GAO: CISA, Treasury Must Assess Critical Infrastructure Risks

When attackers breached Colonial Pipeline using a stolen password, it took a lot of people by surprise. But the reality is that such attacks against critical infrastructure had been brewing for some time. Last week, the U.S. Government Accountability Office (GAO) sought to make sure the nation is adequately prepared financially for such attacks.

There’s been an increase in cyberattacks on U.S. critical infrastructure in recent years—or at least more of these attacks have been publicly disclosed. Iranian attackers, for instance, managed to breach the Bowman Avenue Dam in New York in 2013 and gained control of the dam’s floodgates. In March of 2021, reports surfaced of attackers successfully breaching a water treatment facility in Oldsmar, Florida.

In 2016, the U.S. Department of Homeland Security’s ICS-CERT reported a 20% increase in attacks on critical manufacturers, and in April 2022 CISA, the FBI, the NSA and others warned that Russian state-sponsored threat actors maintained a keen interest in U.S. critical infrastructure.

In a report issued last week, the GAO concluded that such incidents can cause cascading economic damage. In addition to increasing cybersecurity defenses and the nation’s ability to directly respond to such incidents, cyberinsurance and the Terrorism Risk Insurance Program (TRIP) can provide a safety net in the event of successful and catastrophic attacks, according to the GAO report.

“Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware. However, private insurers have been taking steps to limit their potential losses from systemic cyber events. For example, insurers are excluding coverage for losses from cyber warfare and infrastructure outages,” the GAO wrote. “TRIP covers losses from cyberattacks if they are considered terrorism, among other requirements. However, cyberattacks may not meet the program’s criteria to be certified as terrorism, even if they resulted in catastrophic losses. For example, attacks must be violent or coercive in nature to be certified,” the GAO continued.

Such financial exposure, especially from systemic attacks on critical infrastructure, poses significant risk. Consequently, the U.S. Congress charged the GAO with studying cybersecurity risks to U.S. critical infrastructure and the insurance available for those risks.

The report, GAO-22-10426, examined the extent of the risk cyberattacks pose to critical infrastructure and the degree to which the private insurance market and TRIP protect against those risks. The GAO also interviewed CISA and the Department of the Treasury’s Federal Insurance Office (FIO) officials as well as stakeholders within critical infrastructure.

The GAO found:

Vulnerabilities. Critical infrastructure has become more vulnerable to cyberattacks due to the greater use of interconnected electronic systems.

Threats. Threat actors—such as nation-states, criminal groups and terrorists—have become increasingly capable of carrying out cyberattacks on critical infrastructure.

Impacts. Federal and industry data indicated that cyberattacks—including those affecting critical infrastructure—generally have increased in frequency and cost.

The GAO also concluded that the cybersecurity risks facing U.S. critical infrastructure are significant and growing and that cyberinsurance is one tool policyholders can use to help offset some of the associated losses.

“However, it is a tool that has been calibrated for non-catastrophic events. Whether insurers will continue to make coverage available for large cyberattacks with systemic effects resulting from the connectivity of interconnected systems is uncertain,” the GAO wrote.

The GAO recommended that CISA and the Treasury’s FIO jointly assess the cybersecurity risks to critical infrastructure and the potential financial risks that may call for some type of federal insurance response.