Since taking office two years ago, the Biden administration has made the cyber defense of US government agencies — as well as the private sector — a key focus.
However, the US Government Accountability Office (GAO) – the audit and investigation arm of Congress – says that since 2010 it has made about 335 cybersecurity recommendations, but that nearly 60% of them had not been implemented by the end of 2022.
At a time when increasingly sophisticated cyber threats against the government are on the rise, failure to act on about 190 of those recommendations could have significant ramifications, the agency said in a report this month, the first of four it plans to publish to highlight the main cybersecurity areas the federal government needs to address.
The first focuses on strategy and monitoring. “Until these are fully implemented, federal agencies will be more limited in their ability to protect the private and sensitive data entrusted to them,” the GAO wrote in the report.
The agency says the government needs to address four key areas: creating a more comprehensive cybersecurity strategy, addressing supply chain risks, addressing a shortage of federal cybersecurity workers (a problem the industry also faces) and strengthening the security of emerging technologies, including connected devices, operational technology (OT), artificial intelligence (AI) and quantum computing.
The agency says it began sounding the alarm in 1997 on the need to prioritize information security, expanded that priority in 2003 to include critical infrastructure protection and, 12 years later, also added the protection of personally identifiable information (PII).
In September 2018, the White House rolled out its National Cybersecurity Strategy, followed a year later by an implementation plan by the National Security Council. The plan did not cover all areas that the GAO believed needed to be addressed, and in 2020 the agency said it would need to be updated or replaced.
Cybersecurity efforts accelerated when President Joe Biden arrived in the White House in 2021. Five months later, the administration issued its Executive Order for Cybersecurity Improvements, and it has continued to make cybersecurity a priority through agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Justice.
In June 2021, the Senate confirmed Chris Inglis as the Biden administration’s choice to be the first National Cybersecurity Director, heading the Office of the National Cybersecurity Director (ONCD), and since August 2022 a new national cybersecurity strategy has been in development. The White House will soon have to choose another director; Inglis is expected to retire early this year.
Managing supply chain risk has been a challenge, according to the GAO, which made seven recommendations – including developing supply chain risk management policies, identifying and documenting an agency’s supply chain, and detecting counterfeit and compromised information and communications technology (ICT) before it is deployed.
Supply chain risks are of particular concern to the US government, which found that a number of federal agencies were affected by Russian agents’ hack of SolarWinds’ Orion software in 2020.
As of December 2020, none of 23 agencies – including the Departments of Energy, Homeland Security (DHS), and Education, and NASA – had implemented all seven recommendations, and 14 had completed none.
It hadn’t improved after two years: as of December 2022, 130 of GAO’s 145 recommendations were yet to be implemented, and none of the 23 agencies had fully implemented all of the recommendations directed at them.
The GAO had also said that creating a government-wide plan to address the shortage of federal cybersecurity workers was something the Office of Management and Budget (OMB) and DHS had taken steps to solve. However, last year responsibility for workforce issues shifted from OMB and DHS to ONCD.
“Since the transition, the director has committed to developing a national strategy that addresses cyber training and education, digital awareness, and the cyber workforce,” the GAO wrote. “This commitment is consistent with the administration’s current management program [to] fill critical skills gaps in the federal IT and cybersecurity workforce.”
Last month, the GAO reported that the Departments of Energy, Health and Human Services, Transportation, and Homeland Security were working on programs to protect critical infrastructure sectors that make extensive use of Internet of Things (IoT) and OT systems, although without the necessary metrics it was difficult to determine their effectiveness.
They also lack IoT and OT security risk assessments. Agencies need to address this issue, the GAO wrote.
The agency also said that government oversight must evolve to keep pace with rapid advances in artificial intelligence technologies, and that steps must be taken now to prepare for the arrival of quantum computing, which will bring its own set of cybersecurity threats.
“A large-scale quantum computer has the potential to break standard encryption technologies, creating a major information security risk,” the agency wrote. “As a result, the federal government’s cybersecurity infrastructure will need to evolve to address this threat.”