Federal Cybersecurity – Will White House Actions Provide the Urgency GAO is Seeking?

Last week, the House Subcommittee on Government Operations held its biannual hearing to assess implementation of the Federal Information Technology Acquisition Reform Act (FITARA), Modernizing Government Technology (MGT) act, and the Federal Information Security Modernization Act of 2014 (FISMA). Kevin Walsh, Director of Information Technology and Cybersecurity at the Government Accountability Office (GAO) provided testimony on federal information technology (IT) management and cybersecurity. Citing the recent cybersecurity incidents – the SolarWinds Orion code compromise, the exploitation of vulnerabilities in Microsoft Exchange Server, and the unauthorized access to a U.S. water treatment facility’s industrial controls systems – Walsh appealed for the federal government to move with a greater sense of urgency to fully address its cybersecurity challenges.

Cybersecurity Risk is High

Just a few weeks ago, GAO underscored federal cybersecurity as one of its high-risk areas and reiterated the need for agencies to address four major cybersecurity challenges: (1) establishing a comprehensive cybersecurity strategy and performing effective oversight, (2) securing federal systems and information, (3) protecting cyber critical infrastructure, and (4) protecting privacy and sensitive data.

In his testimony, Walsh reemphasized the need for the federal government to develop and execute a comprehensive federal cybersecurity strategy. He also highlighted the need for agencies to make strides in mitigating global supply chain risks and enhancing federal cyber incident response.

Progress is Taking Time

In an effort to support the development a comprehensive federal cybersecurity strategy, Congress included a provision in the fiscal year (FY) 2021 National Defense Authorization Act (NDAA) that created the Office of the National Cyber Director (NCD) within the Executive Office of the President.

On April 12, the White House announced its plans to nominate Chris Inglis as the National Cyber Director and Jen Easterly as the Director of the Cybersecurity and Infrastructure Agency (CISA). Both are veterans of the National Security Agency (NSA) and will join other former NSA officials who are now part of the White House cybersecurity team, including Anne Neuberger, former NSA cybersecurity director who Biden appointed Deputy National Security Advisor for Cyber and Emerging Technology. Both Inglis Easterly must be confirmed by the Senate for their new appointments. Once in place, it is unclear how long it will take for the White House to put together the comprehensive federal cybersecurity strategy that GAO and Congress is urging.

Efforts at mitigating global supply chain risks are also underway. In February, the White House issued an executive order (EO) that in part directs various executive departments to assess the risks in their supply chains.  The EO called for both an immediate 100-day review of semiconductors, high-capacity batteries, and other products, as well as year-long sector-specific supply chain reviews within the defense, health, transportation, agriculture and other industries. According to news reports, other supply chain risk management (SCRM) proposals under consideration include assigning security grades to software companies and to add security labels to internet-of-things devices.

As far as “enhancing federal cyber incident response” goes, it appears that the immediate urgency to mitigate vulnerabilities from SolarWinds and Microsoft Exchange has been addressed. Neuberger announced that the White House has stood down the surge efforts among their two Unified Coordination Groups (UCGs) to drive a whole-of-government response to the SolarWinds and Microsoft Exchange incidents. Further related responses will be handling through standard agency incident management procedures.

Additional efforts are both underway and still on the drawing board. At the beginning of April, Homeland Security Secretary Alejandro Mayorkas announced that DHS is initiating a series of 60-day sprints focused on ransomware, industrial control systems, transportation systems and election security. An addition sprint is focused on developing the government cybersecurity workforce. Mayorkas has also said that DHS is drafting a proposal to establish a cybersecurity response and recovery fund to provide assistance to state, local, tribal and territorial governments. Biden’s FY 2022 budget is requesting an initial $20 million for the fund.

In addition to the SCRM provisions above, an anticipated Biden cyber-EO may establish a body within CISA for reporting cybersecurity incidents – modeled after the National Transportation Safety Board – as well as create a cybersecurity incident review board to include DHS and the attorney general.

White House Cyber Executive Order Still “Coming Soon”

White House officials continue to say at least one cyber EO is forthcoming. It is unclear whether they are waiting until they have a confirmed NCD and CISA director before issuing their directives. By Walsh’s reckoning more than 750 out of roughly 3,300 GAO recommendations made since 2010 had not been implemented as of December 2020.

Hopefully, whatever action that comes from the White House will provide the urgency and execution Walsh is encouraging.