the Nation's Cybersecurity." The Cloud Services TRA is designed to guide agencies’ secure migration to the cloud by defining and clarifying considerations for shared services, cloud migration, and cloud security posture management.

As the Federal Government, along with organizations across sectors, continues to migrate to the cloud, it is paramount that agencies implement measures to protect it. The Cloud Security TRA, co-authored by CISA, the United States Digital Service (USDS), and the Federal Risk and Authorization Management Program (FedRAMP), provides foundational guidance for organizations to use public cloud more securely and to improve the ability of the federal government to identify, detect, protect, respond, and recover from cyber incidents.

“As the nation’s cyber defense agency, CISA works collaboratively with our interagency partners to implement improvements that make our federal civilian agencies more resilient to cyber threats,” said Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA. “The updated Cloud Security TRA is a key step forward for each agency’s transition to the cloud environment. CISA and our partners will continue to provide expert, coherent, and timely guidance to help agencies modernize their networks with sound cybersecurity and resilience to protect against evolving cyber adversaries. While the TRA was developed for federal agencies, all organizations using or migrating to cloud environments should review this document and adopt the practices therein as applicable to most effectively manage organizational risk.”

In consultation with the Office of Management and Budget, the three agencies adjudicated more than 300 public comments received in September 2021. This feedback helped to further strengthen the Cloud Security TRA and fully address a host of considerations for secure cloud migration. A summary of the feedback received, as well as a Response to Comments (RTC), is available in the Response to Comments for Cloud Security Technical Reference Architecture.

How to map the Cybersecurity Threat Landscape? Follow the ENISA 6-step Methodology

The cybersecurity threat landscape methodology developed by the European Union Agency for Cybersecurity (ENISA) aims at promoting consistent and transparent threat intelligence sharing across the European Union.

With a cyber threat landscape in constant evolution, the need for updated and accurate information on the current situation is growing, and this is a key element for assessing relevant risks.

This is why ENISA releases today an open and transparent framework to support the development of threat landscapes.

The ENISA methodology aims to provide a baseline for the transparent and systematic delivery of horizontal, thematic and sectorial cybersecurity threat landscapes (CTL), built on a systematic and transparent process for data collection and analysis.

Who can benefit from this new methodology?

This new methodology is made available to ENISA’s stakeholders and to other interested parties who wish to generate their own cyber threat landscapes. Adopting and/or adapting the proposed new CTL framework will enhance their ability to build situational awareness, to monitor and to tackle existing and potential threats.

ENISA will also be using this new methodology to deliver an enhanced annual ENISA Threat Landscape (ETL). It will also be used to generate technical or sectorial threat landscapes.

How does the methodology work?

The framework is based on the different elements considered in the performance of the cybersecurity threat landscape analysis. It therefore includes the identification and definition of the process, methods and tools used as well as the stakeholders involved.

Building on the existing modus operandi, this methodology provides directions on the following:

- defining components and contents of each of the different types of CTL;
- assessing the target audience for each type of CTL to be performed;
- how data sources are collected;
- how data is analysed;
- how data is to be disseminated;
- how feedback is to be collected and analysed.

The ENISA methodology consists of six main steps, with feedback foreseen for and associated with each of these steps:

1. Direction;
2. Collection;
3. Processing;
4. Analysis and production;
5. Dissemination;
6. Feedback.

This CTL methodology has been validated by the ENISA ad-hoc working group on the Cybersecurity Threat Landscape (CTL WG). The group consists of European and international experts from both public and private sector entities.

Defense Industrial Base: DOD Should Take Actions to Strengthen Its Risk Mitigation Approach

A healthy defense industrial base that provides the capacity and capability to produce advanced weapon systems is critical to maintaining U.S. national security objectives. The U.S. industrial base currently consists of over 200,000 companies. Mitigating risks—such as reliance on foreign and single-source suppliers—is essential for DOD to avoid supply disruptions and ensure that the industrial base can meet current and future needs.

Since 2017, the White House has issued executive orders directing DOD and other agencies to assess risks to the defense industrial base and high priority supply chains such as semiconductors.

Congress also directed DOD to develop an analytical framework for mitigating risks and included a provision for GAO to review DOD's efforts. This report assesses (1) DOD's strategy for mitigating industrial base risks, and (2) the extent to which DOD is monitoring and reporting on its progress in mitigating risks. GAO analyzed DOD policies and reports and interviewed DOD officials.

More than 200,000 companies provide supplies, parts, and manufacturing for DOD's weapon systems. Risks to this defense industrial base include materials shortages, reliance on foreign suppliers, and more.

Various DOD offices and the military services monitor such risks and work to mitigate them. However, DOD doesn't have a robust strategy to mitigate risks or track progress department-wide.

Visibility over its department-wide efforts could help DOD determine whether the billions of dollars being spent are paying off. We recommended developing a robust strategy and measuring and reporting on DOD-wide industrial base risk mitigation efforts.

The Department of Defense's (DOD) Industrial Base Policy office does not yet have a consolidated and comprehensive strategy to mitigate risks to the industrial base—the companies that develop and manufacture technologies and weapon systems for DOD. The office is using a combination of four previously issued reports that were created for other requirements because it devoted its resources to completing other priorities. Collectively, the reports do not include several elements GAO has previously identified that would help DOD achieve results, evaluate progress, and ensure accountability.

DOD must update its industrial base strategy following the submission of the next National Security Strategy Report, which is expected to be issued later in 2022. By including all elements in a consolidated strategy, DOD could better ensure that all appropriate organizations are working toward the same priorities, promoting supply chain resiliency, and supporting national security objectives.

DOD is carrying out numerous efforts to mitigate risks to the industrial base. This includes more than $1 billion in reported efforts under Navy submarine and destroyer programs and $125 million to sustain a domestic microelectronics manufacturer. However, DOD has limited insight into the effectiveness of these efforts and how much progress it has made addressing risks. For example:

- The Industrial Base Policy office and military services have not established enterprise-wide performance measures to monitor the aggregate effectiveness of DOD's mitigation efforts.
- DOD's annual Industrial Capabilities Reports do not include information about the progress the department has made in mitigating risks.

GAO's prior work on enterprise risk management establishes that agencies should monitor and report on the status and effectiveness of their risk mitigation efforts. Without key monitoring and reporting information, DOD and Congress do not have sufficient information to help determine whether industrial base risks have been mitigated and what additional resources or actions may be needed.

GAO is making six recommendations, including that DOD develop a consolidated and comprehensive strategy to mitigate industrial base risks; develop and use enterprise-wide performance measures to monitor the aggregate effectiveness of its efforts; and report on its progress in mitigating risks. DOD generally concurred with the recommendations and identified some actions to address them.

Coastal Navigation: Authorized Purposes of Marine Structures Can Impact Corps' Maintenance and Repair

The movement of commerce involves the ability of the Corps to provide safe, reliable, efficient, and environmentally sustainable waterborne transportation systems. The agency is tasked with maintaining and repairing coastal navigation structures that are part of harbors and ports. The Corps' activities, including the type and scope of coastal navigation structures that the Corps may construct and maintain, are authorized by Congress. The authorization usually refers to the document or report recommending the project to Congress, which Congress then references in the legislation authorizing the project.

A number of the coastal navigation structures maintained by the Corps were built over a century ago and may no longer be sufficient to meet current conditions and changes in the climate. For example, increased wave and storm intensity in coastal areas threatens the integrity of jetties that shelter harbor basins and entrances from waves. This potentially jeopardizes lives and communities, disrupts commercial navigation traffic, and increases the frequency and cost of needed repairs.

A report accompanying the 2020 Energy and Water Development and Related Agencies Appropriations Bill includes a provision for GAO to review how to increase the Corps' capacity to repair and maintain existing projects before they deteriorate to the point of failure. This report describes what factors, if any, affect the Corps' ability to consider impacts not directly related to navigation when determining which existing coastal navigation structures to maintain and repair.

To address this objective, GAO selected coastal navigation structures at four projects for use as illustrative examples based on input from Corps officials. GAO reviewed legislation and Corps documents to verify statements about the Corps' oversight of the structures, as appropriate. GAO interviewed officials from Corps headquarters, all eight divisions based in the United States, and at least one district from each division (16 districts total). GAO also interviewed nonfederal partners, such as officials from state and local government and organizations representing the navigation industry.

The authorized purpose of coastal navigation structures can impact the U.S. Army Corps of Engineers' (Corps) maintenance and repair decisions. According to Corps officials in headquarters, divisions, and selected districts, the authorizing language for coastal navigation structures in some instances (1) designates navigation as the structures' authorized purpose and (2) can restrict flexibility or adaptive management.

Specifically, the authorizing language directs the Corps to consider navigation benefits and impacts for coastal navigation structures when making repair decisions. Corps officials said that because there is not enough funding to cover all the maintenance and repair needs for these structures in a given year, the agency prioritizes the structures based on navigation-focused criteria—primarily the amount of commercial tonnage. Yet some structures provide economic value even though they may not have the highest commercial tonnage, according to Corps officials. These officials said that they cannot incorporate nonnavigation benefits of structures, such as protection of coastal areas, when making decisions, absent a change to the authorizing language or an additional authorization.

The authorizing language can also restrict the Corps' ability to adapt structures to current conditions. The language can include or reference structure specifications—specific length or height—that do not allow the Corps to make updates to the structures that could better address current or changing conditions, according to Corps officials. The officials told GAO that although the authorizing language for structures varies in its level of specificity, where the language is restrictive it requires the Corps to use original design specifications, which can date back decades, when repairing damaged structures. The Corps views repairs that do not adhere to the original specifications as unauthorized. However, these specifications may not reflect current design standards or changes in the conditions affecting the structures since the structures were built. For example, the structures' designs may not be able to address more frequent severe storms and wave action and sea level rise. Flexibility in making decisions on how to maintain and repair coastal navigation structures could better position the Corps to address these changing conditions, according to Corps officials.

EU-funded project supports stress testing of Tajikistan’s disaster risk management system

Experts from the National Platform for Disaster Risk Reduction of Tajikistan, international and local organizations, and representatives of business and academia participated in a workshop stress-testing Tajikistan's disaster risk management (DRM) system against the most impactful disaster scenarios in the country. The workshop was funded by the European Union (EU) and organized by the United Nations Office for Disaster Risk Reduction (UNDRR) within the joint project on disaster risk reduction in Central Asia.

Tajikistan’s Committee of Emergency Situations & Civil Defense and UNDRR concluded a comprehensive DRM system capacity assessment and planning exercise, which revealed major needs and challenges in the system and suggested a targeted plan of action to strengthen the disaster risk reduction (DRR) policy implementation in the country.

As the next step of the process, the EU-UNDRR project supported the National Platform to conduct a stress test analysis - a scenario-based multi-stakeholder assessment process to evaluate the state of national capabilities to reduce, absorb and transfer disaster risk and develop a targeted action plan to further support the strengthening of the DRM system. During the meeting, participants developed disaster scenarios for Tajikistan based on relevant sources, and prioritized required DRM system capacities against the disaster scenarios.

Over the past years, Tajikistan has made significant progress in increasing its capacity in DRM and in the implementation of the Sendai Framework for Disaster Risk Reduction 2015-2030. As part of the work towards reducing disaster risks, Tajikistan developed and adopted the National Strategy for Disaster Risk Reduction in 2019; its implementation is guided by the National Platform for DRR. However, the increasing challenges posed by climate change and the rapid change of global hazard trends may place strong stress on the DRM system of the country.

Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks

U.S. critical infrastructure (such as utilities, financial services, and pipelines) faces increasing cybersecurity risks. Understanding these risks and associated vulnerabilities, threats, and impacts is essential to protecting critical infrastructure.

Cybersecurity Vulnerabilities, Threats, and Impacts

Vulnerabilities. Critical infrastructure has become more vulnerable to cyberattacks for reasons that include greater use of interconnected electronic systems.

Threats. Threat actors—such as nation-states, criminal groups, and terrorists—have become increasingly capable of carrying out cyberattacks on critical infrastructure.

Impacts. Federal and industry data indicate that cyberattacks—including those affecting critical infrastructure—generally have increased in frequency and cost.

Source: Prior GAO reports and GAO analysis of agency and industry documentation.

The effects of cyber incidents can spill over from the initial target to economically linked firms—magnifying damage to the economy. For example, in May 2021 the Colonial Pipeline Company learned that it was the victim of a cyberattack that led to short-lived gasoline shortages.

Cyber insurance and the Terrorism Risk Insurance Program (TRIP)—the government backstop for losses from terrorism—are both limited in their ability to cover potentially catastrophic losses from systemic cyberattacks. Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware. However, private insurers have been taking steps to limit their potential losses from systemic cyber events. For example, insurers are excluding coverage for losses from cyber warfare and infrastructure outages. TRIP covers losses from cyberattacks if they are considered terrorism, among other requirements. However, cyberattacks may not meet the program's criteria to be certified as terrorism, even if they resulted in catastrophic losses. For example, attacks must be violent or coercive in nature to be certified.

The Department of the Treasury's Federal Insurance Office (FIO) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) both have taken steps to understand the financial implications of growing cybersecurity risks. However, they have not assessed the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response. CISA is the primary risk advisor on critical infrastructure and FIO the federal monitor of the insurance sector. Accordingly, they are well-positioned to jointly perform such an assessment. Doing so and reporting the results to Congress can inform deliberations on whether a federal insurance response is warranted.

If such a response were deemed necessary, GAO's framework for providing federal assistance to private market participants (GAO-10-719) could help inform its design. The framework notes the need to define the problem, mitigate moral hazard (that the existence of a federal backstop could result in entities taking greater risks), and protect taxpayer interests. Consistent with these elements, any federal insurance response should include clear criteria for coverage, specific cybersecurity requirements, and a dedicated funding mechanism with concessions from all market participants.

Cyber threats to critical infrastructure represent a significant economic challenge. Although cyber incident costs are paid in part by the private cyber insurance market, growing cyber threats have created uncertainty in this evolving market.

The Further Consolidated Appropriations Act, 2020, includes a provision for GAO to study cyber risks to U.S. critical infrastructure and available insurance for these risks. This report examines the extent to which (1) cyber risks for critical infrastructure exist; (2) private insurance covers catastrophic cyber losses and TRIP provides a backstop for such losses; and (3) cognizant federal agencies have assessed a potential federal response for cyberattacks.

GAO reviewed cyber insurance coverage literature and reports on cyber risk and the insurance market. GAO interviewed CISA and FIO officials and industry stakeholders (e.g., critical infrastructure owners, insurers, and brokers) that were selected based on factors such as expertise and market share.

Cyber insurance can help offset costs of some common cyber risks, like data breaches or ransomware. But cyber risks are growing, and cyberattacks targeting critical infrastructure—like utilities or financial services—could affect entire systems and result in catastrophic financial loss.

Insurers and the government's terrorism risk insurance may not be able to cover such losses. For example, the government's insurance may only cover cyberattacks if they can be considered "terrorism" under its defined criteria.

CISA and FIO should jointly assess the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response, and inform Congress of the results of their assessment. Both agencies agreed with the recommendations.
