GAO: Federal agencies lack insight on ransomware protections for critical infrastructure
Federal agencies charged with overseeing the manufacturing, energy, health care and transportation sectors are largely in the dark on whether companies in these sectors have adopted recommended ransomware protections, a new Government Accountability Office report found.
In examining the six lead agencies for those four sectors, the GAO said that “none have fully assessed the effectiveness of their support to sectors” as called out in the Department of Homeland Security’s 2013 National Infrastructure Protection Plan, nor have they “determined the extent of adoption of the National Institute of Standards and Technology’s recommended practices for addressing ransomware.”
Without thorough assessments from the six sector risk management agencies examined in the report — the Cybersecurity and Infrastructure Security Agency, the Department of Energy, the Department of Health and Human Services, the U.S. Coast Guard, Transportation Security Administration, and the Department of Transportation — their respective sectors are missing out on “communication, coordination, and timely sharing of threat and incident information,” the GAO stated.
The report from GAO, which conducted a performance audit from August 2022 to January 2024, comes amid a proliferation of ransomware attacks on critical infrastructure, including against U.S. manufacturing plants and health care facilities as well as high-profile incidents with energy systems, such as Colonial Pipeline in May 2021.
From October 2021 to October 2022, CISA reported more than 250 ransomware incidents involving the manufacturing, energy, health care and transportation critical infrastructure sectors. The FBI, meanwhile, noted that among the 870 critical infrastructure organizations that the bureau reported to be victims of ransomware, nearly half came from those four sectors.
Given the scattershot reporting approaches of ransomware attacks from both the public and private sector, CISA is working on new rules to create standardization in how ransomware attacks are reported. The lack of current reporting requirements “makes it more challenging for SRMAs to know the full impact of ransomware on their respective sectors,” the GAO noted.
The GAO’s 11 recommendations were met with varied responses: DHS and HHS agreed with their recommendations, while DOE and DOT agreed with some and disagreed with others.
“Given that ransomware remains one of the most serious and concerning cybersecurity challenges to our nation’s critical infrastructure, it is vital that the SRMAs assess risks and measure the effectiveness of their support activities to better protect their respective sectors from this pervasive threat,” the report said.
