GAO: Federal IT Security Still at High RiskAdministration Lauded, But Much More Work Needed
In the report entitled High-Risk Series: An Update, issued last week, GAO documents significant programs initiated by the Obama administration since its 2009 High-Risk report to improve IT security and better protect cyber-reliant critical infrastructures to strengthen the nation's security posture. "These actions demonstrate the executive branch's commitment to managing the risks associated with the nation's extensive reliance on federal information systems and cyber critical infrastructures," wrote Gregory Wilshusen, GAO director for information security issues.
Still, Wilshusen wrote in the GAO audit, many challenges remain, including:
- Updating the national strategy for securing the information and communications infrastructure.
- Developing a comprehensive national strategy for addressing global cybersecurity and governance.
- Creating a prioritized national and federal research and development agenda for improving cybersecurity.
- Implementing the near- and mid-term actions recommended by the Cyberspace Policy Review directed by the president.
Wilshusen said executive branch agencies, in particular the Department of Homeland Security, need to advance cyber analysis and warning capabilities, acquire sufficient analytical and technical capabilities, develop strategies for hiring and retaining highly qualified cyber analysts and strengthen the effectiveness of the public-private sector partnerships in securing cyber-critical infrastructure. "Shortcomings and challenges associated with the implementation of several of the governmentwide security initiatives limit the initiatives' effectiveness in protecting federal systems," he said.
Executive branch agencies have yet to fully or effectively implement key elements of agency-wide information security programs, an underlying cause for IT security weaknesses, Wilshusen said. Among those programs: assessing risks, developing and implementing cost-effective security safeguards that reduce risk to an acceptable level, periodically testing and evaluating the effectiveness of the safeguards, and mitigating known control deficiencies.
"Until the executive branch agencies implement the hundreds of recommendations made by GAO and agency inspectors general to address cyber challenges, resolve identified deficiencies and fully implement effective security programs," Wilshusen wrote, "a broad array of federal assets and operations will remain at risk of fraud, misuse and disruption, and the nation's most critical federal and private sector infrastructure systems will remain at increased risk of attack from our adversaries."