A new report by the Government Accountability Office (GAO) details the urgent action needed to address the critical cybersecurity challenges facing the nation.
Key Takeaways
- GAO has made 1,610 recommendations to address 4 major cybersecurity issues
- 1,043 of these recommendations have been implemented, 567 remain
- GAO has recommended 10 critical actions in response to its findings
- Federal agencies reported over 30,000 information security incidents in FY 2022
Released June 13, 2024, the latest in the GAO ‘High Risk Series’ of reports highlights the challenges faced by the federal government in establishing a comprehensive cybersecurity strategy and performing effective oversight.
The report points to the increasing frequency and sophistication of cybersecurity incidents as the driver behind the urgency to address these challenges, with risks to essential technology systems increasing and threats coming from a range of sources, varying in type, capabilities and motive.
In fiscal year (FY) 2022, Federal agencies reported a total of 30,659 information security incidents to the Department of Homeland Security’s (DHS) United States Computer Emergency Readiness Team (US-CERT). As per the report, “such attacks could result in serious harm to human safety, national security, the environment, and the economy.”
GAO has made 1,610 recommendations to address issues in 4 major cybersecurity areas since 2010. To date, Federal agencies have implemented 1,043 of these recommendations, with 567 still not implemented as of May 2024.
The report suggests that whilst these recommendations remain unimplemented, federal agencies are limited in their ability to:
- Provide effective oversight of critical government-wide initiatives
- Mitigate global supply chain risks
- Address challenges with cybersecurity workforce management
- Better ensure the security of emerging technologies
- Improve implementation of government-wide cybersecurity initiatives
- Address weaknesses in federal agency information security programs
- Enhance the federal response to cyber incidents
- Mitigate cybersecurity risks for key critical infrastructure systems and their data
- Protect private and sensitive data entrusted to them
Main Cybersecurity Challenges
The four major cybersecurity challenges established by the GAO are:
- Establishing a comprehensive cybersecurity strategy and performing effective oversight – 170 (43%) of 396 recommendations have not been implemented (as of May 2024)
- Securing federal systems and information – 221 (26%) of 839 recommendations have not been implemented (as of May 2024)
- Protecting the cybersecurity of critical infrastructure – 64 (51%) of 126 recommendations have not been implemented (as of May 2024)
- Protecting privacy and sensitive data – 112 (45%) of 249 recommendations have not been implemented (as of May 2024)
Critical Actions
Through the information gathered, the GAO has recommended 10 critical actions to counteract the risks.
- Develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace
- Mitigate global supply chain risks (for example, installation of malicious software or hardware)
- Address cybersecurity workforce management challenges
- Bolster the security of emerging technologies (for example, artificial intelligence and Internet of Things)
- Improve implementation of government-wide cybersecurity initiatives
- Address weaknesses in federal agency information security programs
- Enhance the federal response to cyber incidents
- Strengthen the federal role in protecting the cybersecurity of critical infrastructure (for example, the electricity grid and telecommunications networks)
- Improve federal efforts to protect privacy and sensitive data
- Appropriately limit the collection and use of personal information and ensure that it is obtained with appropriate knowledge or consent
In summary, the GAO proposes that the federal government needs to urgently take action to address the challenges and associated critical actions detailed in the report, saying that “concerted action among the federal government and its nonfederal partners is critical to mitigating the risks posed by cyber-based threats.”