Government Agencies’ Cyber Breach Expected
GAO identified lax cybersecurity measures across federal computer systems.
December’s news of yet another highly sophisticated break into U.S. government agencies’ cyber systems didn’t come as a surprise to the Government Accountability Office. The government’s auditing agency investigates possible weaknesses or cybersecurity gaps and makes key recommendations to rectify problems. In some ways, it saw this coming.
“We are starting to see people in government taking the issues more seriously,” says Nick Marinos, director, Information Technology and Cybersecurity Office, Government Accountability Office (GAO). “But in other ways, we are behind the eight ball. Adversaries are advantaged by the fact of the automated ways by which they can attack. They can keep trying and bombarding federal networks. In many ways, there's no time for the agencies to take a deep breath and realize from a strategic perspective the measures that could help protect their networks.”
Marinos and his team conduct several audits simultaneously, primarily involving cybersecurity, privacy and data protection issues. Depending on the requested audit, the team examines how an agency is protecting its networks and information.
“The nature of the work can span from being extremely technical, where we actually have a Center for Enhanced Cybersecurity unit within our team that protects networks,” the director notes. “Our experts go in and meet with the system administrators who are responsible for implementing security protections, and through dialogue and tests that we ask the agencies to perform, we get a gauge of how consistently their networks are being protected.”
One review examined the Federal Risk and Authorization Management Program, or FedRAMP, process for adopting cloud computing and whether the program—which certifies that vendors’ cloud solutions to the federal government possess a certain level of security—was working or not. “We found issues that we thought were important to raise to DHS so that they and the other key agencies involved could provide the best services possible. And that, in turn, would improve security.”
Another issue the GAO found was that some federal agencies, which are required by the Office of Management and Budget (OMB) to use FedRAMP, do not always use the program for authorizing cloud services. For example, one agency used 90 cloud services that were not authorized, while 14 other agencies used a total of 157 non-FedRAMP cloud services, the GAO says. In addition, the OMB was not effectively monitoring federal compliance with FedRAMP.
Meanwhile, a broader look at the extent to which the executive branch was implementing the 2018 National Cyber Strategy was the focus of Marinos’ team this fall. They looked not only at how agencies responded to the assigned tasks but also at what the White House was doing to keep track of the progress, Marinos explains.
“We found that although there was a lot of activity and there was a plan in place, there wasn't a whole lot of checking up to make sure that progress was being made,” he emphasizes. “We not only made recommendations to the White House to improve the way that they had implemented the strategy, but we also later made recommendations to Congress, which we do on occasion when we think that a fix could probably come through legislation.”
The GAO team also looks at the way an organization manages cybersecurity. “We'll look even more broadly at practices all the way up to the top leadership of an organization, including how they are making risk management decisions, and we'll make more expansive recommendations out of those reviews,” he explains.
Read more about what the GAO found while examining the federal agencies’ cyber defenses in the January issue of SIGNAL Magazine, online on January 4.