Testifying before the House Subcommittee on Research and Technology, Committee on Science, Space and Technology today, Gregory C. Wilshusen, Director, Government Accountability Office (GAO) Information Security Issues, warned GAO “has consistently identified shortcomings in the federal government’s approach to ensuring the security of federal information systems and cyber critical infrastructure, as well as its approach to protecting the privacy of personally identifiable information (PII),” and that, “Over the past several years [GAO] has made about 2,500 recommendations to federal agencies to enhance their information security programs and controls.”
As of February 2017, GAO reported, about 1,000 of its recommendations had not yet been implemented.
Saying, “Cyber-based intrusions and attacks on federal systems and systems supporting our nation’s critical infrastructure, such as communications and financial services, are evolving and becoming more sophisticated,” GAO also emphasized that, “While previous administrations and agencies have acted to improve the protections over federal and critical infrastructure information and information systems, the federal government needs to take the following actions to strengthen US cybersecurity:”
- Effectively implement risk-based entity-wide information security programs consistently over time. Among other things, agencies need to: implement sustainable processes for securely configuring operating systems, applications, workstations, servers and network devices.
- Patch vulnerable systems and replace unsupported software; develop comprehensive security test and evaluation procedures and conduct examinations on a regular and recurring basis; and strengthen oversight of contractors providing IT services.
- Improve its cyber incident detection, response and mitigation capabilities, noting, “The Department of Homeland Security needs to expand the capabilities and support wider adoption of its government-wide intrusion detection and prevention system. In addition, the federal government needs to improve cyber incident response practices, update guidance on reporting data breaches and develop consistent responses to breaches of PII.
- Expand its cyber workforce planning and training efforts. The federal government needs to enhance efforts for recruiting and retaining a qualified cybersecurity workforce and improve cybersecurity workforce planning activities.
- Expand efforts to strengthen cybersecurity of the nation’s critical infrastructures. The federal government needs to develop metrics to assess the effectiveness of efforts promoting the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity and measure and report on effectiveness of cyber risk mitigation activities and the cybersecurity posture of critical infrastructure sectors, and
- Better oversee protection of personally identifiable information. The federal government needs to protect the security and privacy of electronic health information; ensure privacy when face recognition systems are used; and protect the privacy of users’ data on state-based health insurance marketplaces.
Wilshusen said, “Several recommendations made by the Commission on Enhancing National Cybersecurity (Cybersecurity Commission) and the Center for Strategic & International Studies (CSIS) are generally consistent with or similar to GAO’s recommendations in several areas, including: establishing an international cybersecurity strategy, protecting cyber critical infrastructure, promoting use of the NIST cybersecurity framework, prioritizing cybersecurity research and expanding cybersecurity workforces.”
GAO first designated information security as a government-wide high-risk area in 1997. This designation was expanded to include the protection of cyber critical infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015.
“Critical infrastructure includes systems and assets so vital to the United States that incapacitating or destroying them would have a debilitating effect on national security,” Wilshusen said. “Mostly owned and operated by the private sector, these critical infrastructures are grouped by the following industries or ‘sectors:’ chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; health care and public health; information technology (IT); nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.”
Wilshusen said, “The work on which [his] statement is based was conducted in accordance with generally accepted government auditing standards,” and that, “Those standards require that we plan and perform audits to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.”
