On October 30, 2017, the United States Government Accountability Office (“GAO”) issued a report on the Department of Homeland Security’s (“DHS”) risk assessment practices for critical infrastructure. GAO reviewed DHS’s practices in three of sixteen critical infrastructure sectors and assessed private sector representatives’ views on the utility of DHS’s risk information. Notably, half of the private sector respondents reported that the lag time between DHS learning of threat information and passing it on to the industry caused the information to become stale and less effective in protecting against cyber and physical threats.
DHS’s Office of Intelligence and Analysis assesses natural and manmade threats, including terrorist attacks and cyberattacks, and disseminates this information to critical infrastructure owners and operators. For example, the Transportation Security Administration, a DHS agency, provides threat intelligence to mass transit security directors and others through joint classified briefings. DHS officials also provide tools and resources for assessing asset and facility vulnerabilities and the consequences of incidents, such as cyberattacks, that result in losses.
Three of the six industry representatives that GAO interviewed, all of whom sit on coordinating councils that establish information sharing processes between their industries and the government, said DHS shares threat information too slowly. All six private sector representatives told GAO that threat information is the most useful type of risk information because it allows owners and operators to react immediately to improve their security posture. The representatives interviewed were from the manufacturing, nuclear, and transportation sectors.
Representatives from two of the three sectors said DHS’s cyber and physical vulnerability assessments for specific companies are useful. They were less confident, however, in endorsing sector-wide assessments DHS conducts because vulnerabilities vary so widely from one company to the next. The GAO report does not include any recommendations.