A new report from the Government Accountability Office (GAO) says the federal government needs to move with greater urgency to improve the nation’s cybersecurity as the country faces “grave and rapidly evolving threats”.
The report, which is an update on previous work, sets out the critical actions needed to address four major challenges that GAO identified back in 2018:
Establishing a comprehensive cybersecurity strategy and performing effective oversight. The prior administration’s September 2018 national cybersecurity strategy and the June 2019 implementation plan detail the executive branch’s approach to managing the nation’s cybersecurity. In September 2020 GAO reported that the national strategy and implementation plan addressed some, but not all, of the desirable characteristics of national strategies, such as goals and resources needed. The new administration needs to either update the existing strategy and plan or develop a new comprehensive strategy that addresses those characteristics.
GAO also highlighted the urgent need to clearly define a central role for leading the implementation of the national strategy. Accordingly, it recommended that Congress consider legislation to designate a position in the White House to lead such an effort. In January 2021, Congress did so by establishing the Office of the National Cyber Director within the Executive Office of the President. GAO said that once the position is filled, the federal government will be better situated to direct activities to overcome the nation’s cyber threats and challenges, and to perform effective oversight.
Although establishing the Cyber Director position is an essential step forward, critical risks remain in supply chains, workforce management, and emerging technologies. For example, in December 2020, GAO reported that none of the 23 agencies in its review had fully implemented key foundational practices for managing information and communications technology supply chains. It made a total of 145 recommendations to the agencies to implement such practices in their approaches to supply chain management.
Securing federal systems and information. GAO found that the federal government has made some progress in securing systems. Nevertheless, federal agencies continue to have numerous cybersecurity weaknesses, due in large part to ineffective information security programs. Further, cyber incidents are increasingly posing a threat to government and private sector entities. The seriousness of the threat was reinforced by the December 2020 discovery of a cyberattack that has had widespread impact on government agencies, critical infrastructures, and the private sector. In 2019 GAO reported that most of the 16 agencies reviewed had incident response processes with key shortcomings, limiting their ability to minimize damage from attacks.
Protecting cyber critical infrastructure. The nation’s critical infrastructure includes both public and private systems vital to national security and to other national priorities, including the delivery of the essential services that underpin American society. Since 2010, GAO has made nearly 80 recommendations to enhance infrastructure cybersecurity; for example, GAO recommended that agencies better measure the adoption of the National Institute of Standards and Technology framework of voluntary cyber standards and correct sector-specific weaknesses. However, most of these recommendations (nearly 50) have not been implemented. As a result, the watchdog says, the risk that unprotected infrastructure will be harmed is heightened.
Protecting privacy and sensitive data. The federal government and private sector have struggled to protect privacy and sensitive data. Advances in technology have made it easy to correlate information about individuals, and ubiquitous internet connectivity has facilitated sophisticated tracking of individuals and their activities. The vast number of individuals affected by various data breaches has underscored concerns that personally identifiable information is not being adequately protected. GAO’s reviews of agency practices to protect sensitive data have identified weaknesses and made numerous recommendations at agencies such as the Department of Housing and Urban Development, Department of Education, and Internal Revenue Service.
In January 2019, GAO reported that the United States did not have a comprehensive internet privacy law governing the collection, use, and sale or other disclosure of consumers’ personal information. Accordingly, GAO recommended that Congress consider developing legislation on internet privacy that, among other things, would enhance consumer protections.
GAO’s March 24 report warns of the risk to supply chains, noting that “the exploitation of information and communications technology (ICT) products and services through the supply chain is an emerging threat.” These risks materialized in December 2020, when the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive and an alert related to the cyberattack campaign that exploited software supply chain weaknesses. In February 2021, President Biden issued an executive order requiring the Secretaries of Commerce and Homeland Security to submit a report by February 2022 on supply chains for critical sectors and subsectors of the ICT industrial base, and requiring that report to review, among other things, cyber risks that could compromise the supply chain.
The National Security Council (NSC) said GAO’s report offered a comprehensive review of the cybersecurity challenges facing the nation and the opportunities available to make concrete improvements. NSC staff also provided the administration’s preliminary views about the four major cybersecurity challenges:
Establishing a comprehensive cybersecurity strategy and performing effective oversight. The administration will review the 2018 national cybersecurity strategy and its implementation plan. The administration will look for gaps in the existing strategy and the evolution of the cyber threat landscape in the intervening years, and will examine where updates are warranted.
Securing federal systems and information. The administration is looking to take early action to secure federal systems and information. These efforts should improve the government’s ability to prevent compromises, as well as its resilience and ability to respond quickly when intrusions occur.
Protecting cyber critical infrastructure. The administration said it is also focused on enhancing cybersecurity protections for critical infrastructure. An early emphasis will be placed on interruptions to services that could pose serious risks to health and safety.
Protecting privacy and sensitive data. The administration responded that it is committed to protecting privacy and sensitive data. The administration will look for opportunities to improve privacy of data, especially in light of how threats and technologies continue to evolve.
Since 2010, GAO has made about 3,300 recommendations to agencies aimed at remedying cybersecurity shortcomings. As of December 2020, more than 750 of those recommendations had not yet been implemented.