Cybersecurity: Internet Architecture is Considered Resilient, but Federal Agencies Continue to Address Risks



What GAO Found

The communications sector operates the multiple, independent networks that form the basis for the internet. To support the exchange of network traffic, service providers manage and control core infrastructure elements with numerous components, including internet exchange points and submarine cable landing stations that connect to both domestic and international networks (see graphic). Multiple U.S. service providers operate distinct core networks that traverse the nation and interconnect with each other at several points.

How U.S. Internet Core Networks Connect to Service Providers


While experts consider the internet architecture to be resilient, it nevertheless faces a variety of cyber and physical risks that can affect its components; such risks can be intentional or unintentional (see table). Specifically, cyber-related risks can affect two sets of protocols needed to ensure the uniqueness of names used in internet-based services and for facilitating the routing of data packets. In particular, the domain name system translates names, such as www.gao.gov, to numerical addresses used by computers and other devices to route data. Additionally, the border gateway protocol is used to exchange network availability and routing information about individual networks (i.e., destinations). Both of these protocols are threatened by intentional abuse by malicious actors, as well as by unintentional failure. In addition, the internet architecture can be impacted by physical risks, such as cutting or removing fiber-optic cabling.

Risks to Internet Architecture

Cyber intentional

  • Denial-of-service attacks
  • Border gateway protocol (BGP) abuse
  • Domain name system (DNS) abuse
  • Supply chain exploitation
  • Malicious insider(s)

Cyber unintentional

  • BGP failures
  • DNS failures
  • Hardware failures
  • Software failures
  • Operator error

Physical intentional

  • Intentional damage to fiber-optic cabling
  • Attack on an internet architecture facility or related infrastructure

Physical unintentional

  • Unintentional damage to fiber-optic cabling
  • Severe natural event

Source: GAO analysis of federal and nonfederal reports. | GAO-22-104560

Risks, if realized, could result in incidents that disrupt the proper functioning of the internet, including outages, degradation of performance, and interception of traffic. Panelists serving on two panels convened by GAO also stated that the risk of intentional incidents affecting the internet architecture depends on the capabilities and motives of malicious actors. GAO and others have reported on the threats posed by criminal groups and nation states, among others, that could potentially use their capabilities to affect components of the internet architecture. For example, a 2017 Department of Homeland Security information technology-related risk assessment identified organized crime and nation states as threats to operations providing domain name routing services.

As the U.S. government reduced its role regarding internet architecture components, including decommissioning early networks it had developed and relinquishing its oversight role of internet technical capabilities, these responsibilities passed to the global multistakeholder community. No one organization is responsible for the entirety of internet policy, operations, and security. However, the federal government fulfills a variety of different roles that directly address risks to the internet architecture (see table). To fulfill these roles, agencies have taken actions. For example, DHS worked with members of the communications and information technology critical infrastructure sectors to, among other things, complete risk assessments on the sectors’ ability to provide internet capabilities. In addition, the Federal Communications Commission affects the security of the internet architecture through licensing submarine cables and landing stations, and administering a program to remove and replace equipment determined to pose an unacceptable risk to national security.

Federal Roles in Infrastructure Architecture Security

  • Guiding Critical Infrastructure Security and Performing Private Sector Engagement
  • Engaging in International Cyber Diplomacy
  • Supporting Cyber Research and Development
  • Coordinating Cyber Incident Response
  • Investigating and Prosecuting Cyber Criminal Activity
  • Developing Security Standards
  • Regulating Parts of the U.S. Communication Network
  • Addressing Supply Chain Concerns Related to Data Routing Hardware and Services
  • Operating Domain Name System Root Zone Servers
  • Issuing Licenses to Land and Operate Submarine Cables

Source: GAO analysis of federal law and policy, agency documentation, and prior GAO reports. | GAO-22-104560

Why GAO Did This Study

The internet is a global system of interconnected networks used by billions of people across the world to perform personal, educational, commercial, and governmental tasks. The U.S. government over time has relinquished its oversight role of the internet. A global, multistakeholder community made up of many organizations shapes internet policy, operations, and security. But the ongoing and increasing reliance on the internet underscores the need to understand the risks to its underlying architecture.

The House Committee on Armed Services Report accompanying the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 included a provision for GAO to examine internet architecture security. This report (1) identifies security risks related to the internet architecture and (2) determines the extent to which U.S. federal agencies have taken actions to address security risks to the internet architecture.

GAO collected and analyzed publicly available reports from federal and nonfederal organizations to identify risks to internet architecture components (internet exchange points, submarine cabling, the domain name system, and border gateway protocol, among others). GAO also reviewed federal law and policy and its prior work to identify federal internet architecture security roles and responsible agencies. Based on the agencies’ roles, GAO collected and analyzed relevant documents and conducted interviews with officials from the responsible agencies.

In addition, GAO convened two panels with subject matter experts. The panelists have experience in various aspects of the internet architecture, such as owning and operating parts of the infrastructure, participating in and contributing to standards setting organizations, and studying and participating in various multistakeholder governance entities.

During the panel sessions, GAO presented previously identified cyber and physical risks and asked that the experts identify additional risks or concerns that were not identified. GAO and the experts also discussed federal government involvement in addressing the risks.

For more information, contact David B. Hinchman at (214) 777-5719 or hinchmand@gao.gov.




