We're just shouting into the void, says US watchdog offering cybersecurity advice
Federal depts ignore almost 60% of IT defense recommendations
Since coming into office two years ago, the Biden Administration has made the cyber defenses of US government agencies – as well as the private sector – a key focus.
However, the US Government Accountability Office (GAO) – Congress' auditing and investigative arm – says that since 2010 it has made about 335 cybersecurity recommendations, and that almost 60 percent of those had not been implemented by the end of 2022.
At a time when cyberthreats against the government are growing in both number and sophistication, not following through on about 190 of those recommendations could have significant ramifications, the agency said in a report this month, the first of four it plans to roll out to highlight the primary cybersecurity areas the federal government needs to address.
This first one focuses on strategy and oversight. "Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them," the GAO wrote in the report.
The agency says the government needs to address four key areas: create a more comprehensive cybersecurity strategy, address supply-chain risks, deal with a shortage of federal cybersecurity workers (a problem the private sector also is dealing with), and strengthen the security of emerging technologies, including connected devices, operational technology (OT), artificial intelligence (AI), and quantum computing.
The agency says it began banging the drum in 1997 about the need to prioritize information security, expanded that focus in 2003 to include protecting critical infrastructure, and 12 years later brought the need to shield personally identifiable information (PII) as well.
The White House in September 2018 rolled out its National Cyber Strategy, followed a year later by an implementation plan by the National Security Council. The plan didn't cover all the areas that the GAO said needed to be addressed and in 2020 the agency said it either should be updated or replaced.
Efforts around cybersecurity accelerated when President Joe Biden came into the White House in 2021. Five months later, the Administration issued its Executive Order for Improving Cybersecurity and has continued to make it a priority through such agencies as the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Justice.
In June 2021, the Senate confirmed Chris Inglis as the Biden Administration's choice as the first national cyber director to head up the Office of the National Cyber Director (ONCD), and as of August 2022 a new national cybersecurity strategy is being developed. The White House will soon have to choose another director; Inglis is expected to retire early this year.
Addressing supply-chain risks has been a challenge, according to the GAO, which made seven recommendations – including developing policies for managing supply chain risks, identifying and documenting an agency's supply chain, and detecting counterfeit and compromised information and communications technologies (ICT) before they're deployed.
Supply-chain risks are a particular concern for the US government, which found a number of federal agencies were affected by the hack by Russian operatives on SolarWinds' Orion software in 2020.
As of December 2020, none of the 23 agencies – including the Departments of Energy, Homeland Security (DHS), Education, and NASA – had implemented all seven recommendations and 14 had not completed any.
It hadn't improved after two years: By December 2022, 130 of the GAO's 145 recommendations were not yet implemented and none of the 23 agencies had fully implemented all that were addressed to them.
The GAO had also said that creating a government-wide plan to address the federal cybersecurity worker shortage was something the Office of Management and Budget (OMB) and DHS had taken steps to address. However, last year the responsibility for workforce issues moved from OMB and DHS to the ONCD.
"Since the transition, the Director has committed to developing a national strategy that addresses cyber training and education, digital awareness, and the cyber workforce," GAO wrote. "This commitment is consistent with the current Administration's management agenda [to] address critical skills gaps across the federal IT and cybersecurity workforce."
Last month, the GAO reported that the Departments of Energy, Health and Human Services, Transportation, and Homeland Security were working on programs to protect critical infrastructure sectors that extensively use Internet of Things (IoT) and OT systems, though without the necessary metrics it was difficult to determine how effective they are.
They also lack IoT and OT security risk assessments. The agencies need to fix that, the GAO wrote.
The agency also said that government oversight needs to evolve to keep pace with the rapid advancements in AI technologies and that steps need to be taken now to prepare for the arrival of quantum computing, which will bring its share of cybersecurity threats.
"A full-scale quantum computer has the potential to break standard encryption technologies, creating a major information security risk," the agency wrote. "As a result, the federal government's cybersecurity infrastructure will need to evolve to address this threat."