GAO: Incentives lacking for infrastructure protection

Despite more than a year of planning and reviews, the nation's critical infrastructure sectors still fall short on providing incentives to private owners to assess vulnerabilities and risks, according to a new report from the Government Accountability Office.

The GAO interviewed representatives from 17 critical infrastructure sectors, which include government facilities, food, water, energy, financial services, communications and information technology. Each sector has a coordinating council that submitted a sector protection plan in December 2006; federal authorities approved those plans in May.

While the sector plans generally meet requirements of the National Infrastructure Protection Plan, there is a major gap because most of the plans fail to provide incentives to private owners and operators to conduct risk assessments, GAO said. About 80 percent of the nation's critical infrastructure is privately owned.

Of nine sector plans reviewed, eight did not include such incentives, GAO reported.

"These incentives are important because a number of the industries in the sectors are privately owned and not regulated, and the government must rely on voluntary compliance with the NIPP," the GAO report states.

Furthermore, some sector plans are not comprehensive in their identification of physical, human and cyber assets. Only one sector, drinking water and water treatment systems, included all three categories of assets as required, GAO said.

This shortcoming is apparent in the communications sector plan for the wireless and satellite industries, GAO said. The plan limited the definition of assets to networks, systems and functions, but did not discuss human assets.

Furthermore, six of the 32 sector council representatives interviewed by the GAO expressed concerns about the usefulness of the Homeland Security Information Network, which is the computer network used by the Homeland Security Department for information-sharing with the critical infrastructure sectors.

"DHS' Infrastructure Protection officials said the system does not provide the capabilities that were promised, including providing the level of security expected by some sectors," GAO said. Also, there are fears that the information on security vulnerabilities may not be adequately protected, may be subjected to legal claims, and may be inadvertently released.