The U.S. Government Urgently Needs to Address Cybersecurity Challenges
Despite the high risks, the federal government has failed to implement certain cybersecurity actions, GAO reports.
The U.S. government has not established a comprehensive cybersecurity strategy, nor has it performed effective oversight of cybersecurity as called for by federal law and policy, the U.S. Government Accountability Office (GAO) concluded in a stark report on the state of the nation’s cybersecurity.
Because cybersecurity policy and related action have lagged, federal agencies and U.S. critical infrastructure—including energy, transportation systems, communications and financial services—are vulnerable. And these cybersecurity risks are increasing as security threats evolve and become more sophisticated, GAO, the government’s watchdog agency, reported.
The United States’ vulnerabilities can lead to additional security incidents and cyber attacks that disrupt critical operations; lead to inappropriate access to and disclosure, modification or destruction of sensitive information; and threaten national security, economic well-being and public health and safety, GAO stated.
“These risks include insider threats from witting or unwitting employees, escalating and emerging threats from around the globe, steady advances in the sophistication of attack technology and the emergence of new and more destructive attacks,” the agency stated. “In particular, foreign nations—where adversaries may possess sophisticated levels of expertise and significant resources to pursue their objectives—pose increasing risks. Compounding these risks, IT systems are often riddled with security vulnerabilities—both known and unknown.”
Artificial intelligence and the Internet of Things technologies are contributing to the complexity of the threat landscape and could introduce additional security, privacy and safety issues, GAO cautioned.
In fiscal year 2017 alone, federal civilian agencies reported 35,277 cybersecurity incidents—which included web-based attacks, phishing and loss or theft of computing equipment.
Accordingly, GAO identified 10 urgent actions that the federal government should take to address cybersecurity vulnerabilities. The recommended actions include: (1) develop and execute a “more comprehensive” strategy for national and global cyberspace; (2) mitigate global supply chain risks; (3) address cybersecurity workforce management challenges; (4) ensure the security of emerging technologies; (5) improve implementation of government-wide cybersecurity initiatives; and (6) address weaknesses in federal agency information security programs.
The government should also: (7) enhance its response to cyber incidents; (8) strengthen its role in protecting the cybersecurity of critical infrastructure; (9) improve its efforts to protect privacy and sensitive data; and (10) appropriately limit the collection and use of personal information.
GAO examined the challenges related to the United States’ cybersecurity at the request of the chairman of the Senate Committee on Homeland Security and Governmental Affairs, Sen. Ron Johnson (R-Wis.), and Sen. Claire McCaskill (D-Mo.), the Committee’s ranking member, as well as Rep. Trey Gowdy (R-S.C.), chairman, and Rep. Elijah Cummings (D-Md.), ranking member of the House Committee on Oversight and Government Reform.
Since 2010, GAO has made more than 3,000 recommendations to agencies to address cybersecurity shortfalls. However, about 1,000 have not yet been implemented, the agency stated. The recommendations address protecting cyber critical infrastructure, managing the cybersecurity workforce and responding to cybersecurity incidents.
“Until these shortcomings are addressed, federal agencies’ information and systems will be increasingly susceptible to the multitude of cyber-related threats that exist,” GAO concluded.