The risks to systems underpinning the nation’s critical infrastructure are increasing as security threats evolve and become more sophisticated. The Government Accountability Office (GAO) first designated information security as a government-wide high-risk area in 1997. This was expanded to include protecting cyber critical infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015. In 2018, it updated this high-risk area to reflect the lack of a comprehensive cybersecurity strategy for the federal government.
Since 2010, GAO has made over 3,000 recommendations to agencies aimed at addressing cybersecurity shortcomings, including protecting cyber critical infrastructure, managing the cybersecurity workforce, and responding to cybersecurity incidents. Of those 3,000 recommendations, 448 were made since GAO’s last high-risk update in February 2017. Although many recommendations have been addressed, about 700 have not yet been implemented.
Nevertheless, the administration has made progress in this high-risk area and continues to meet the leadership commitment criterion through several actions. In May 2017, the President issued an executive order requiring federal agencies to take a variety of actions, including better managing their cybersecurity risks and coordinating to meet reporting requirements related to the cybersecurity of federal networks and critical infrastructure. The National Security Strategy of December 2017 cited cybersecurity as a national priority and identified needed actions. In June 2018, the administration issued a government-wide reform plan and reorganization recommendations that, among other things, proposed solutions to the federal cybersecurity workforce shortage. In September 2018, it released a National Cyber Strategy outlining activities such as securing critical infrastructure, federal networks, and associated information.
Despite these actions, more work is needed. In its March 6, 2019 high-risk update, GAO identifies four major cybersecurity challenges facing the nation:
- establishing a comprehensive cybersecurity strategy and performing effective oversight,
- securing federal systems and information,
- protecting cyber critical infrastructure, and
- protecting privacy and sensitive data.
To address these four major cybersecurity challenges, GAO has set out a number of critical actions the federal government and other entities need to take. These include developing and executing a more comprehensive federal strategy for national cybersecurity and global cyberspace; addressing cybersecurity workforce management challenges; and strengthening the federal role in protecting the cybersecurity of critical infrastructure.
Until these shortcomings are addressed, GAO says, federal agencies' information and systems will be increasingly susceptible to the multitude of cyber-related threats that exist.
GAO has previously suggested that Congress consider amending laws such as the Privacy Act of 1974 and the E-Government Act of 2002. While these laws and the associated guidance set minimum requirements for agencies, they may not consistently protect personally identifiable information (PII) in all circumstances of its collection and use across the federal government, and they may not fully adhere to key privacy principles. GAO has also suggested that Congress consider strengthening the consumer privacy framework and review issues such as the adequacy of consumers' ability to access, correct, and control their personal information, and the privacy controls applicable to newer technologies such as web tracking and mobile devices.