Congress' Cyber Watchdog Sees Trouble
A GAO expert identifies cybersecurity gaps across the government.
It is no secret that the U.S. government is grappling with cybersecurity issues across its organizations and agencies. The good news is that the government has an auditing agency that investigates possible weaknesses or cybersecurity gaps and makes key recommendations to rectify problems: the U.S. Government Accountability Office, known as GAO.
“We are starting to see people in government taking the issues more seriously,” says Nick Marinos, a director in the GAO’s Information Technology and Cybersecurity Office. “But in other ways, we are behind the eight ball. Adversaries are advantaged by the fact of the automated ways by which they can attack. They can keep trying and bombarding federal networks. In many ways, there’s little time for the agencies to take a deep breath and realize from a strategic perspective the measures that could help protect their networks.”
In the GAO’s Information Technology and Cybersecurity Office, Marinos and five other executives lead a team of about 170 auditors conducting dozens of audits at a time, primarily involving cybersecurity, information technology management, privacy and data protection issues.
The vast majority of the GAO’s work comes from a congressional request from one or multiple legislators who commonly sit on a committee and have areas in their jurisdiction that they would like to investigate. The GAO also is tasked by law to perform audits. The review could be prompted by provisions from a cybersecurity law that authorizes an executive branch agency to take some action, and Congress wants to make sure that action was performed in accordance with the law or by following best practices, the director notes. For military-related efforts, the GAO performs audits mostly about the strategic and operational nature of the Defense Department’s work in cyberspace.
As a GAO director, Marinos’ responsibility is to be a conduit to Congress, interacting with staff and lawmakers and testifying before Congress when needed.
Depending on the requested audit, the team examines how an agency is protecting its networks and information. They recently conducted reviews of the Food and Drug Administration and the Centers for Disease Control, and they are currently looking at the National Institutes of Health and what that health agency is doing to protect the sensitive and important information that it maintains.
“The nature of the work can span from being extremely technical where we actually have a Center for Enhanced Cybersecurity unit within our team that protects networks,” the director notes. “Our experts go in and meet with the system administrators who are responsible for implementing security protections and through dialogue and tests that we ask the agencies to perform, we get a gauge of how consistently their networks are being protected.”
The team will make highly technical recommendations if they find issues. “Those recommendations we will share immediately with the agency because we want them to be able to take that information and better protect themselves,” he clarifies. “We also want to make sure we got it right because, in some cases, there are more ways than one to ensure that you’ve protected your network. We always try to have a good coordinating relationship with those that we audit.”
The GAO team also looks at the way an organization manages cybersecurity. “We’ll look even more broadly at practices all the way up to the top leadership of an organization, including how they are making risk management decisions, and we’ll make more expansive recommendations out of those reviews,” he explains.
They also are asked to examine the status of government entities that have specific responsibilities for helping other federal agencies and the private sector on cybersecurity governance—such as the Department of Homeland Security. “We’ll look at how their initiatives, which tend to be more governmentwide in nature, are being performed.”
One such review examined the Federal Risk and Authorization Management Program, or FedRAMP, process for adopting cloud computing and whether the program—which certifies that vendors’ cloud solutions to the federal government possess a certain level of security—was working or not. “We found issues that we thought were important to raise so that the key agencies involved could provide the best services possible. And that, in turn, would improve security.”
Another issue the GAO found was that some federal agencies, which are required by the Office of Management and Budget (OMB) to use FedRAMP, do not always use the program for authorizing cloud services. For example, one agency used 90 cloud services that were not authorized, while 14 other agencies used a total of 157 non-FedRAMP cloud services, the GAO says. In addition, the OMB was not effectively monitoring federal compliance with FedRAMP.
Meanwhile, a broader look at the extent to which the executive branch was implementing the 2018 National Cyber Strategy was the focus for Marinos’ team this fall. They looked not only at how agencies responded to the assigned tasks but also at what the White House was doing to keep track of the progress, Marinos explains. “We found that although there was a lot of activity and there was a plan in place, there wasn’t a whole lot of checking up to make sure that progress was being made,” he emphasizes. “We not only made recommendations to the White House to improve the way that they had implemented the strategy, but we also later made recommendations to Congress, which we do on occasion when we think that a fix could probably come through legislation.”
In that case, the GAO recommended that Congress consider passing legislation to establish a central leader within the White House for national cyber issues.
“So, no matter who the president is and what administration exists that there is continuity in terms of recognizing the urgency of addressing cyber challenges, which just continue to grow every day,” Marinos stipulates.
As Congress was applying its own oversight on the 2020 Census efforts, it also looked to the GAO for an independent review on how the Census Bureau prepared for the decennial national count—including important information technology (IT), data and cybersecurity system improvements—and then how the national count was proceeding. The GAO prepared multiple reviews and reports on the matter. “My team focused on the IT and cyber preparations for that,” Marinos shares.
One pre-census audit found that while the large-scale technological changes pursued by the bureau would “introduce great potential for efficiency and effectiveness gains, they also introduce many information security challenges,” the report states. Allowing households to respond to the count via the Internet increased the risks of phishing attacks, while enabling bureau employees to use mobile devices to collect information from households created the need to protect the devices appropriately.
To help inform their cyber and information technology reviews, the GAO also formed a new mission team, the Science, Technology, Assessment and Analytics team (STAA). STAA consists of experts ranging from engineers to physicists and data scientists, Marinos notes.
“We have an opportunity to work with folks in GAO that came from implementation of roles in other parts of the government or from the private sector,” he states. “We are able to see how business is being done outside of government and bring some of those ideas to us as well. We partner with teams like STAA to evaluate not only what federal agencies and the government in general is doing to adopt new technology and to anticipate the impact of that technology, but also to assess five to 10 years out what is this technology going to do, even from a socioeconomic perspective to our nation.”
Naturally, with the advent of the 5G communications network to be followed by 6G, the GAO has a portfolio of audits and assessments reviewing impacts and policies. The GAO recently released a series of reports on 5G, including a technology assessment about privacy, cybersecurity, the overall impact of 5G communications and how the deployment of 5G networks in the United States is going. “And really, what will be the ultimate application of higher speed and broader bandwidth for our nation,” Marinos considers. The agency also is conducting classified work on the national security risks of 5G.
An unclassified audit report from October centering on the federal government’s efforts to mitigate national security risks and other challenges relating to 5G revealed that while the Trump administration had developed a national strategy on 5G, the policy fell short of being what the GAO calls an effective national strategy.
“The strategy does not include a risk assessment or complete information on 5G risks and does not include information on the quality—constraints or deficiencies—of the data,” the report indicates. “The strategy narrowly focuses on cybersecurity and supply chain risks to 5G infrastructure and does not include the full breadth of 5G risks. National strategies that do not have an analysis of threats and vulnerabilities as part of a broader risk assessment cannot adequately inform management decisions about resource allocations required to minimize risks and maximize returns on resources expended.”
Moreover, the strategy only partially addresses who is to implement the national 5G policy, how it relates to other policies, what the strategy is trying to achieve, specifics of what the particular national problems are, and a detailed cost estimate, according to the study.
In addition, the GAO team has been working closely over the last several years with the House of Representatives Committee on Oversight Reform, examining how the major federal agencies are implementing the legislation that focused on federal information technology acquisition reform. The law, known as FITARA, stipulated how federal agencies can improve their information technology. Marinos says $90 billion is being spent on information technology across the federal government.
“However, a majority of that money is still being spent on maintaining old legacy systems,” he warns.
Congress’ implementation of an annual scorecard, along with its active oversight of the agencies to see what progress they are making in adopting best practices and ensuring that information technology development occurs incrementally, has helped, the director observes. Most agencies that are succeeding have chief information officers who are empowered with broad oversight of how information technology dollars are spent, even in an enormous agency.
With the risks to the nation from increasing cyber threats from adversaries, the GAO will continue to conduct reviews and examine the government’s cybersecurity posture. “GAO has identified cybersecurity as a high-risk area since 1997, as the nation started to increase our reliance on technology, and the risk of losing information became even greater,” he says. “And as we continue to rely on technology even more and think about emerging technologies like 5G or artificial intelligence and machine learning, these technologies are just going to make this issue of protecting sensitive data and the missions that those support even more important.”
“What I’ve noticed in the last couple of decades of doing this work is that the same issues I once saw as a new kid on the block at GAO, I’m still seeing today, which is a need for central leadership, coordination across not only the government but the private sector as well, and ultimately having a clear path, not necessarily to get to, but iterating yourself to be able to confront these evolving threats,” Marinos says.