GAO Blasts Cybersecurity Efforts of Federal AgenciesWatchdog Points to Numerous Risk Management Shortcomings
Some 23 federal agencies come up short in their cybersecurity efforts even as attacks on their IT infrastructures continue to grow and concerns about foreign interference in the upcoming 2020 elections persist, according to a Government Accountability Office report.
The GAO found that 22 of the 23 agencies it reviewed had designated an executive in charge of risk, but that most had failed in other key areas of risk management, such as developing a cybersecurity risk management plan; creating policies for assessing, monitoring and responding to risk; and establishing processes for coordinating their cybersecurity and enterprise risk management programs.
The government watchdog laid out 58 recommended steps the 23 agencies should take to shore up their cybersecurity defenses, saying that until they do, "agencies will face an increased risk of cyber-based incidents that threaten national security and personal privacy."
The top recommendation was for the Office of Management and Budget and the Department of Homeland Security to develop ways that agencies can share successful methods for addressing challenges in such areas as managing the competing priorities if cybersecurity and operations and implementing consistent cybersecurity risk management practices.
Other recommendations were aimed at individual agencies to help them shore up weaknesses. For example, the Commerce, Health and Human Services and Interior departments should conduct organizationwide cybersecurity risk assessments, while Transportation, Treasury and Veterans Affairs need to improve coordination between cybersecurity and enterprise risk management functions.
"Cybersecurity incidents continue to impact federal agencies, as well as entities across various critical infrastructure sectors," the report notes. "In fiscal year 2017, federal executive branch civilian agencies reported 35,277 incidents to the U.S. Computer Emergency Readiness Team. These incidents included web-based attacks, phishing and the loss or theft of computing equipment. These incidents and others like them can pose a serious challenge to economic and national security and personal privacy."
The GAO undertook the study to not only determine to what extent the agencies had instituted key elements of a risk management program, but also to find out what challenges these agencies were facing in putting those elements in place. The study also reviewed steps the Office of Management and Budget and the Department of Homeland Security have taken to address their risk management responsibilities.
Investigators found was that while all but one agency - the General Services Administration - had installed a cybersecurity risk executive, 16 agencies had not fully established a cybersecurity risk management strategy that outlined boundaries for risk-based decisions.
"The risks to IT systems supporting the federal government and the nation's critical infrastructure are increasing as security threats continue to evolve and become more sophisticated," according to the GAO report. "These risks include insider threats from witting or unwitting employees, escalating and emerging threats from around the globe, steady advances in the sophistication of attack technology, and the emergence of new and more destructive attacks. Therefore, it is imperative for agency leaders and managers at all levels to manage the risks associated with the operation and use of information systems that support their missions and business functions."
In support of their argument, the GAO investigators noted several recent cybersecurity incidents involving the federal government, including the indictment of two Ukrainian men for their roles in an international conspiracy to hack into the U.S. Securities and Exchange Commission's computers. In addition, the GAO report points to a joint alert in March 2018 by Homeland Security and the FBI stating that cybercriminals connected to the Russian government had since at least March 2016 been targeting computing systems of the federal government and private entities.
The 23 federal agencies face a number of challenges in establishing risk management programs, according to the report. All these agencies noted that it's difficult to hire and retain cybersecurity personnel. Other challenges included managing priorities of operations and cybersecurity, obtaining risk data and using federal guidance on cybersecurity risk management.
Security Gaps Not Surprising
The federal agencies' shortcomings in risk management aren't surprising, says Rick Holland, CISO and vice president of strategy at security firm Digital Shadows.
"Given the bureaucratic challenges the federal government faces, unfortunately, it isn't shocking that all agencies have yet to create a risk management program," Holland tells Information Security Media Group. "If you look at some of the broader risks that many of the federal agencies face, cyber risk management is just one of many challenges they face. ... I classify the GAO's findings as a work in progress, and not dissimilar from much of the private sector. You see very similar findings in unregulated private sector verticals - immature or nonexistent risk management programs and a lack of a single individual responsible for cyber risk management."
Ongoing security training for employees is a key part of any security plan. A recent study by Egress Software found that 60 percent of data breaches were the result of employees making mistakes. Security awareness should be part of a broader cybersecurity program, says Atif Mushtaq, founder and CEO at the security firm SlashNext.
"Cybercriminals focus on low-hanging fruit and soft targets for the highest success rate," Mushtaq said. "Since the human element is the weak link in cybersecurity, the right security tools can automate protections and minimize the risk of human error. If government agencies are slow to put defenses in place, attackers will concentrate their efforts on organizations with weak or no defenses in order to get the data and information they need."