The Federal government’s watchdog is giving agencies credit for big policy moves to improve cybersecurity but is pounding the table with urgency for those agencies to catch up on more than 500 previous recommendations for improving cybersecurity – including more thoroughly implementing the Biden administration’s recent cyber policy directives.
A new Government Accountability Office (GAO) report out today finds that since 2010, GAO has made 1,610 recommendations to address the government’s major cybersecurity challenges. Federal agencies have implemented 1,043 of the recommendations, but 567 remain unimplemented.
The report defines the government’s four major cybersecurity challenges as: establishing a comprehensive cybersecurity strategy and performing effective oversight; securing Federal systems and information; protecting the cybersecurity of critical infrastructure; and protecting privacy and sensitive data.
“Concerted action among the federal government and its nonfederal partners is critical to mitigating the risks posted by cyber-based threats,” the 89-page report says. “Recognizing the growing threat, the federal government urgently needs to take action to address the four major cybersecurity challenges and 10 associated critical actions.”
Until the remaining 567 recommendations are fully implemented, GAO warns that Federal agencies will be limited in their ability to:
- Provide effective oversight of critical governmentwide initiatives, mitigate global supply chain risks, address challenges with cybersecurity workforce management, and better ensure the security of emerging technologies;
- Improve implementation of governmentwide cybersecurity initiatives, address weaknesses in Federal agency information security programs, and enhance the Federal response to cyber incidents;
- Mitigate cybersecurity risks for key critical infrastructure systems and their data; and
- Protect private and sensitive data entrusted to them.
NCS Isn’t as Strong as it Could be, GAO Warns
Earlier this year, GAO found that the Biden-Harris administration’s March 2023 National Cybersecurity Strategy (NCS) “isn’t as strong as it could be” – arguing that the White House needs to implement outcome-oriented performance measures for various cybersecurity initiatives.
The watchdog agency has made nearly 400 recommendations to strengthen the National Cybersecurity Strategy and agencies’ ability to perform effective oversight. As of May, 170 of its recommendations have not been acted on, GAO found.
“In addition, the federal government needs to take action to ensure it is monitoring the global supply chain, confirm it has the highly skilled cyber workforce it needs, and address risk associated with emerging technologies – such as artificial intelligence,” GAO’s Director of IT and Cybersecurity, Marisol Cruz Cain, wrote in a June 13 blog post. “The government and the private sector are at risk when emerging threats aren’t addressed.”
Feds Limited in Ability to Improve Security of Systems
GAO emphasized that ineffective security controls could leave government information systems vulnerable to attack and delay responses.
Cruz Cain specifically notes that the December 2021 Log4j-based attack on Federal IT was deemed an “endemic vulnerability” – meaning that vulnerabilities will remain in systems for years despite actions to address them.
“We’ve reported on federal efforts to help agencies address weaknesses like these so that systems and information are more secure,” she wrote. “We’ve made more than 800 recommendations to improve efforts. But 221 of these recommendations have not been implemented, as of May. Doing so can greatly enhance the federal response to cyber incidents.”
Infrastructure Remains Vulnerable
Critical infrastructure sectors remain vulnerable to cyberattacks, as all 16 of the sectors rely heavily on IT systems to operate, the GAO said.
The report notes that GAO has made 126 recommendations to better protect the cybersecurity of critical infrastructure, but action is still needed on more than half of them.
“Attacks on critical infrastructure sectors continue to grow and could seriously harm human safety, national security, the environment, and the economy,” Cruz Cain wrote. “The federal government has taken some steps to address the challenges with protecting these systems from cyberattacks. But we see persistent shortcomings in these efforts.”
Efforts to Protect Privacy Limited
Finally, the GAO said it made nearly 250 recommendations – 112 still require action – on protecting privacy and sensitive data.
“While collection and use of personal data increases, there’s still no comprehensive U.S. internet privacy law about companies’ collection, use, or sale of your data,” Cruz Cain wrote. “This leaves consumers like you with limited assurances that your privacy will be protected.”
“Until actions are taken and our recommendations are implemented, the federal government, the national critical infrastructure, and the personal information of U.S. citizens will be increasingly susceptible to a multitude of cyber-related threats,” she concluded.
