GAO Raises its Cybersecurity Concerns to the Presidential Cyber Commission
Published: September 28, 2016
The ongoing cybersecurity threats and deficiencies among federal agencies is moving beyond government watchdogs to become a topic for the 2016 presidential debates.
Days before cybersecurity took center stage at of cybersecurity being a major topic in the first 2016 presidential debate, a cybersecurity expert at the Government Accountability Office (GAO) highlighted its cybersecurity concerns to a presidential commission the ongoing challenges faced by almost all major federal agencies.
Gregory C. Wilshusen, GAO’s Director of Information Security Issues provided testimony before the President's Commission on Enhancing National Cybersecurity, which was created by Executive Order in February 2016.
GAO’s findings boil down to this:
“Several laws and policies establish a framework for the federal government’s information security and assign implementation and oversight responsibilities to key federal entities… However, implementation of this framework has been inconsistent, and additional actions are needed.”
These challenges persist amidst consistently strong growth in cybersecurity incidents reported by agencies. The number of information security incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team (U.S. CERT) has grown from 5,503 in fiscal year (FY) 2006 to 77,183 in FY 2015 – the most recent complete data available. This is an increase of more than 1,300 percent.
Wilshusen urged federal agencies must continue to pursue the following actions:
Effectively implement risk-based entity-wide information security programs consistently over time. In FY 2015, 19 of the 24 major federal agencies reported that information security control deficiencies were either a material weakness or significant deficiency in internal controls over financial reporting. Agencies need to address several areas simultaneously:
- Enhance capabilities to effectively identify cyber threats to agency systems and information
- Implement sustainable processes for securely configuring operating systems, applications, workstations, servers, and network devices
- Patch vulnerable systems and replace unsupported software. Federal agencies consistently fail to apply critical security patches in a timely manner on their systems, sometimes years after the patch is available.
- Develop comprehensive security test and evaluation procedures and conduct examinations on a regular and recurring basis.
- Strengthen oversight of contractors providing IT services (The 2015 OPM data breach was named as a prime example.)
Improve capabilities for detecting, responding to, and mitigating cyber incidents. Even with strong security, organizations can continue to be victimized by attacks exploiting previously unknown vulnerabilities. Addressing this requires the following actions:
- DHS needs to expand capabilities, improve planning, and support wider adoption of its government-wide intrusion detection and prevention system.
- Improve cyber incident response practices at federal agencies
- Update federal guidance on reporting data breaches and develop consistent responses to breaches of personally identifiable information (PII).
Expand cyber workforce and training efforts to ensure that the government has a sufficient cybersecurity workforce with the right skills and training remains an ongoing challenge. Government-wide efforts are needed address this long-standing challenge:
- Enhance efforts for recruiting and retaining a qualified cybersecurity workforce
- Improve cybersecurity workforce planning activities at federal agencies
On the topic of contractor systems, Wilshusen noted results of GAO’s 2016 survey of agency chief information security officers (CISO) which reported that CISOs were challenged to a large or moderate extent in overseeing their IT contractors and receiving security data from the contractors, thereby diminishing the CISOs’ ability to assess how well agency information maintained by the contractors is protected. The concern over security information sharing, system monitoring, and the potential threat vectors presented by outside personnel and systems is not new and will continue to spur demands for greater visibility into contractor systems and internal practices.