GAO Pushes for Speeding Up Cybersecurity EnhancementsAudit Calls for Prompt Government Action, Especially in Wake of SolarWinds Attack
The Government Accountability Office is urging the U.S. government to respond more rapidly to cybersecurity issues, especially in the wake of the SolarWinds supply chain attack that led to the breach of nine federal departments as well as about 100 companies.
For example, the federal watchdog, in its new cybersecurity audit report, urges the Biden administration to promptly appoint a national cyber director within the White House to coordinate the government's response to major security issues as mandated in the 2021 National Defense Authorization Act. Lawmakers from both parties also have been pressuring the administration to nominate a candidate.
The White House is currently conducting what it calls a 60-day review of the national cyber director position, Press Secretary Jen Psaki said March 16.
The GAO report also urges government agencies to improve supply chain security develop more comprehensive incident response plans. And it calls on Congress to pass a national privacy law.
Scott Shackelford, chair of Indiana University's cybersecurity program, notes that of all the recommendations in the report, the appointment of a White House-level cyber coordinator is the most important.
"This new report makes it more apparent than ever that the Biden administration needs to appoint a national cyber director with all due haste," Shackelford says. "The cybersecurity team at the National Security Council and others ... are doing great work, but more coordination, resources and engagement are urgently needed to better manage the multifaceted cyber threats facing the nation."
The Associated Press reported Monday that the SolarWinds attackers gained access to at least one email account used by Chad Wolf, who was acting secretary of the Department of Homeland Security in the final months of the Trump administration, along with the accounts of other DHS and Department of Energy officials.
The attackers apparently targeted DHS staffers who were working on detecting threats from overseas, and they also trageted the calendars of officials at the Department of Energy, AP reports (see: Senators Raise Concerns About Energy Dept. Cybersecurity).
The GAO report notes that the SolarWinds supply chain attack demonstrates that "weaknesses remain" in the ability of government agencies to protect, respond and defend against security intrusions.
U.S. agencies investigating the SolarWinds attack believe that a Russian-linked group likely conducted the cyber espionage operation to obtain access to email communications and create long-term persistence within federal networks. A DHS spokesperson told AP that the department "no longer sees indicators of compromise on our networks."
Responding to the AP report, Jake Williams, a former member of the National Security Agency's elite hacking team who now runs the cybersecurity consultancy Rendition Infosec, writes on Twitter that it would like take years to determine the complete impact of the SolarWinds attack.
We'll continue to see the fallout from this for years to come. https://t.co/92Coit6yBU— Jake Williams (@MalwareJake) March 29, 2021
The Biden administration also is investigating attacks targeting unpatched vulnerabilities in on-premises Microsoft Exchange email servers that have affected thousands of organizations, including many smaller firms and local government agencies (see: Exchange Hacks: How Will the Biden Administration Respond?).
Response to GAO
The GAO asked DHS, the National Security Council and the Office of Management and Budget to provide input for its cybersecurity audit report before it was published.
While DHS added technical details to the report, the OMB responded by saying the agency is working on improving two specific areas - securing federal systems and information and protecting the privacy of sensitive data, the audit notes.
The staff of the National Security Council noted in its response to the GAO: "As the administration charts a course for cyber policy issues, the draft offered a comprehensive review of the cybersecurity challenges facing the nation and the opportunities available to make concrete improvements."
But the GAO noted that many federal departments have not addressed major issues involving cybersecurity. For instance, the report found that none of the 23 agencies it audited had "fully implemented key foundational practices for managing information and communications technology supply chains."
The GAO has made 145 supply chain recommendations to government agencies to follow, according to the audit.
Since 2010, the watchdog agency has made about 3,300 cybersecurity recommendations to departments across the federal government. As of December 2020, 750 of these recommendations have not been implemented, the report notes.
4 Areas of Improvement
The GAO report looked at four areas in need of urgent improvements:
- Establishing a comprehensive cybersecurity strategy and performing effective oversight;
- Securing federal systems and information;
- Protecting cyber critical infrastructure;
- Protecting privacy and sensitive data.
The GAO noted that while the Trump administration had established a national cybersecurity strategy in September 2018 and an implementation plan in June 2019, these did not address all the goals and resources needed to create an effective, governmentwide strategy to address security issues.
"The new administration needs to either update the existing strategy or plan or develop a new comprehensive strategy that addresses those characteristics," according to the audit.
The GAO found that while the federal government had made some strides in securing federal systems and information, the SolarWinds supply chain attack showed more improvements are needed. For example, 16 federal agencies lack incident response plans, the audit determined.
The GAO recommends that federal agencies that oversee and have responsibility for critical infrastructure voluntarily adopt the National Institute of Science and Technology's cybersecurity framework to help create more comprehensive cybersecurity programs. The audit also notes that of 80 recommendation related to critical infrastructure security that GAO has been made since 2010, about 50 have not been implemented.
The GAO report also says that multiple federal agencies have fallen short of protecting citizens' data. Plus, it urges Congress to adopt a national data protection and privacy law (see: Is a US National Privacy Law on the Horizon?).